GetIdentityContext - Amazon Quick Sight

GetIdentityContext

Retrieves the identity context for a Quick Sight user in a specified namespace, allowing you to obtain identity tokens that can be used with identity-enhanced IAM role sessions to call identity-aware APIs.

Currently, you can call the following APIs with identity-enhanced credentials

Supported Authentication Methods

This API supports Quick Sight native users, IAM federated users, and Active Directory users. For Quick Sight users authenticated by AWS Identity Center, see Identity Center documentation on identity-enhanced IAM role sessions.

Getting Identity-Enhanced Credentials

To obtain identity-enhanced credentials, follow these steps:

  • Call the GetIdentityContext API to retrieve an identity token for the specified user.

  • Use the identity token with the STS AssumeRole API to obtain identity-enhanced IAM role session credentials.

Usage with STS AssumeRole

The identity token returned by this API is meant to be passed to the STS AssumeRole API to obtain credentials for an identity-enhanced IAM role session. When calling AssumeRole, include the identity token in the ProvidedContexts parameter, with ProviderArn set to arn:aws:iam::aws:contextProvider/QuickSight and ContextAssertion set to the identity token received from this API.

The assumed role must allow the sts:SetContext action in addition to sts:AssumeRole in its trust relationship policy. The trust policy should include both actions for the principal that will be assuming the role.
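The two-step flow described above, written against boto3 as an added example that is not part of the Quick Sight documentation. It builds the trust policy the page requires (both sts:AssumeRole and sts:SetContext), checks an existing trust policy for that requirement, assembles the AssumeRole call with the ProvidedContexts entry, and only in the final function performs the live calls. The role ARNs, session name and principal ARN are placeholders, and the boto3 method name get_identity_context is assumed to follow boto3's usual snake_case mapping of the API name; neither is stated on this page.

```python
"""Added example (not from the Amazon Quick Sight documentation): the
GetIdentityContext -> STS AssumeRole flow for identity-enhanced sessions.
Assumptions: all ARNs and the session name are placeholders, and the boto3
method name get_identity_context is assumed from boto3's naming convention."""
import json
import re

# ProviderArn value for Quick Sight identity context (stated on the page).
QUICKSIGHT_CONTEXT_PROVIDER_ARN = "arn:aws:iam::aws:contextProvider/QuickSight"
# AwsAccountId pattern from the URI parameter description.
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")
# Both actions must be granted in the role's trust policy.
REQUIRED_TRUST_ACTIONS = {"sts:AssumeRole", "sts:SetContext"}


def build_trust_policy(principal_arn):
    """Trust policy for a role that will host identity-enhanced sessions:
    the calling principal gets sts:AssumeRole AND sts:SetContext."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": sorted(REQUIRED_TRUST_ACTIONS),
            }
        ],
    }


def trust_policy_allows_set_context(policy):
    """Review check for an existing trust policy: True only if some Allow
    statements together grant both required actions. A policy that grants
    sts:AssumeRole alone will make AssumeRole with ProvidedContexts fail."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        granted.update(actions)
    return REQUIRED_TRUST_ACTIONS <= granted


def build_assume_role_request(role_arn, session_name, identity_token):
    """Keyword arguments for sts.assume_role(): the Context string returned
    by GetIdentityContext becomes the ContextAssertion in ProvidedContexts."""
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "ProvidedContexts": [
            {
                "ProviderArn": QUICKSIGHT_CONTEXT_PROVIDER_ARN,
                "ContextAssertion": identity_token,
            }
        ],
    }


def get_identity_enhanced_credentials(account_id, namespace, user_name,
                                      role_arn, session_name):
    """Live flow: needs boto3 and AWS credentials, so it is not run offline.
    Step 1 calls GetIdentityContext; step 2 passes the token to AssumeRole."""
    import boto3  # imported here so the pure helpers above work without it

    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AwsAccountId must be exactly 12 digits")
    quicksight = boto3.client("quicksight")
    ctx = quicksight.get_identity_context(  # assumed boto3 method name
        AwsAccountId=account_id,
        Namespace=namespace,
        UserIdentifier={"UserName": user_name},
    )
    sts = boto3.client("sts")
    resp = sts.assume_role(
        **build_assume_role_request(role_arn, session_name, ctx["Context"])
    )
    return resp["Credentials"]


if __name__ == "__main__":
    # Placeholder principal; replace before using for real.
    policy = build_trust_policy("arn:aws:iam::111122223333:role/caller-role")
    print(json.dumps(policy, indent=2))
    print("trust policy OK:", trust_policy_allows_set_context(policy))
```

The trust-policy check is the part worth keeping in a deployment pipeline: a role whose trust policy grants only sts:AssumeRole looks correct for ordinary use but cannot host an identity-enhanced session, and the failure only surfaces at AssumeRole time.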

Request Syntax

POST /accounts/AwsAccountId/identity-context HTTP/1.1
Content-type: application/json

{
   "Namespace": "string",
   "SessionExpiresAt": number,
   "UserIdentifier": { ... }
}

URI Request Parameters

The request uses the following URI parameters.

AwsAccountId

The ID for the AWS account that the user whose identity context you want to retrieve is in. Currently, you use the ID for the AWS account that contains your Quick Sight account.

Length Constraints: Fixed length of 12.

Pattern: ^[0-9]{12}$

Required: Yes

Request Body

The request accepts the following data in JSON format.

UserIdentifier

The identifier for the user whose identity context you want to retrieve.

Type: UserIdentifier object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: Yes

Namespace

The namespace of the user that you want to get identity context for. This parameter is required when the UserIdentifier is specified using Email or UserName.

Type: String

Length Constraints: Maximum length of 64.

Pattern: ^[a-zA-Z0-9._-]*$

Required: No

SessionExpiresAt

The timestamp at which the session will expire.

Type: Timestamp

Required: No
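A client-side validator for the URI parameter and request body described above, added here as an example and not taken from the Quick Sight documentation. It enforces the stated constraints before a request is sent: the 12-digit AwsAccountId, the Namespace length and pattern, the rule that UserIdentifier is a union with exactly one member, and the rule that Namespace is required when the member is Email or UserName. Email and UserName are the only union members this page names, so any other member name is merely passed through unchecked (an assumption, since the page does not list the full union); the sample requests at the bottom are constructed.

```python
"""Added example (not from the Amazon Quick Sight documentation): validate a
GetIdentityContext request against the constraints documented on this page.
Assumption: Email and UserName are the only UserIdentifier members the page
names; other member names are accepted without further checks."""
import re
from datetime import datetime, timezone

ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")          # AwsAccountId pattern
NAMESPACE_RE = re.compile(r"^[a-zA-Z0-9._-]*$")     # Namespace pattern
NAMESPACE_MAX_LEN = 64                              # Namespace max length
NAMESPACE_REQUIRED_FOR = {"Email", "UserName"}      # members needing Namespace


def validate_get_identity_context(aws_account_id, body):
    """Return a list of problems; an empty list means the request passes
    every constraint the page documents."""
    problems = []

    if not isinstance(aws_account_id, str) or not ACCOUNT_ID_RE.match(aws_account_id):
        problems.append("AwsAccountId: must be exactly 12 digits")

    member = None
    ident = body.get("UserIdentifier")
    if not isinstance(ident, dict):
        problems.append("UserIdentifier: required object")
    else:
        members = [k for k, v in ident.items() if v is not None]
        if len(members) != 1:
            problems.append("UserIdentifier: exactly one union member must be set")
        else:
            member = members[0]

    ns = body.get("Namespace")
    if ns is None:
        if member in NAMESPACE_REQUIRED_FOR:
            problems.append(f"Namespace: required when UserIdentifier uses {member}")
    elif (not isinstance(ns, str) or len(ns) > NAMESPACE_MAX_LEN
          or not NAMESPACE_RE.match(ns)):
        problems.append("Namespace: at most 64 chars matching ^[a-zA-Z0-9._-]*$")

    exp = body.get("SessionExpiresAt")
    if exp is not None:
        if not isinstance(exp, datetime):
            problems.append("SessionExpiresAt: must be a timestamp")
        else:
            if exp.tzinfo is None:            # treat naive values as UTC
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= datetime.now(timezone.utc):
                problems.append("SessionExpiresAt: must be in the future")
    return problems


if __name__ == "__main__":
    # Constructed sample requests (not real accounts or users).
    good = {"Namespace": "default", "UserIdentifier": {"UserName": "alice"}}
    print(validate_get_identity_context("111122223333", good))        # []
    bad = {"UserIdentifier": {"Email": "a@example.com", "UserName": "alice"}}
    print(validate_get_identity_context("12345", bad))
```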

Response Syntax

HTTP/1.1 Status
Content-type: application/json

{
   "Context": "string",
   "RequestId": "string"
}

Response Elements

If the action is successful, the service sends back the following HTTP response.

Status

The HTTP status of the request.

The following data is returned in JSON format by the service.

RequestId

The AWS request ID for this operation.

Type: String

Context

The identity context information for the user. This is an identity token that should be passed as the ContextAssertion parameter in the STS AssumeRole API call to obtain identity-enhanced AWS credentials.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

You don't have access to this item. The provided credentials couldn't be validated. You might not be authorized to carry out the request. Make sure that your account is authorized to use the Amazon Quick Sight service, that your policies have the correct permissions, and that you are using the correct credentials.

RequestId

The AWS request ID for this request.

HTTP Status Code: 401

InternalFailureException

An internal failure occurred.

RequestId

The AWS request ID for this request.

HTTP Status Code: 500

InvalidParameterValueException

One or more parameters have a value that isn't valid.

RequestId

The AWS request ID for this request.

HTTP Status Code: 400

PreconditionNotMetException

One or more preconditions aren't met.

RequestId

The AWS request ID for this request.

HTTP Status Code: 400

ResourceNotFoundException

One or more resources can't be found.

RequestId

The AWS request ID for this request.

ResourceType

The resource type for this request.

HTTP Status Code: 404

ThrottlingException

Access is throttled.

RequestId

The AWS request ID for this request.

HTTP Status Code: 429

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: