Step 1: Set up permissions
Note
The embedded QuickSight Q search bar provides the classic QuickSight Q&A experience. QuickSight integrates with Amazon Q Business to launch a new Generative Q&A experience. Developers are recommended to use the new Generative Q&A experience. For more information on the embedded Generative Q&A experience, see Embed the Amazon Q in QuickSight Generative Q&A experience.
In the following section, you can find how to set up permissions for your backend application or web server to embed the Q search bar. This task requires administrative access to AWS Identity and Access Management (IAM).
Each user who accesses a Q search bar assumes a role that gives them Amazon QuickSight access and permissions to the Q search bar. To make this possible, create an IAM role in your AWS account. Associate an IAM policy with the role to provide permissions to any user who assumes it. The IAM role needs to provide permissions to retrieve embedding URLs for a specific user pool.
With the help of the wildcard character *, you can grant the
permissions to generate a URL for all users in a specific namespace. Or you can grant
permissions to generate a URL for a subset of users in specific namespaces. For this,
you add quicksight:GenerateEmbedUrlForAnonymousUser
.
You can create a condition in your IAM policy that limits the domains that
developers can list in the AllowedDomains
parameter of a
GenerateEmbedUrlForAnonymousUser
API operation. The
AllowedDomains
parameter is an optional parameter. It grants developers
the option to override the static domains that are configured in the Manage
QuickSight menu and instead list up to three domains or subdomains that
can access a generated URL. This URL is then embedded in a developer's website. Only the
domains that are listed in the parameter can access the embedded Q search bar. Without
this condition, developers can list any domain on the internet in the
AllowedDomains
parameter.
To limit the domains that developers can use with this parameter, add an
AllowedEmbeddingDomains
condition to your IAM policy. For more
information about the AllowedDomains
parameter, see GenerateEmbedUrlForAnonymousUser in the Amazon QuickSight API
Reference.
The following sample policy provides these permissions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "quicksight:GenerateEmbedUrlForAnonymousUser" ], "Resource": [ "arn:{{
partition
}}:quicksight:{{region
}}:{{accountId
}}:namespace/{{namespace
}}", "arn:{{partition
}}:quicksight:{{region
}}:{{accountId
}}:dashboard/{{dashboardId-1
}}", "arn:{{partition
}}:quicksight:{{region
}}:{{accountId
}}:dashboard/{{dashboardId-2
}}" ], "Condition": { "ForAllValues:StringEquals": { "quicksight:AllowedEmbeddingDomains": [ "https://my.static.domain1.com", "https://*.my.static.domain2.com" ] } } }
Your application's IAM identity must have a trust policy associated with it to allow access to the role that you just created. This means that when a user accesses your application, your application can assume the role on the user's behalf to open the Q search bar. The following example shows a sample trust policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowLambdaFunctionsToAssumeThisRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" }, { "Sid": "AllowEC2InstancesToAssumeThisRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
For more information regarding trust policies, see Temporary security credentials in IAM in the IAM User Guide