本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
步驟 2:生成附加URL的身份驗證碼
在以下部分中,您可以了解如何驗證您的用戶並在應用程序服務器URL上獲取可嵌入的儀表板。如果您計劃內嵌儀表板IAM或 QuickSight 身分類型,請與使用者共用儀表板。
當用戶訪問您的應用程序時,該應用程序代表用戶擔任該IAM角色。然後它將用戶添加到 QuickSight,如果該用戶不存在。接著,它傳遞識別符當作唯一的角色工作階段 ID。
執行這些步驟可確保儀表板的每個檢視器都是在中唯一佈建的 QuickSight。它還會強制執行個別使用者設定,例如資料列層級的安全性和參數的動態預設值。
下列範例會代表使用者執行IAM驗證。此代碼在您的應用程式伺服器上運行。
- Java
-
import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.BasicAWSCredentials; import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.regions.Regions; import com.amazonaws.services.quicksight.AmazonQuickSight; import com.amazonaws.services.quicksight.AmazonQuickSightClientBuilder; import com.amazonaws.services.quicksight.model.GenerateEmbedUrlForRegisteredUserRequest; import com.amazonaws.services.quicksight.model.GenerateEmbedUrlForRegisteredUserResult; import com.amazonaws.services.quicksight.model.RegisteredUserEmbeddingExperienceConfiguration; import com.amazonaws.services.quicksight.model.RegisteredUserDashboardEmbeddingConfiguration; /** * Class to call QuickSight AWS SDK to get url for dashboard embedding. */ public class GetQuicksightEmbedUrlRegisteredUserDashboardEmbedding { private final AmazonQuickSight quickSightClient; public GetQuicksightEmbedUrlRegisteredUserDashboardEmbedding() { this.quickSightClient = AmazonQuickSightClientBuilder .standard() .withRegion(Regions.US_EAST_1.getName()) .withCredentials(new AWSCredentialsProvider() { @Override public AWSCredentials getCredentials() { // provide actual IAM access key and secret key here return new BasicAWSCredentials("access-key", "secret-key"); } @Override public void refresh() {} } ) .build(); } public String getQuicksightEmbedUrl( final String accountId, // AWS Account ID final String dashboardId, // Dashboard ID to embed final List<String> allowedDomains, // Runtime allowed domain for embedding final String userArn // Registered user arn to use for embedding. Refer to Get Embed Url section in developer portal to find out how to get user arn for a QuickSight user. ) throws Exception { final RegisteredUserEmbeddingExperienceConfiguration experienceConfiguration = new RegisteredUserEmbeddingExperienceConfiguration() .withDashboard(new RegisteredUserDashboardEmbeddingConfiguration().withInitialDashboardId(dashboardId)); final GenerateEmbedUrlForRegisteredUserRequest generateEmbedUrlForRegisteredUserRequest = new GenerateEmbedUrlForRegisteredUserRequest(); generateEmbedUrlForRegisteredUserRequest.setAwsAccountId(accountId); generateEmbedUrlForRegisteredUserRequest.setUserArn(userArn); generateEmbedUrlForRegisteredUserRequest.setAllowedDomains(allowedDomains); generateEmbedUrlForRegisteredUserRequest.setExperienceConfiguration(experienceConfiguration); final GenerateEmbedUrlForRegisteredUserResult generateEmbedUrlForRegisteredUserResult = quickSightClient.generateEmbedUrlForRegisteredUser(generateEmbedUrlForRegisteredUserRequest); return generateEmbedUrlForRegisteredUserResult.getEmbedUrl(); } } - JavaScript
-
global.fetch = require('node-fetch'); const AWS = require('aws-sdk'); function generateEmbedUrlForRegisteredUser( accountId, dashboardId, openIdToken, // Cognito-based token userArn, // registered user arn roleArn, // IAM user role to use for embedding sessionName, // Session name for the roleArn assume role allowedDomains, // Runtime allowed domain for embedding getEmbedUrlCallback, // GetEmbedUrl success callback method errorCallback // GetEmbedUrl error callback method ) { const stsClient = new AWS.STS(); let stsParams = { RoleSessionName: sessionName, WebIdentityToken: openIdToken, RoleArn: roleArn } stsClient.assumeRoleWithWebIdentity(stsParams, function(err, data) { if (err) { console.log('Error assuming role'); console.log(err, err.stack); errorCallback(err); } else { const getDashboardParams = { "AwsAccountId": accountId, "ExperienceConfiguration": { "Dashboard": { "InitialDashboardId": dashboardId } }, "UserArn": userArn, "AllowedDomains": allowedDomains, "SessionLifetimeInMinutes": 600 }; const quicksightClient = new AWS.QuickSight({ region: process.env.AWS_REGION, credentials: { accessKeyId: data.Credentials.AccessKeyId, secretAccessKey: data.Credentials.SecretAccessKey, sessionToken: data.Credentials.SessionToken, expiration: data.Credentials.Expiration } }); quicksightClient.generateEmbedUrlForRegisteredUser(getDashboardParams, function(err, data) { if (err) { console.log(err, err.stack); errorCallback(err); } else { const result = { "statusCode": 200, "headers": { "Access-Control-Allow-Origin": "*", // Use your website domain to secure access to GetEmbedUrl API "Access-Control-Allow-Headers": "Content-Type" }, "body": JSON.stringify(data), "isBase64Encoded": false } getEmbedUrlCallback(result); } }); } }); } - Python3
-
import json import boto3 from botocore.exceptions import ClientError sts = boto3.client('sts') # Function to generate embedded URL # accountId: AWS account ID # dashboardId: Dashboard ID to embed # userArn: arn of registered user # allowedDomains: Runtime allowed domain for embedding # roleArn: IAM user role to use for embedding # sessionName: session name for the roleArn assume role def getEmbeddingURL(accountId, dashboardId, userArn, allowedDomains, roleArn, sessionName): try: assumedRole = sts.assume_role( RoleArn = roleArn, RoleSessionName = sessionName, ) except ClientError as e: return "Error assuming role: " + str(e) else: assumedRoleSession = boto3.Session( aws_access_key_id = assumedRole['Credentials']['AccessKeyId'], aws_secret_access_key = assumedRole['Credentials']['SecretAccessKey'], aws_session_token = assumedRole['Credentials']['SessionToken'], ) try: quicksightClient = assumedRoleSession.client('quicksight', region_name='us-west-2') response = quicksightClient.generate_embed_url_for_registered_user( AwsAccountId=accountId, ExperienceConfiguration = { "Dashboard": { "InitialDashboardId": dashboardId } }, UserArn = userArn, AllowedDomains = allowedDomains, SessionLifetimeInMinutes = 600 ) return { 'statusCode': 200, 'headers': {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "Content-Type"}, 'body': json.dumps(response), 'isBase64Encoded': bool('false') } except ClientError as e: return "Error generating embedding url: " + str(e) - Node.js
-
下列範例顯示您可以在應用程式伺服器上用來產生內嵌儀表板URL的 JavaScript (Node.js)。您可以在網站或應用程序URL中使用此功能來顯示儀表板。
const AWS = require('aws-sdk'); const https = require('https'); var quicksightClient = new AWS.Service({ apiConfig: require('./quicksight-2018-04-01.min.json'), region: 'us-east-1', }); quicksightClient.generateEmbedUrlForRegisteredUser({ 'AwsAccountId': '111122223333', 'ExperienceConfiguration': { 'Dashboard': { 'InitialDashboardId': '1c1fe111-e2d2-3b30-44ef-a0e111111cde' } }, 'UserArn': 'REGISTERED_USER_ARN', 'AllowedDomains': allowedDomains, 'SessionLifetimeInMinutes': 100 }, function(err, data) { console.log('Errors: '); console.log(err); console.log('Response: '); console.log(data); });//The URL returned is over 900 characters. For this example, we've shortened the string for //readability and added ellipsis to indicate that it's incomplete. { Status: 200, EmbedUrl: 'https://quicksightdomain/embed/12345/dashboards/67890...' RequestId: '7bee030e-f191-45c4-97fe-d9faf0e03713' } - .NET/C#
-
下列範例顯示. NET/C #代碼,您可以在應用程式伺服器上使用來產生嵌入式儀URL表板的。您可以在網站或應用程序URL中使用此功能來顯示儀表板。
using System; using Amazon.QuickSight; using Amazon.QuickSight.Model; namespace GenerateDashboardEmbedUrlForRegisteredUser { class Program { static void Main(string[] args) { var quicksightClient = new AmazonQuickSightClient( AccessKey, SecretAccessKey, SessionToken, Amazon.RegionEndpoint.USEast1); try { RegisteredUserDashboardEmbeddingConfiguration registeredUserDashboardEmbeddingConfiguration = new RegisteredUserDashboardEmbeddingConfiguration { InitialDashboardId = "dashboardId" }; RegisteredUserEmbeddingExperienceConfiguration registeredUserEmbeddingExperienceConfiguration = new RegisteredUserEmbeddingExperienceConfiguration { Dashboard = registeredUserDashboardEmbeddingConfiguration }; Console.WriteLine( quicksightClient.GenerateEmbedUrlForRegisteredUserAsync(new GenerateEmbedUrlForRegisteredUserRequest { AwsAccountId = "111122223333", ExperienceConfiguration = registeredUserEmbeddingExperienceConfiguration, UserArn = "REGISTERED_USER_ARN", AllowedDomains = allowedDomains, SessionLifetimeInMinutes = 100 }).Result.EmbedUrl ); } catch (Exception ex) { Console.WriteLine(ex.Message); } } } } - AWS CLI
-
若要擔任該角色,請選擇下列 AWS Security Token Service (AWS STS) API 操作之一:
-
AssumeRole— 當您使用IAM身份承擔角色時,請使用此操作。
-
AssumeRoleWithWebIdentity— 當您使用 Web 身份提供商來驗證您的用戶時,請使用此操作。
-
AssumeRoleWithSaml— 當您使用驗證使用者時,請SAML使用此作業。
下列範例顯示設定IAM角色的CLI命令。角色需要啟用
quicksight:GenerateEmbedUrlForRegisteredUser的許可。如果您正在採取一 just-in-time 種方法在使用者第一次開啟儀表板時新增使用者,則該角色還需要為其啟用權限quicksight:RegisterUser。aws sts assume-role \ --role-arn "arn:aws:iam::111122223333:role/embedding_quicksight_dashboard_role" \ --role-session-namejohn.doe@example.comassume-role操作會傳回三個輸出參數:存取金鑰、私密金鑰和工作階段字符。注意
若您呼叫
AssumeRole操作時收到ExpiredToken錯誤,原因可能是先前的SESSION TOKEN仍在環境變數中。設定以下變數便可清除此錯誤:-
AWS_ACCESS_KEY_ID
-
AWS_SECRET_ACCESS_KEY
-
AWS_SESSION_TOKEN
下列範例顯示如何在中設定這三個參數CLI。如果您使用 Microsoft Windows 電腦,請使用
set,不要使用export。export AWS_ACCESS_KEY_ID = "access_key_from_assume_role" export AWS_SECRET_ACCESS_KEY = "secret_key_from_assume_role" export AWS_SESSION_TOKEN = "session_token_from_assume_role"對於瀏覽您網站的使用者,執行這些命令可將其角色工作階段 ID 設為
embedding_quicksight_dashboard_role/john.doe@example.com。角色工作階段 ID 由來自role-arn和role-session-name值的角色名稱所組成。對每個使用者使用唯一的角色工作階段 ID,可確保為每個使用者設定適當的許可。還能避免對使用者存取進行任何調節。節流是一項安全性功能,可防止相同使用者 QuickSight 從多個位置存取。角色工作階段 ID 也會成為中的使用者名稱 QuickSight。您可以使用此模式提 QuickSight 前佈建使用者,或在使用者第一次存取儀表板時佈建使用者。
下列範例顯示可用來佈建使用者的CLI命令。如需有關RegisterUserDescribeUser、和其他 QuickSight API作業的詳細資訊,請參閱〈參QuickSight API考〉。
aws quicksight register-user \ --aws-account-id111122223333\ --namespacedefault\ --identity-typeIAM\ --iam-arn "arn:aws:iam::111122223333:role/embedding_quicksight_dashboard_role" \ --user-roleREADER\ --user-namejhnd\ --session-name "john.doe@example.com" \ --emailjohn.doe@example.com\ --regionus-east-1\ --custom-permissions-nameTeamA1如果使用者是透過 Microsoft AD 進行身分驗證,您就不需要使用
RegisterUser設定他們。相反,他們應該在第一次訪問時自動訂閱 QuickSight。對於 Microsoft AD 用戶,您可以使用DescribeUser來獲取用戶ARN。使用者第一次存取時 QuickSight,您也可以將此使用者新增至共用儀表板的群組。下列範例顯示將使用者新增至群組的CLI命令。
aws quicksight create-group-membership \ --aws-account-id=111122223333\ --namespace=default \ --group-name=financeusers\ --member-name="embedding_quicksight_dashboard_role/john.doe@example.com"您現在擁有應用程序的用戶,該用戶也是該用戶 QuickSight,並且可以訪問儀表板。
最後,要獲得儀表板URL的簽名,請
generate-embed-url-for-registered-user從應用程序服務器調用。這將返回可嵌入的儀表板URL。下列範例顯示如何使用伺服器端呼叫,URL針對透過 AWS Managed Microsoft AD 或單一登入 (IAMIdentity Center) 驗證的使用者,為內嵌儀表板產生。aws quicksight generate-embed-url-for-registered-user \ --aws-account-id111122223333\ --session-lifetime-in-minutes600\ --user-arnarn:aws:quicksight:us-east-1:111122223333:user/default/embedding_quicksight_visual_role/embeddingsession\ --allowed-domains '["domain1","domain2"]' \ --experience-configuration Dashboard={InitialDashboardId=1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89}如需使用此操作的詳細資訊,請參閱 GenerateEmbedUrlForRegisteredUser。您可以在自己的代碼中使用此API操作和其他操作。
-
步驟 1:設定許可
步驟 3:嵌入 URL