QuickSightUserNotFoundException When getting a AWS Quicksight embed URL with cognito user

Question

I'm trying to get a Quicksight embed URL in a lambda function,

The lambda function receives a jwtToken from the frontend created on a react app using aws amplify, all the cognito setup works well (userpool and identity pool), the user receives the role "arn:aws:iam::xx:role/Cognito_qa1_Admin" when logging in,

The role has permissions to quicksight:registerUser and quicksight:getDashboardEmbedUrl

var cognitoIdentity = new AWS.CognitoIdentity();
  var params = {
    IdentityPoolId: "eu-west-2:xxx-291d-xx-b9a7-8b27c73c796c", // your identity pool id here
    Logins: {
      // your logins here
      "cognito-idp.eu-west-2.amazonaws.com/eu-west-2_xxx": event.jwtToken,
    },
  };
  // Get cognito identity from jwtToken
  cognitoIdentity.getId(params, function (err, data) {
    if (err) {
      return callback(err);
    }
    var roleArn = "arn:aws:iam::xx:role/Cognito_qa1_Admin"; // your cognito authenticated role arn here

    data.Logins = params.Logins;
    // Get credentials for the identity (it also does the AssumeRoleWithWebIdentity)
    cognitoIdentity.getCredentialsForIdentity(data, function (err, data) {
      console.log(data);
      if (err) {
        return callback(err);
      }
      // update credentials with web identity ones
      AWS.config.update({
        region: "eu-west-2",
        accessKeyId: data.Credentials.AccessKeyId,
        secretAccessKey: data.Credentials.SecretKey,
        sessionToken: data.Credentials.SessionToken,
        expiration: data.Credentials.Expiration,
      });

      const quicksight = new AWS.QuickSight();

      var getDashboardParams = {
        AwsAccountId: "xx",
        DashboardId: "a048efb6-3d3c-xx-8920-xxx",
        IdentityType: "IAM",
        ResetDisabled: false,
        SessionLifetimeInMinutes: 100,
        UndoRedoDisabled: false,
      };

      var registerUserParams = {
        AwsAccountId: "xxx",
        Email: event.userEmail,
        IdentityType: "IAM",
        Namespace: "default",
        UserRole: "READER",
        IamArn: roleArn,
        SessionName: event.payloadSub,
      };

      // register user, this one works well
      quicksight.registerUser(registerUserParams, function (err, data) {
        if (err) {
          if (err.code !== "ResourceExistsException") {
            console.log("error registering user");
            return callback(err);
          }
          console.log("user already exists");
        }
        console.log("User registration data", data);
        // Get dashboard url, this is the one failing with QuickSightUserNotFoundException
        quicksight.getDashboardEmbedUrl(getDashboardParams, function (
          err,
          data
        ) {
          if (err) {
            console.log("getDashboardEmbedUrl error", err);
            return callback(err);
          }
          callback(null, data);
        });
      });
    });
  });

Everything goes smooth, the credentials for the web identity are retrieved and set to the config, the registerUser call registers the user (or returns user already exists error)

But the getDashboardEmbedUrl fails with QuickSightUserNotFoundException: Could not find user information in QuickSight

If I call sts.getCallerIdentity after setting the credentials I get this

{
  ResponseMetadata: { RequestId: 'd5cb26f1-f2f5-4148-87e5-74d6c998fb91' },
  UserId: 'AROAU63RLM5WIRTFDRETQ:CognitoIdentityCredentials',
  Account: 'xxx',
  Arn: 'arn:aws:sts::xxx:assumed-role/Cognito_qa1_Admin/CognitoIdentityCredentials'
}

Any idea? Thanks a lot in advance

Answer 1

When registering the user the IdentityType has to be IAM but for getDashboardEmbedUrl it has to be type QUICKSIGHT and you need to pass UserArn which you can find in the response from registerUser