How to create QuickSight snapshots as a federated IAM User

The issue

Creating programmatic snapshots of AWS QuickSight dashboards as PDF/Excel/CSV files turned out to be more complex than I had expected. Snapshots are created with the start-dashboard-snapshot-job API call, but before I could execute it I needed to obtain identity-enhanced IAM role session credentials from AWS STS (AWS Security Token Service). These credentials carry additional information about the end user on whose behalf the requests to AWS QuickSight are made, so that QuickSight can authorize them as that user.

In the following section I will explain how to achieve this.

The solution

Identity-enhanced IAM role session credentials are ordinary STS role session credentials plus an identity context. When such credentials are created, the identity context is used to look up “the group memberships and attributes of the user in IAM Identity Center” and to “authorize the user’s access to resources” (https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-identity-enhanced-iam-role-sessions.html).

The workflow is as follows (using AWS CLI commands and environment variables):

Log in to your AWS Account and export your credentials as environment variables:

export AWS_ACCESS_KEY_ID="AKIAI..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_SESSION_TOKEN="..."
export AWS_DEFAULT_REGION="..."

Now get the identity context for your user (identified by e-mail address) from AWS QuickSight (adjust the namespace if necessary; the 12-digit account ID below is a placeholder):

context=$(aws quicksight get-identity-context --aws-account-id 123456789012 --user-identifier "{ \"Email\": \"abc.def@example.com\"}" --namespace default | jq -r .Context)

Now call the CLI command assume-role with the retrieved identity context, passed via --provided-contexts. Be aware that the trust policy of the role must allow the sts:SetContext action in addition to sts:AssumeRole, otherwise this call is denied:

identity_enhanced_creds=$(aws sts assume-role --role-arn arn:aws:iam::123456789012:role/quicksight-access --role-session-name test123 --provided-contexts "[{\"ProviderArn\":\"arn:aws:iam::aws:contextProvider/QuickSight\",\"ContextAssertion\":\"$context\"}]")

Now you can set the enhanced session credentials as environment variables, e.g.:

export AWS_ACCESS_KEY_ID=$(echo "$identity_enhanced_creds" | jq -r .Credentials.AccessKeyId)

export AWS_SECRET_ACCESS_KEY=$(echo "$identity_enhanced_creds" | jq -r .Credentials.SecretAccessKey)

export AWS_SESSION_TOKEN=$(echo "$identity_enhanced_creds" | jq -r .Credentials.SessionToken)

Now you can create the snapshot of your QuickSight dashboard. For this you need the dashboard ID and the ID(s) of the sheet(s) you want to export. You can retrieve this information via the API as well:

aws quicksight list-dashboards --aws-account-id 123456789012

From the output, extract the ID of the dashboard you want to export.

Then fetch the details of this dashboard, including its sheet IDs:

aws quicksight describe-dashboard --aws-account-id 123456789012 --dashboard-id 123

Now you can create the snapshot:

aws quicksight start-dashboard-snapshot-job --cli-input-json file://quicksight-config.json

As you can see, I am using a JSON file containing the configuration of the snapshot. You can use the following snippet as a starting point and insert your extracted dashboard ID and sheet ID:

{
  "AwsAccountId": "<<aws account id>>",
  "DashboardId": "<<extracted dashboard id>>",
  "SnapshotJobId": "Snapshot1",
  "UserConfiguration": {
    "AnonymousUsers": [{}]
  },
  "SnapshotConfiguration": {
    "FileGroups": [
      {
        "Files": [
          {
            "SheetSelections": [
              {
                "SheetId": "<<extracted sheet id>>",
                "SelectionScope": "ALL_VISUALS"
              }
            ],
            "FormatType": "PDF"
          }
        ]
      }
    ],
    "DestinationConfiguration": {
      "S3Destinations": [
        {
          "BucketConfiguration": {
            "BucketName": "quicksight-snapshots",
            "BucketPrefix": "prefix123",
            "BucketRegion": "eu-central-1"
          }
        }
      ]
    },
    "Parameters": {}
  }
}

To check the status of the snapshot job while it is running, use the following two API commands (the snapshot job ID is the one set in the config JSON; the second command only returns a result once the job has reached COMPLETED or FAILED):

aws quicksight describe-dashboard-snapshot-job --aws-account-id 123456789012 --dashboard-id 123 --snapshot-job-id Snapshot1

aws quicksight describe-dashboard-snapshot-job-result --aws-account-id 123456789012 --dashboard-id 123 --snapshot-job-id Snapshot1
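The whole procedure above as one script, added here as an example and not code from the original post. It assumes AWS CLI v2, a POSIX sh, and that the caller already holds credentials in the environment; the account ID, the role name quicksight-access, the e-mail address, bucket and region are placeholders. The get-identity-context command and the QuickSight context provider ARN are used as the post describes them. The script replaces jq with the CLI's own --query option, includes the trust policy the role needs (sts:SetContext next to sts:AssumeRole), and polls describe-dashboard-snapshot-job until the job is COMPLETED or FAILED before fetching the result.

```shell
#!/bin/sh
# Added example, not code from the original post: the complete snapshot
# workflow as one POSIX sh script. Assumes AWS CLI v2 and credentials already
# in the environment; account ID, role, e-mail, bucket and region are
# placeholders. Uses --query instead of jq.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/quicksight-access"
USER_EMAIL="${USER_EMAIL:-abc.def@example.com}"
BUCKET_REGION="${BUCKET_REGION:-eu-central-1}"
POLL_SECONDS="${POLL_SECONDS:-10}"

# Trust policy the target role needs ($1 = ARN of the principal calling
# assume-role): without sts:SetContext, assume-role with --provided-contexts
# is denied.
trust_policy() {
  cat <<EOF
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "$1"}, "Action": ["sts:AssumeRole", "sts:SetContext"]}]}
EOF
}

# --provided-contexts value for sts assume-role from the context assertion
# returned by quicksight get-identity-context ($1).
provided_contexts() {
  printf '[{"ProviderArn":"arn:aws:iam::aws:contextProvider/QuickSight","ContextAssertion":"%s"}]' "$1"
}

# Request body for start-dashboard-snapshot-job:
# $1 dashboard id, $2 sheet id, $3 snapshot job id, $4 bucket name.
snapshot_config() {
  cat <<EOF
{"AwsAccountId": "$ACCOUNT_ID", "DashboardId": "$1", "SnapshotJobId": "$3",
 "UserConfiguration": {"AnonymousUsers": [{}]},
 "SnapshotConfiguration": {
   "FileGroups": [{"Files": [{"FormatType": "PDF",
     "SheetSelections": [{"SheetId": "$2", "SelectionScope": "ALL_VISUALS"}]}]}],
   "DestinationConfiguration": {"S3Destinations": [{"BucketConfiguration":
     {"BucketName": "$4", "BucketPrefix": "snapshots", "BucketRegion": "$BUCKET_REGION"}}]}}}
EOF
}

# Exit 0 once a JobStatus is terminal; QUEUED and RUNNING keep polling.
job_finished() {
  case "$1" in
    COMPLETED|FAILED) return 0 ;;
    *) return 1 ;;
  esac
}

# Current JobStatus of snapshot job $2 on dashboard $1.
describe_snapshot_status() {
  aws quicksight describe-dashboard-snapshot-job --aws-account-id "$ACCOUNT_ID" \
    --dashboard-id "$1" --snapshot-job-id "$2" --query JobStatus --output text
}

# Poll until the job is terminal and print the final status.
wait_for_snapshot() {
  while :; do
    status=$(describe_snapshot_status "$1" "$2")
    if job_finished "$status"; then
      printf '%s\n' "$status"
      return 0
    fi
    sleep "$POLL_SECONDS"
  done
}

# Usage: ./snapshot.sh <dashboard-id> <sheet-id> <bucket-name>
main() {
  dashboard_id=$1; sheet_id=$2; bucket=$3
  job_id="snapshot-$(date +%Y%m%d%H%M%S)"
  # 1. Identity context for the end user, issued by QuickSight.
  context=$(aws quicksight get-identity-context --aws-account-id "$ACCOUNT_ID" \
    --namespace default --user-identifier "{\"Email\":\"$USER_EMAIL\"}" \
    --query Context --output text)
  # 2. Identity-enhanced role session carrying that context.
  creds=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name "$job_id" \
    --provided-contexts "$(provided_contexts "$context")" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | cut -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | cut -f2)
  AWS_SESSION_TOKEN=$(printf '%s' "$creds" | cut -f3)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  # 3. Start the job, wait for a terminal state, fetch the result (S3 URIs or error).
  aws quicksight start-dashboard-snapshot-job \
    --cli-input-json "$(snapshot_config "$dashboard_id" "$sheet_id" "$job_id" "$bucket")"
  status=$(wait_for_snapshot "$dashboard_id" "$job_id")
  aws quicksight describe-dashboard-snapshot-job-result --aws-account-id "$ACCOUNT_ID" \
    --dashboard-id "$dashboard_id" --snapshot-job-id "$job_id"
  [ "$status" = COMPLETED ]
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as ./snapshot.sh <dashboard-id> <sheet-id> <bucket-name>; without arguments it only defines the functions, so it can be sourced. A FAILED job also ends the poll loop: describe-dashboard-snapshot-job-result then shows the error details and the script exits non-zero. The output of trust_policy is what the quicksight-access role's trust relationship has to contain for the principal running the script.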

The instructions are based on https://docs.aws.amazon.com/quicksight/latest/APIReference/API_StartDashboardSnapshotJob.html.
