How to create QuickSight snapshots as a federated IAM User

The issue

Creating programmatic snapshots of AWS QuickSight dashboard outputs as PDF/Excel/CSV files was more complex than I had expected. You have to use the start-dashboard-snapshot-job API command to create snapshots. But before I could execute this API call I needed to obtain identity-enhanced IAM role session credentials from AWS STS (AWS Security Token Service). These credentials carry additional information about the end user making the requests to AWS QuickSight.

In the following section I will explain how to achieve this.

The solution

Identity-enhanced IAM role session credentials are created from regular STS session credentials plus an identity context. When such credentials are created, the identity context is used to look up “the group memberships and attributes of the user in IAM Identity Center” and to “authorize the user’s access to resources” (https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-identity-enhanced-iam-role-sessions.html).

The workflow is as follows (using AWS CLI commands and environment variables):

Log in to your AWS Account and export your credentials as environment variables:

export AWS_ACCESS_KEY_ID="AKIAI..."

export AWS_SECRET_ACCESS_KEY="..."

export AWS_DEFAULT_REGION="..."

export AWS_SESSION_TOKEN="..."

Now get the identity context for your user (identified by email address) from AWS QuickSight (adjust the namespace if necessary):

context=$(aws quicksight get-identity-context --aws-account-id 123456789 --user-identifier "{ \"Email\": \"abc.def@example.com\"}" --namespace default | jq -r .Context)

Now call the CLI command assume-role with the retrieved identity context. But be aware: the trust relationship of this role must allow the “sts:SetContext” action (in addition to “sts:AssumeRole”), otherwise the call is denied!

identity_enhanced_creds=$(aws sts assume-role --role-arn arn:aws:iam::123456789:role/quicksight-access --role-session-name test123 --provided-contexts "[{\"ProviderArn\":\"arn:aws:iam::aws:contextProvider/QuickSight\",\"ContextAssertion\":\"$context\"}]")

Now you can set the enhanced session credentials as environment variables, e.g.:

export AWS_ACCESS_KEY_ID=$(echo "$identity_enhanced_creds" | jq -r .Credentials.AccessKeyId)

export AWS_SECRET_ACCESS_KEY=$(echo "$identity_enhanced_creds" | jq -r .Credentials.SecretAccessKey)

export AWS_SESSION_TOKEN=$(echo "$identity_enhanced_creds" | jq -r .Credentials.SessionToken)

Now you can create the snapshot of your QuickSight dashboard outputs. For this you need the dashboard ID and the sheet ID(s) you want to export. You can retrieve this information via the API as well:

aws quicksight list-dashboards --aws-account-id 123456789

From the output, extract the ID of the dashboard you want to back up.

Then fetch the details of this dashboard, including the sheet IDs:

aws quicksight describe-dashboard --aws-account-id 123456789 --dashboard-id 123

Now you can create the snapshot:

aws quicksight start-dashboard-snapshot-job --cli-input-json file://quicksight-config.json

As you can see, I’m using a JSON file containing the configuration of the snapshot. You can use the following snippet as a starting point; insert your account ID and the extracted dashboard ID and sheet ID:

{
  "AwsAccountId": "<<aws account id>>",
  "DashboardId": "<<extracted dashboard id>>",
  "SnapshotJobId": "Snapshot1",
  "UserConfiguration": {
    "AnonymousUsers": [{}]
  },
  "SnapshotConfiguration": {
    "FileGroups": [
      {
        "Files": [
          {
            "SheetSelections": [
              {
                "SheetId": "<<extracted sheet id>>",
                "SelectionScope": "ALL_VISUALS"
              }
            ],
            "FormatType": "PDF"
          }
        ]
      }
    ],
    "DestinationConfiguration": {
      "S3Destinations": [
        {
          "BucketConfiguration": {
            "BucketName": "quicksight-snapshots",
            "BucketPrefix": "prefix123",
            "BucketRegion": "eu-central-1"
          }
        }
      ]
    },
    "Parameters": {}
  }
}

To check the current status of the snapshot job while it’s running, you can use the following two API commands (the snapshot job ID is the one set in the config JSON):

aws quicksight describe-dashboard-snapshot-job --aws-account-id 123456789 --dashboard-id 1234 --snapshot-job-id Snapshot1

aws quicksight describe-dashboard-snapshot-job-result --aws-account-id 123456789 --dashboard-id 1234 --snapshot-job-id Snapshot1

The instructions are based on https://docs.aws.amazon.com/quicksight/latest/APIReference/API_StartDashboardSnapshotJob.html.
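As an added example (not code from the original post), the following Python helpers cover two of the steps above: checking, before you attempt the assume-role call, that the role's trust policy grants sts:SetContext alongside sts:AssumeRole, and turning describe-dashboard output into the start-dashboard-snapshot-job config file. The trust policy, the describe-dashboard output, the account ID and the sheet IDs are constructed samples.

```python
# Constructed sample of Role.AssumeRolePolicyDocument as returned by
# `aws iam get-role`; the account ID is a placeholder.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": ["sts:AssumeRole", "sts:SetContext"]}]}

# Constructed sample of the part of `describe-dashboard` output that is needed.
DESCRIBE_DASHBOARD = {"Dashboard": {"DashboardId": "dash-123", "Version": {
    "Sheets": [{"SheetId": "sheet-a", "Name": "Overview"},
               {"SheetId": "sheet-b", "Name": "Details"}]}}}


def trust_policy_allows_set_context(policy):
    """True if one Allow statement grants both sts:AssumeRole and sts:SetContext.
    IAM matches action names case-insensitively, so compare lower-cased."""
    needed = {"sts:assumerole", "sts:setcontext"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        granted = {a.lower() for a in actions}
        if needed <= granted or granted & {"sts:*", "*"}:
            return True
    return False


def sheet_ids(describe_output):
    """Extract the sheet IDs from describe-dashboard output."""
    return [s["SheetId"] for s in describe_output["Dashboard"]["Version"]["Sheets"]]


def snapshot_job_config(account_id, dashboard_id, sheets, bucket, prefix, region,
                        job_id="Snapshot1"):
    """Build the --cli-input-json document for start-dashboard-snapshot-job:
    one PDF file per sheet (ALL_VISUALS), the same shape as the config above."""
    files = [{"SheetSelections": [{"SheetId": s, "SelectionScope": "ALL_VISUALS"}],
              "FormatType": "PDF"} for s in sheets]
    return {
        "AwsAccountId": account_id,
        "DashboardId": dashboard_id,
        "SnapshotJobId": job_id,
        "UserConfiguration": {"AnonymousUsers": [{}]},
        "SnapshotConfiguration": {
            "FileGroups": [{"Files": files}],
            "DestinationConfiguration": {"S3Destinations": [{"BucketConfiguration": {
                "BucketName": bucket, "BucketPrefix": prefix, "BucketRegion": region}}]},
            "Parameters": {}}}
```

Feed the real `aws iam get-role` and `describe-dashboard` output into these functions and write the returned dict with json.dumps to quicksight-config.json.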

List of AWS Services supported by IAM

This post is different from my usual ones as I’m not writing a solutions guide. Basically I was looking for a complete list (JSON, XML, …) of all AWS services which I can use in IAM policies. Unfortunately I didn’t find anything, so I coded a small tool which does this for me. I want to share the final JSON file in case somebody else needs it, too. Such a list is useful when you create IAM policies with many explicit DENY or ALLOW sections.

The JSON is a list of items, each of which is itself a two-element list: the first element is the name of the AWS service and the second is the service prefix you use when referencing this service in IAM policies.

Here is the list in JSON format:

[
  [
    "AWS Accounts",
    "account"
  ],
  [
    "Alexa for Business",
    "a4b"
  ],
  [
    "AWS Amplify",
    "amplify"
  ],
  [
    "Amazon API Gateway",
    "execute-api"
  ],
  [
    "AWS App Mesh",
    "appmesh"
  ],
  [
    "AWS App Mesh Preview",
    "appmesh-preview"
  ],
  [
    "AWS AppConfig",
    "appconfig"
  ],
  [
    "Amazon AppFlow",
    "appflow"
  ],
  [
    "Application Auto Scaling",
    "application-autoscaling"
  ],
  [
    "Application Discovery",
    "discovery"
  ],
  [
    "Application Discovery Arsenal",
    "arsenal"
  ],
  [
    "Amazon AppStream 2.0",
    "appstream"
  ],
  [
    "AWS AppSync",
    "appsync"
  ],
  [
    "AWS Artifact",
    "artifact"
  ],
  [
    "Amazon Athena",
    "athena"
  ],
  [
    "AWS Auto Scaling",
    "autoscaling-plans"
  ],
  [
    "AWS Backup",
    "backup"
  ],
  [
    "AWS Backup storage",
    "backup-storage"
  ],
  [
    "AWS Batch",
    "batch"
  ],
  [
    "AWS Billing",
    "aws-portal"
  ],
  [
    "AWS Budget Service",
    "budgets"
  ],
  [
    "AWS Certificate Manager",
    "acm"
  ],
  [
    "AWS Certificate Manager Private Certificate Authority",
    "acm-pca"
  ],
  [
    "AWS Chatbot",
    "chatbot"
  ],
  [
    "Amazon Chime",
    "chime"
  ],
  [
    "Amazon Cloud Directory",
    "clouddirectory"
  ],
  [
    "AWS Cloud Map",
    "servicediscovery"
  ],
  [
    "AWS Cloud9",
    "cloud9"
  ],
  [
    "AWS CloudFormation",
    "cloudformation"
  ],
  [
    "Amazon CloudFront",
    "cloudfront"
  ],
  [
    "AWS CloudHSM",
    "cloudhsm"
  ],
  [
    "Amazon CloudSearch",
    "cloudsearch"
  ],
  [
    "AWS CloudTrail",
    "cloudtrail"
  ],
  [
    "Amazon CloudWatch",
    "cloudwatch"
  ],
  [
    "CloudWatch Application Insights",
    "applicationinsights"
  ],
  [
    "Amazon CloudWatch Logs",
    "logs"
  ],
  [
    "Amazon CloudWatch Synthetics",
    "synthetics"
  ],
  [
    "AWS Code Signing for Amazon FreeRTOS",
    "signer"
  ],
  [
    "AWS CodeArtifact",
    "codeartifact"
  ],
  [
    "AWS CodeBuild",
    "codebuild"
  ],
  [
    "AWS CodeCommit",
    "codecommit"
  ],
  [
    "AWS CodeDeploy",
    "codedeploy"
  ],
  [
    "Amazon CodeGuru",
    "codeguru"
  ],
  [
    "Amazon CodeGuru Profiler",
    "codeguru-profiler"
  ],
  [
    "Amazon CodeGuru Reviewer",
    "codeguru-reviewer"
  ],
  [
    "AWS CodePipeline",
    "codepipeline"
  ],
  [
    "AWS CodeStar",
    "codestar"
  ],
  [
    "AWS CodeStar Connections",
    "codestar-connections"
  ],
  [
    "AWS CodeStar Notifications",
    "codestar-notifications"
  ],
  [
    "Amazon Cognito Identity",
    "cognito-identity"
  ],
  [
    "Amazon Cognito Sync",
    "cognito-sync"
  ],
  [
    "Amazon Cognito User Pools",
    "cognito-idp"
  ],
  [
    "Amazon Comprehend",
    "comprehend"
  ],
  [
    "Comprehend Medical",
    "comprehendmedical"
  ],
  [
    "Compute Optimizer",
    "compute-optimizer"
  ],
  [
    "AWS Config",
    "config"
  ],
  [
    "Amazon Connect",
    "connect"
  ],
  [
    "AWS Connector Service",
    "awsconnector"
  ],
  [
    "AWS Cost and Usage Report",
    "cur"
  ],
  [
    "AWS Cost Explorer Service",
    "ce"
  ],
  [
    "AWS Data Exchange",
    "dataexchange"
  ],
  [
    "Amazon Data Lifecycle Manager",
    "dlm"
  ],
  [
    "Data Pipeline",
    "datapipeline"
  ],
  [
    "AWS Database Migration Service",
    "dms"
  ],
  [
    "Database Query Metadata Service",
    "dbqms"
  ],
  [
    "DataSync",
    "datasync"
  ],
  [
    "AWS DeepComposer",
    "deepcomposer"
  ],
  [
    "AWS DeepLens",
    "deeplens"
  ],
  [
    "AWS DeepRacer",
    "deepracer"
  ],
  [
    "Amazon Detective",
    "detective"
  ],
  [
    "AWS Device Farm",
    "devicefarm"
  ],
  [
    "AWS Direct Connect",
    "directconnect"
  ],
  [
    "AWS Directory Service",
    "ds"
  ],
  [
    "Amazon DynamoDB",
    "dynamodb"
  ],
  [
    "Amazon DynamoDB Accelerator (DAX)",
    "dax"
  ],
  [
    "Amazon EC2",
    "ec2"
  ],
  [
    "Amazon EC2 Auto Scaling",
    "autoscaling"
  ],
  [
    "Amazon EC2 Image Builder",
    "imagebuilder"
  ],
  [
    "Amazon EC2 Instance Connect",
    "ec2-instance-connect"
  ],
  [
    "AWS Elastic Beanstalk",
    "elasticbeanstalk"
  ],
  [
    "Amazon Elastic Block Store",
    "ebs"
  ],
  [
    "Amazon Elastic Container Registry",
    "ecr"
  ],
  [
    "Amazon Elastic Container Service",
    "ecs"
  ],
  [
    "Amazon Elastic Container Service for Kubernetes",
    "eks"
  ],
  [
    "Amazon Elastic File System",
    "elasticfilesystem"
  ],
  [
    "Amazon Elastic Inference",
    "elastic-inference"
  ],
  [
    "Elastic Load Balancing",
    "elasticloadbalancing"
  ],
  [
    "Elastic Load Balancing V2",
    "elasticloadbalancing"
  ],
  [
    "Amazon Elastic MapReduce",
    "elasticmapreduce"
  ],
  [
    "Amazon Elastic Transcoder",
    "elastictranscoder"
  ],
  [
    "Amazon ElastiCache",
    "elasticache"
  ],
  [
    "Amazon Elasticsearch Service",
    "es"
  ],
  [
    "AWS Elemental Appliances and Software",
    "elemental-appliances-software"
  ],
  [
    "AWS Elemental MediaConnect",
    "mediaconnect"
  ],
  [
    "AWS Elemental MediaConvert",
    "mediaconvert"
  ],
  [
    "AWS Elemental MediaLive",
    "medialive"
  ],
  [
    "AWS Elemental MediaPackage",
    "mediapackage"
  ],
  [
    "AWS Elemental MediaPackage VOD",
    "mediapackage-vod"
  ],
  [
    "AWS Elemental MediaStore",
    "mediastore"
  ],
  [
    "AWS Elemental MediaTailor",
    "mediatailor"
  ],
  [
    "Amazon EventBridge",
    "events"
  ],
  [
    "Amazon EventBridge Schemas",
    "schemas"
  ],
  [
    "AWS Firewall Manager",
    "fms"
  ],
  [
    "Amazon Forecast",
    "forecast"
  ],
  [
    "Amazon Fraud Detector",
    "frauddetector"
  ],
  [
    "Amazon FreeRTOS",
    "freertos"
  ],
  [
    "Amazon FSx",
    "fsx"
  ],
  [
    "Amazon GameLift",
    "gamelift"
  ],
  [
    "Amazon Glacier",
    "glacier"
  ],
  [
    "AWS Global Accelerator",
    "globalaccelerator"
  ],
  [
    "AWS Glue",
    "glue"
  ],
  [
    "AWS Ground Station",
    "groundstation"
  ],
  [
    "Amazon GroundTruth Labeling",
    "groundtruthlabeling"
  ],
  [
    "Amazon GuardDuty",
    "guardduty"
  ],
  [
    "AWS Health APIs and Notifications",
    "health"
  ],
  [
    "Amazon Honeycode",
    "honeycode"
  ],
  [
    "IAM Access Analyzer",
    "access-analyzer"
  ],
  [
    "Identity And Access Management",
    "iam"
  ],
  [
    "AWS Import Export Disk Service",
    "importexport"
  ],
  [
    "Amazon Inspector",
    "inspector"
  ],
  [
    "Amazon Interactive Video Service",
    "ivs"
  ],
  [
    "AWS IoT",
    "iot"
  ],
  [
    "AWS IoT 1-Click",
    "iot1click"
  ],
  [
    "AWS IoT Analytics",
    "iotanalytics"
  ],
  [
    "AWS IoT Device Tester",
    "iot-device-tester"
  ],
  [
    "AWS IoT Events",
    "iotevents"
  ],
  [
    "AWS IoT Greengrass",
    "greengrass"
  ],
  [
    "AWS IoT SiteWise",
    "iotsitewise"
  ],
  [
    "AWS IoT Things Graph",
    "iotthingsgraph"
  ],
  [
    "AWS IQ",
    "iq"
  ],
  [
    "AWS IQ Permissions",
    "iq-permission"
  ],
  [
    "Amazon Kendra",
    "kendra"
  ],
  [
    "AWS Key Management Service",
    "kms"
  ],
  [
    "Amazon Keyspaces (for Apache Cassandra)",
    "cassandra"
  ],
  [
    "Amazon Kinesis",
    "kinesis"
  ],
  [
    "Amazon Kinesis Analytics",
    "kinesisanalytics"
  ],
  [
    "Amazon Kinesis Analytics V2",
    "kinesisanalytics"
  ],
  [
    "Amazon Kinesis Firehose",
    "firehose"
  ],
  [
    "Amazon Kinesis Video Streams",
    "kinesisvideo"
  ],
  [
    "AWS Lake Formation",
    "lakeformation"
  ],
  [
    "AWS Lambda",
    "lambda"
  ],
  [
    "Launch Wizard",
    "launchwizard"
  ],
  [
    "Amazon Lex",
    "lex"
  ],
  [
    "AWS License Manager",
    "license-manager"
  ],
  [
    "Amazon Lightsail",
    "lightsail"
  ],
  [
    "Amazon Machine Learning",
    "machinelearning"
  ],
  [
    "Amazon Macie",
    "macie2"
  ],
  [
    "Amazon Macie Classic",
    "macie"
  ],
  [
    "Manage Amazon API Gateway",
    "apigateway"
  ],
  [
    "Amazon Managed Blockchain",
    "managedblockchain"
  ],
  [
    "Amazon Managed Streaming for Apache Kafka",
    "kafka"
  ],
  [
    "AWS Marketplace",
    "aws-marketplace"
  ],
  [
    "AWS Marketplace Catalog",
    "aws-marketplace"
  ],
  [
    "AWS Marketplace Entitlement Service",
    "aws-marketplace"
  ],
  [
    "AWS Marketplace Image Building Service",
    "aws-marketplace"
  ],
  [
    "AWS Marketplace Management Portal",
    "aws-marketplace-management"
  ],
  [
    "AWS Marketplace Metering Service",
    "aws-marketplace"
  ],
  [
    "AWS Marketplace Procurement Systems Integration",
    "aws-marketplace"
  ],
  [
    "Amazon Mechanical Turk",
    "mechanicalturk"
  ],
  [
    "Amazon Message Delivery Service",
    "ec2messages"
  ],
  [
    "AWS Migration Hub",
    "mgh"
  ],
  [
    "Amazon Mobile Analytics",
    "mobileanalytics"
  ],
  [
    "AWS Mobile Hub",
    "mobilehub"
  ],
  [
    "Amazon MQ",
    "mq"
  ],
  [
    "Amazon Neptune",
    "neptune-db"
  ],
  [
    "Network Manager",
    "networkmanager"
  ],
  [
    "AWS OpsWorks",
    "opsworks"
  ],
  [
    "AWS OpsWorks Configuration Management",
    "opsworks-cm"
  ],
  [
    "AWS Organizations",
    "organizations"
  ],
  [
    "AWS Outposts",
    "outposts"
  ],
  [
    "AWS Performance Insights",
    "pi"
  ],
  [
    "Amazon Personalize",
    "personalize"
  ],
  [
    "Amazon Pinpoint",
    "mobiletargeting"
  ],
  [
    "Amazon Pinpoint Email Service",
    "ses"
  ],
  [
    "Amazon Pinpoint SMS and Voice Service",
    "sms-voice"
  ],
  [
    "Amazon Polly",
    "polly"
  ],
  [
    "AWS Price List",
    "pricing"
  ],
  [
    "AWS Private Marketplace",
    "aws-marketplace"
  ],
  [
    "AWS Purchase Orders Console",
    "purchase-orders"
  ],
  [
    "Amazon QLDB",
    "qldb"
  ],
  [
    "Amazon QuickSight",
    "quicksight"
  ],
  [
    "Amazon RDS",
    "rds"
  ],
  [
    "Amazon RDS Data API",
    "rds-data"
  ],
  [
    "Amazon RDS IAM Authentication",
    "rds-db"
  ],
  [
    "Amazon Redshift",
    "redshift"
  ],
  [
    "Amazon Rekognition",
    "rekognition"
  ],
  [
    "AWS Resource Access Manager",
    "ram"
  ],
  [
    "Amazon Resource Group Tagging API",
    "tag"
  ],
  [
    "AWS Resource Groups",
    "resource-groups"
  ],
  [
    "AWS RoboMaker",
    "robomaker"
  ],
  [
    "Amazon Route 53",
    "route53"
  ],
  [
    "Amazon Route 53 Resolver",
    "route53resolver"
  ],
  [
    "Amazon Route53 Domains",
    "route53domains"
  ],
  [
    "Amazon S3",
    "s3"
  ],
  [
    "Amazon SageMaker",
    "sagemaker"
  ],
  [
    "AWS Savings Plans",
    "savingsplans"
  ],
  [
    "AWS Secrets Manager",
    "secretsmanager"
  ],
  [
    "AWS Security Hub",
    "securityhub"
  ],
  [
    "AWS Security Token Service",
    "sts"
  ],
  [
    "AWS Server Migration Service",
    "sms"
  ],
  [
    "AWS Serverless Application Repository",
    "serverlessrepo"
  ],
  [
    "AWS Service Catalog",
    "servicecatalog"
  ],
  [
    "Service Quotas",
    "servicequotas"
  ],
  [
    "Amazon SES",
    "ses"
  ],
  [
    "Amazon Session Manager Message Gateway Service",
    "ssmmessages"
  ],
  [
    "AWS Shield",
    "shield"
  ],
  [
    "Amazon Simple Workflow Service",
    "swf"
  ],
  [
    "Amazon SimpleDB",
    "sdb"
  ],
  [
    "AWS Snowball",
    "snowball"
  ],
  [
    "Amazon SNS",
    "sns"
  ],
  [
    "Amazon SQS",
    "sqs"
  ],
  [
    "AWS SSO",
    "sso"
  ],
  [
    "AWS SSO Directory",
    "sso-directory"
  ],
  [
    "AWS Step Functions",
    "states"
  ],
  [
    "Amazon Storage Gateway",
    "storagegateway"
  ],
  [
    "Amazon Sumerian",
    "sumerian"
  ],
  [
    "AWS Support",
    "support"
  ],
  [
    "AWS Systems Manager",
    "ssm"
  ],
  [
    "AWS Tag Editor",
    "resource-explorer"
  ],
  [
    "Amazon Textract",
    "textract"
  ],
  [
    "Amazon Transcribe",
    "transcribe"
  ],
  [
    "AWS Transfer for SFTP",
    "transfer"
  ],
  [
    "Amazon Translate",
    "translate"
  ],
  [
    "AWS Trusted Advisor",
    "trustedadvisor"
  ],
  [
    "AWS WAF",
    "waf"
  ],
  [
    "AWS WAF Regional",
    "waf-regional"
  ],
  [
    "AWS WAF V2",
    "wafv2"
  ],
  [
    "AWS Well-Architected Tool",
    "wellarchitected"
  ],
  [
    "Amazon WorkDocs",
    "workdocs"
  ],
  [
    "Amazon WorkLink",
    "worklink"
  ],
  [
    "Amazon WorkMail",
    "workmail"
  ],
  [
    "Amazon WorkMail Message Flow",
    "workmailmessageflow"
  ],
  [
    "Amazon WorkSpaces",
    "workspaces"
  ],
  [
    "Amazon WorkSpaces Application Manager",
    "wam"
  ],
  [
    "AWS X-Ray",
    "xray"
  ]
]
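As an added example that is not part of the post, the following Python code consumes a list in this exact format for the use case mentioned above: it resolves service names to prefixes and generates one explicit-Deny statement for every service prefix that is not on an allow list, taking care of the prefixes that several service names share. The SERVICES entries are a constructed subset of the list above.

```python
# Constructed subset of the list above, in the same [service name, prefix] shape;
# the full list would normally be loaded from the shared JSON file with json.load.
SERVICES = [
    ["Amazon QuickSight", "quicksight"],
    ["AWS Security Token Service", "sts"],
    ["Amazon S3", "s3"],
    ["AWS Marketplace", "aws-marketplace"],
    ["AWS Marketplace Catalog", "aws-marketplace"],
    ["Elastic Load Balancing", "elasticloadbalancing"],
    ["Elastic Load Balancing V2", "elasticloadbalancing"],
]


def prefixes_by_name(services):
    """Map display names to IAM prefixes (several names can share one prefix)."""
    return {name: prefix for name, prefix in services}


def deny_all_except(services, allowed_prefixes):
    """Return a policy with one explicit Deny statement covering every service
    prefix that is not allow-listed. Prefixes are de-duplicated (aws-marketplace
    and elasticloadbalancing each appear under several names) and sorted so the
    generated policy is stable across runs."""
    known = {prefix for _, prefix in services}
    unknown = set(allowed_prefixes) - known
    if unknown:
        raise ValueError(f"allow list contains unknown prefixes: {sorted(unknown)}")
    denied = sorted(known - set(allowed_prefixes))
    if not denied:
        raise ValueError("nothing to deny: an empty Action list is not valid IAM")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlistedServices",
            "Effect": "Deny",
            "Action": [f"{prefix}:*" for prefix in denied],
            "Resource": "*",
        }],
    }
```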