AWS Quicksight: A Concise Tutorial

AWS Quicksight - Embedding Dashboard

You can also embed your Quicksight dashboards into external applications or web pages and control user access with the AWS Cognito service. To set up user control, create a user pool and an identity pool in Cognito and assign the embed dashboard policies to the identity pool.

AWS Cognito is an IAM service which allows administrators to create and manage temporary users to provide access to applications. With an identity pool, you can manage permissions on these user pools.

Let us see how to generate a secure dashboard URL and perform user control −

Step 1 - Creating user pools and users

Create a user pool in AWS Cognito and create users. Go to Amazon Cognito → Manage User Pools → Create a User Pool.


Step 2 - Creating an identity pool

Once the user pool is created, the next step is to create an identity pool. Go to https://console.aws.amazon.com/cognito/home?region=us-east-1

Click on “Create New Identity Pool”.


Enter an appropriate name for the identity pool. Go to the Authentication Providers section and select the “Cognito” option.


Step 3 - Creating Cognito roles

Enter the User Pool ID (your user pool ID) and the App Client ID (go to App Clients in the user pool and copy the ID).

Next, click on ‘Create Pool’ and then click on ‘Allow’ to create the roles of the identity pool in IAM. This creates 2 Cognito roles.

Step 4 - Assigning Custom Policy

The next step is to assign a custom policy to the identity roles created in the above step −

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Action": "quicksight:RegisterUser",
         "Resource": "*",
         "Effect": "Allow"
      },
      {
         "Action": "quicksight:GetDashboardEmbedUrl",
         "Resource": "*",
         "Effect": "Allow"
      },
      {
         "Action": "sts:AssumeRole",
         "Resource": "*",
         "Effect": "Allow"
      }
   ]
}

You can pass the dashboard Amazon Resource Name (ARN) as the resource for “quicksight:GetDashboardEmbedUrl” instead of “*” to restrict the user to accessing only one dashboard.
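The following added example (not part of the original tutorial) audits the Step 4 policy for "*" resources and produces a scoped copy. Scoping sts:AssumeRole to the Cognito role ARN goes beyond the dashboard restriction described above and is an assumption, as are the account ID, dashboard ID and role name, which are constructed placeholders.

```javascript
// Added example: audit and scope the Step 4 policy.
// Account ID, region, dashboard ID and role name are constructed placeholders.
const step4Policy = {
  Version: "2012-10-17",
  Statement: [
    { Action: "quicksight:RegisterUser", Resource: "*", Effect: "Allow" },
    { Action: "quicksight:GetDashboardEmbedUrl", Resource: "*", Effect: "Allow" },
    { Action: "sts:AssumeRole", Resource: "*", Effect: "Allow" }
  ]
};

// Action and Resource may each be a string or an array in IAM policies.
const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Return every allowed action whose resource list contains the wildcard "*".
function findWildcardActions(policy) {
  const hits = [];
  for (const stmt of asArray(policy.Statement)) {
    if (stmt.Effect !== "Allow") continue;
    if (asArray(stmt.Resource).some((r) => r === "*")) {
      hits.push(...asArray(stmt.Action));
    }
  }
  return hits;
}

// Return a copy of the policy with one statement per action, where each
// action listed in `scopes` (action name -> ARN) has "*" replaced by that ARN.
function scopePolicy(policy, scopes) {
  const Statement = [];
  for (const stmt of asArray(policy.Statement)) {
    const wildcard = asArray(stmt.Resource).includes("*");
    for (const action of asArray(stmt.Action)) {
      const arn = scopes[action];
      Statement.push({ ...stmt, Action: action,
        Resource: arn && wildcard ? arn : stmt.Resource });
    }
  }
  return { ...policy, Statement };
}

const scoped = scopePolicy(step4Policy, {
  "quicksight:GetDashboardEmbedUrl":
    "arn:aws:quicksight:us-east-1:111122223333:dashboard/EXAMPLE-DASHBOARD-ID",
  "sts:AssumeRole": "arn:aws:iam::111122223333:role/ExampleCognitoAuthRole"
});
console.log(JSON.stringify(scoped, null, 2));
console.log("still wildcard:", findWildcardActions(scoped));
```

The remaining wildcard finding, quicksight:RegisterUser, is left for you to scope according to how users are registered in your account.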

Step 5 - Logging into Cognito application

The next step is to log in to the Cognito application with the credentials of a user in the user pool. When the user logs in to the application, Cognito generates 3 tokens −

  1. IDToken

  2. AccessToken

  3. Refresh Token

To create a temporary IAM user, set the credentials as shown below −

AWS.config.region = 'us-east-1';
// The Logins map for a Cognito user pool expects the ID token (IDToken)
// issued at login, not the access token.
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
   IdentityPoolId: "Identity pool ID",
   Logins: {
      'cognito-idp.us-east-1.amazonaws.com/UserPoolID': IDToken
   }
});

To generate temporary IAM credentials, call the sts.assumeRole method with the below parameters −

var sts = new AWS.STS();
var params = {
   RoleArn: "Cognito Identity role arn",
   RoleSessionName: "Session name"
};
sts.assumeRole(params, function (err, data) {
   if (err) {
      // an error occurred
      console.log(err, err.stack);
   } else {
      // data.Credentials holds AccessKeyId, SecretAccessKey and SessionToken;
      // do not log it outside of debugging
      console.log(data);
   }
});

Step 6 - Registering the user in Quicksight

The next step is to register the user in Quicksight using “quicksight.registerUser” for credentials generated in step 3 with the below parameters −

var quicksight = new AWS.QuickSight();
var params = {
   AwsAccountId: 'account id',
   Email: 'email',
   IdentityType: 'IAM',
   Namespace: 'default',
   // one of ADMIN | AUTHOR | READER | RESTRICTED_AUTHOR | RESTRICTED_READER
   UserRole: 'READER',
   IamArn: 'Cognito Identity role arn',
   SessionName: 'session name given in the assume role creation'
};
quicksight.registerUser(params, function (err, data1) {
   if (err) {
      // an error occurred
      console.log("err register user");
   } else {
      // console.log("Register User1");
   }
});

Step 7 - Updating AWS Configuration file

Next, update the AWS configuration for the user generated in step 5.

AWS.config.update({
   // values from data.Credentials returned by sts.assumeRole in step 5
   accessKeyId: AccessKeyId,
   secretAccessKey: SecretAccessKey,
   sessionToken: SessionToken,
   region: Region
});

Step 8 - Generating embed URL for Quicksight dashboard

With the credentials created in step 5, call quicksight.getDashboardEmbedUrl with the below parameters to generate the URL.

// create the client after AWS.config.update so it uses the updated credentials
var quicksight = new AWS.QuickSight();
var params = {
   AwsAccountId: "Enter AWS account ID",
   DashboardId: "Enter dashboard Id",
   IdentityType: "IAM",
   ResetDisabled: true,
   SessionLifetimeInMinutes: 15,   // between 15 and 600 minutes
   UndoRedoDisabled: false         // true or false
};
quicksight.getDashboardEmbedUrl(params, function (err, data) {
   if (!err) {
      console.log(data);
   } else {
      console.log(err);
   }
});

You have to call “QuickSightEmbedding.embedDashboard” from your application using the URL generated above.

Like Amazon Quicksight, an embedded dashboard also supports the following features −

  1. Drill-down option

  2. Custom actions (link to a new tab)

  3. On-screen filters

  4. Download to CSV

  5. Sorting on visuals

  6. Email report opt-in

  7. Reset dashboard to defaults option

  8. Undo/redo actions on the dashboard