data-dot-all / dataall

A modern data marketplace that makes collaboration among diverse users (like business, analysts and engineers) easier, increasing efficiency and agility in data projects on AWS.
https://data-dot-all.github.io/dataall/
Apache License 2.0

Switch Quicksight user management to use IAM identity center instead of Quicksight users #1408

Open pziss opened 1 month ago

pziss commented 1 month ago

Describe the bug

Problem Overview

After switching the QuickSight authentication method from IAM federated identities and QuickSight-managed users to QuickSight using Identity Center, I have encountered an issue with sharing dashboards between different QuickSight accounts. Data.all users who are part of the same team can automatically view a dashboard once it has been imported. However, when data.all users request access to a dashboard created by another team via a share request, they receive the below error message. This functionality works as expected with QuickSight accounts using IAM federated identities and QuickSight-managed users.

“An error occurred (AccessDeniedException) when calling the CreateGroup operation: Operation is disabled for identities managed by IAM Identity Center”


When testing this functionality with QuickSight accounts using IAM federated identities and QuickSight-managed users, I observed that data.all creates a group called dataall in the QuickSight account where the dashboard was created. This group includes the email address of the dashboard owner and all other users assigned to that QuickSight account. Additionally, data.all creates a team-specific group named after the requesting team and adds the email address of the data.all account that submitted the share request. This team-specific group is granted Viewer permissions for the requested dashboard.


The error message would indicate that data.all is attempting to create the dataall group and/or a group named after the requesting team to facilitate cross-account dashboard sharing. However, this process is failing because users and groups are managed by Identity Center rather than QuickSight. In my case, I am using an external IdP, so user management is technically handled by Okta.

Attempted Workaround

I have attempted to manually create the dataall group and a group named after the requesting team in Okta/Identity Center. These groups were then mapped to the QuickSight account where the dashboard was created, with the Reader role. I then assigned Viewer permissions to the team-specific group for the requested dashboard, as would normally be configured automatically by data.all. However, I am now encountering the below error message.

“An error occurred (AccessDeniedException) when calling the RegisterUser operation: Operation is disabled for identities managed by IAM Identity Center”


The error message would indicate that while data.all has now identified these groups, it is still trying to register users to them.

How to Reproduce

Pre-work (for each QuickSight account)

  1. Close the out-of-the-box QuickSight account that was set up by data.all.
  2. Enable IAM Identity Center in the linked AWS environment.
  3. Configure Okta as an External Identity Provider for IAM Identity Center.
  4. Create a group for QuickSight Authors and QuickSight Admins in Okta/Identity Center.
  5. Subscribe to a new QuickSight account with Identity Center authentication. Note: Enter the same name used for the previous QuickSight account. Note: Map the QuickSight admin and author roles to the groups created within Okta/Identity Center.

How to Reproduce

  1. Log in to data.all as a user from 'TEAM-A' who will create a dashboard.
  2. Create a dashboard in QuickSight and note the dashboard ID.
  3. Import the dashboard into data.all using the dashboard ID.
  4. Log in to data.all as a user from TEAM-B who will request access to the dashboard. Note: This user belongs to a team that is mapped to a different environment, giving them access to a different QuickSight account (also using Identity Center authentication).
  5. Search for the dashboard in the data.all catalog.
  6. Request access to the dashboard.
  7. Log in to data.all as the user who created the dashboard.
  8. Approve the dashboard share request.
  9. Log in to data.all as the user who requested access to the dashboard.
  10. Select the dashboard to view it.

Expected behavior

No response

Your project

No response

Screenshots

No response

OS

n/a

Python version

n/a

AWS data.all version

1.5.6

Additional context

No response
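The report above describes the share flow as data.all performs it for QuickSight-managed users (create a group named after the requesting team, register the requester, add the membership, grant the group viewer access to the dashboard) and shows that the first two steps are refused outright when the account's users are managed by IAM Identity Center. The following is an added example, not data.all's own code, of how a caller of the QuickSight API can check the account's authentication type up front (via the real `DescribeAccountSubscription` API, whose `AccountInfo.AuthenticationType` is `IAM_IDENTITY_CENTER` for such accounts) and refuse the CreateGroup/RegisterUser path with a clear reason instead of failing part-way through. The `qs` argument is any object exposing the boto3 QuickSight client methods used; `FakeQuickSight`, the account ID, dashboard ID, team name and e-mail address are constructed stand-ins so the example runs offline, and the fake reproduces the `AccessDeniedException` messages quoted in the issue.

```python
# Added example (not data.all code): pre-flight check for the dashboard share flow.
try:
    from botocore.exceptions import ClientError  # real boto3/botocore error type
except ImportError:  # offline fallback with the same .response shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            self.response = error_response
            self.operation_name = operation_name
            err = error_response["Error"]
            super().__init__(f"An error occurred ({err['Code']}) when calling the "
                             f"{operation_name} operation: {err['Message']}")

# AuthenticationType value returned by DescribeAccountSubscription for IdC-backed accounts.
IDENTITY_CENTER = "IAM_IDENTITY_CENTER"
IDC_MESSAGE = "Operation is disabled for identities managed by IAM Identity Center"
# Read-only dashboard actions granted to the requesting team's group ("Viewer").
VIEWER_ACTIONS = ["quicksight:DescribeDashboard",
                  "quicksight:ListDashboardVersions",
                  "quicksight:QueryDashboard"]


class IdentityCenterManagedAccount(Exception):
    """Raised before CreateGroup/RegisterUser is attempted on an Identity Center account."""


def account_auth_type(qs, account_id):
    """Return the account's AuthenticationType (IAM_AND_QUICKSIGHT, IAM_ONLY,
    ACTIVE_DIRECTORY or IAM_IDENTITY_CENTER)."""
    info = qs.describe_account_subscription(AwsAccountId=account_id)["AccountInfo"]
    return info["AuthenticationType"]


def share_dashboard_with_team(qs, account_id, dashboard_id, team, requester_email,
                              namespace="default"):
    """Grant the requesting team viewer access the way the issue describes for
    QuickSight-managed users, but refuse up front when users are managed by
    Identity Center instead of failing halfway through with AccessDeniedException."""
    auth = account_auth_type(qs, account_id)
    if auth == IDENTITY_CENTER:
        raise IdentityCenterManagedAccount(
            f"account {account_id} uses {auth}; group '{team}' and user "
            f"'{requester_email}' must be provisioned in the identity source, "
            "not via CreateGroup/RegisterUser")
    group = qs.create_group(GroupName=team, AwsAccountId=account_id,
                            Namespace=namespace)["Group"]
    qs.register_user(IdentityType="QUICKSIGHT", Email=requester_email,
                     UserName=requester_email, UserRole="READER",
                     AwsAccountId=account_id, Namespace=namespace)
    qs.create_group_membership(MemberName=requester_email, GroupName=team,
                               AwsAccountId=account_id, Namespace=namespace)
    qs.update_dashboard_permissions(
        AwsAccountId=account_id, DashboardId=dashboard_id,
        GrantPermissions=[{"Principal": group["Arn"], "Actions": VIEWER_ACTIONS}])
    return group["Arn"]


class FakeQuickSight:
    """Constructed stand-in for boto3's QuickSight client (offline only)."""

    def __init__(self, auth_type, region="us-east-1"):
        self.auth_type = auth_type
        self.region = region
        self.calls = []  # (operation, key argument) in call order, for inspection

    def _deny_if_identity_center(self, op):
        # Reproduces the two errors quoted in the issue.
        if self.auth_type == IDENTITY_CENTER:
            raise ClientError({"Error": {"Code": "AccessDeniedException",
                                         "Message": IDC_MESSAGE}}, op)

    def describe_account_subscription(self, AwsAccountId):
        return {"AccountInfo": {"AuthenticationType": self.auth_type}}

    def create_group(self, GroupName, AwsAccountId, Namespace):
        self._deny_if_identity_center("CreateGroup")
        self.calls.append(("CreateGroup", GroupName))
        arn = f"arn:aws:quicksight:{self.region}:{AwsAccountId}:group/{Namespace}/{GroupName}"
        return {"Group": {"GroupName": GroupName, "Arn": arn}}

    def register_user(self, **kw):
        self._deny_if_identity_center("RegisterUser")
        self.calls.append(("RegisterUser", kw["Email"]))
        return {}

    def create_group_membership(self, **kw):
        self.calls.append(("CreateGroupMembership", kw["MemberName"]))
        return {}

    def update_dashboard_permissions(self, **kw):
        self.calls.append(("UpdateDashboardPermissions",
                           kw["GrantPermissions"][0]["Principal"]))
        return {}


def unguarded_error_code(qs, team="TEAM-B", account_id="111111111111"):
    """What the issue observed: CreateGroup called directly on an Identity Center
    account. Returns the error code, or None when the call succeeds."""
    try:
        qs.create_group(GroupName=team, AwsAccountId=account_id, Namespace="default")
    except ClientError as e:
        return e.response["Error"]["Code"]
    return None


if __name__ == "__main__":
    idc = FakeQuickSight(IDENTITY_CENTER)
    print("unguarded CreateGroup on Identity Center account:", unguarded_error_code(idc))
    try:
        share_dashboard_with_team(idc, "111111111111", "dash-1", "TEAM-B", "user@example.com")
    except IdentityCenterManagedAccount as e:
        print("guarded:", e)
    classic = FakeQuickSight("IAM_AND_QUICKSIGHT")
    print(share_dashboard_with_team(classic, "111111111111", "dash-1", "TEAM-B", "user@example.com"))
    print(classic.calls)
```

The guard is deliberately placed before any write call, so an Identity Center account never ends up in the half-configured state the reporter hit (groups present, user registration refused); with a real boto3 client the same function runs unchanged, and the caller needs `quicksight:DescribeAccountSubscription` in addition to the group, user and dashboard permissions.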

dlpzx commented 1 month ago

Hi @pziss, thanks for opening an issue with so much detail and discovery. Your experimentation is much appreciated and will help us in any future designs (it's great to see that only the sharing dashboards presents issues:) ). At the moment we are in the exploration phase on IAM Identity Center and data.all and features are not yet part of our roadmap. We'll keep this issue open and will reach out when we include it in our plan. FYI @petrkalos