generateEmbedUrlForAnonymousUser method
Generates an embed URL that you can use to embed an Amazon Quick dashboard or visual in your website, without having to register any reader users. Before you use this action, make sure that you have configured the dashboards and permissions.
The following rules apply to the generated URL:
- It contains a temporary bearer token. It is valid for 5 minutes after it is generated. Once redeemed within this period, it cannot be re-used again.
- The URL validity period should not be confused with the actual session lifetime that can be customized using the SessionLifetimeInMinutes parameter. The resulting user session is valid for 15 minutes (minimum) to 10 hours (maximum). The default session duration is 10 hours.
- You are charged only when the URL is used or there is interaction with Amazon Quick.
For more information about the high-level steps for embedding and for an interactive demo of the ways you can customize embedding, visit the Amazon Quick Developer Portal.
May throw AccessDeniedException.
May throw InternalFailureException.
May throw InvalidParameterValueException.
May throw ResourceNotFoundException.
May throw SessionLifetimeInMinutesInvalidException.
May throw ThrottlingException.
May throw UnsupportedPricingPlanException.
May throw UnsupportedUserEditionException.
Parameter authorizedResourceArns :
The Amazon Resource Names (ARNs) for the Quick Sight resources that the
user is authorized to access during the lifetime of the session.
If you choose Dashboard embedding experience, pass the list
of dashboard ARNs in the account that you want the user to be able to
view.
If you want to make changes to the theme of your embedded content, pass a list of theme ARNs that the anonymous users need access to.
Currently, you can pass up to 25 theme ARNs in each API call.
Parameter awsAccountId :
The ID for the Amazon Web Services account that contains the dashboard
that you're embedding.
Parameter experienceConfiguration :
The configuration of the experience that you are embedding.
Parameter namespace :
The Amazon Quick Sight namespace that the anonymous user virtually belongs
to. If you are not using an Amazon Quick custom namespace, set this to
default.
Parameter allowedDomains :
The domains that you want to add to the allow list for access to the
generated URL that is then embedded. This optional parameter overrides the
static domains that are configured in the Manage Quick Sight menu in the
Amazon Quick Sight console. Instead, it allows only the domains that you
include in this parameter. You can list up to three domains or subdomains
in each API call.
To include all subdomains under a specific domain to the allow list, use
*. For example, https://*.sapp.amazon.com
includes all subdomains under https://sapp.amazon.com.
Parameter sessionLifetimeInMinutes :
How many minutes the session is valid. The session lifetime must be in
the range of 15 to 600 minutes.
Parameter sessionTags :
Session tags are user-specified strings that identify a session in your
application. You can use these tags to implement row-level security (RLS)
controls. Before you use the SessionTags parameter, make sure
that you have configured the relevant datasets using the
DataSet$RowLevelPermissionTagConfiguration parameter so that
session tags can be used to provide row-level security.
When using SessionTags in GenerateEmbedUrlForAnonymousUser:
- Treat SessionTags as security credentials. Do not expose SessionTags to end users or client-side code.
- Implement server-side controls. Ensure that SessionTags are set exclusively by your trusted backend services, not by parameters that end users can modify.
- Protect SessionTags from enumeration. Ensure that users in one tenant cannot discover or guess sessionTag values belonging to other tenants.
- Review your architecture. If downstream customers or partners are allowed to call the GenerateEmbedUrlForAnonymousUser API directly, evaluate whether those parties could specify sessionTag values for tenants they should not access.
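One way to apply the SessionTags guidance above on a backend, shown as an added example that is not part of this SDK or of the original page. The helper `buildEmbedArgs`, the `EmbedArgs` class, the `tenant_id` tag key, the tenant registry, the domain and the 60-minute local cap are all assumptions made for illustration.

```dart
// Added example (hypothetical helper, not SDK code). Tenant identity comes
// from the verified server-side session; request fields are untrusted.

// Constructed registry: tenant id -> dashboard ARNs that tenant may view.
const tenantDashboards = <String, List<String>>{
  'tenant-a': ['arn:aws:quicksight:us-east-1:111122223333:dashboard/EXAMPLE-A'],
  'tenant-b': ['arn:aws:quicksight:us-east-1:111122223333:dashboard/EXAMPLE-B'],
};

class EmbedArgs {
  final List<String> authorizedResourceArns;
  final Map<String, String> sessionTags;
  final List<String> allowedDomains;
  final int sessionLifetimeInMinutes;
  const EmbedArgs(this.authorizedResourceArns, this.sessionTags,
      this.allowedDomains, this.sessionLifetimeInMinutes);
}

EmbedArgs buildEmbedArgs({
  required String authenticatedTenantId, // from the server session
  required String requestedDashboardArn, // from the client, untrusted
  int? requestedLifetimeMinutes, // from the client, untrusted
}) {
  final permitted = tenantDashboards[authenticatedTenantId];
  if (permitted == null || !permitted.contains(requestedDashboardArn)) {
    throw ArgumentError('dashboard is not authorized for this tenant');
  }
  return EmbedArgs(
    [requestedDashboardArn],
    // Assumed tag key; it must match the dataset's RLS tag configuration.
    {'tenant_id': authenticatedTenantId},
    // Fixed server-side allow list, never echoed from the request.
    const ['https://app.example.com'],
    // Stay inside the API's 15-600 range, with a tighter local cap of 60.
    (requestedLifetimeMinutes ?? 15).clamp(15, 60).toInt(),
  );
}

void main() {
  final a = tenantDashboards['tenant-a']!.first;
  final b = tenantDashboards['tenant-b']!.first;
  final ok = buildEmbedArgs(
      authenticatedTenantId: 'tenant-a',
      requestedDashboardArn: a,
      requestedLifetimeMinutes: 100000);
  print('${ok.sessionTags} ${ok.sessionLifetimeInMinutes}');
  try {
    buildEmbedArgs(authenticatedTenantId: 'tenant-a', requestedDashboardArn: b);
  } on ArgumentError catch (e) {
    print('rejected: ${e.message}');
  }
}
```

The fields of the returned `EmbedArgs` correspond to the method's `authorizedResourceArns`, `sessionTags`, `allowedDomains` and `sessionLifetimeInMinutes` arguments; only the resulting embed URL should be returned to the browser.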
Implementation
Future<GenerateEmbedUrlForAnonymousUserResponse>
    generateEmbedUrlForAnonymousUser({
  required List<String> authorizedResourceArns,
  required String awsAccountId,
  required AnonymousUserEmbeddingExperienceConfiguration
      experienceConfiguration,
  required String namespace,
  List<String>? allowedDomains,
  int? sessionLifetimeInMinutes,
  List<SessionTag>? sessionTags,
}) async {
  _s.validateNumRange(
    'sessionLifetimeInMinutes',
    sessionLifetimeInMinutes,
    15,
    600,
  );
  final $payload = <String, dynamic>{
    'AuthorizedResourceArns': authorizedResourceArns,
    'ExperienceConfiguration': experienceConfiguration,
    'Namespace': namespace,
    if (allowedDomains != null) 'AllowedDomains': allowedDomains,
    if (sessionLifetimeInMinutes != null)
      'SessionLifetimeInMinutes': sessionLifetimeInMinutes,
    if (sessionTags != null) 'SessionTags': sessionTags,
  };
  final response = await _protocol.send(
    payload: $payload,
    method: 'POST',
    requestUri:
        '/accounts/${Uri.encodeComponent(awsAccountId)}/embed-url/anonymous-user',
    exceptionFnMap: _exceptionFns,
  );
  return GenerateEmbedUrlForAnonymousUserResponse.fromJson(response);
}