Lambda Execution Role

Follow the steps below to create the role that will be used to execute our Lambda function.

  1. Launch IAM, choose Policies from left panel and click Create policy button.
  1. Click the JSON tab and paste the policy provided below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:GetDashboardEmbedUrl",
                "quicksight:GetAnonymousUserEmbedUrl"
            ],
            "Resource": [
                "arn:aws:quicksight:*:*:dashboard/<Dashboard1Id>",
                "arn:aws:quicksight:*:*:dashboard/<Dashboard2Id>"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Since this policy opens up anonymous access, be sure to enable it only for specific dashboards and do NOT use * to allow all dashboards. In this sample, I’m including just two dashboards in the Resource list. You can include as many as you want.

  1. Replace <Dashboard1Id> and <Dashboard2Id> placeholders.
    Scroll down and click Review policy button.
  1. Name the policy as QSAnonymousEmbedPolicy
    Scroll down and click Create policy button.
  1. Click Roles from left panel and click Create role button.
  1. Select AWS service, Lambda and then click Next: Permissions.
  1. Search for QSAnonymous, select QSAnonymousEmbedPolicy, click Next: Tags button followed by Next: Review button on the next screen.
  1. Name the role as QSAnonymousEmbedRole and click Create role button.
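
The warning above about never using * for dashboards can be checked mechanically before the policy JSON is pasted into IAM. The following Python check is an added example, not part of the original walkthrough: the function names and the sample policy are constructed for illustration, and it assumes the policy uses only Action and Resource keys (not NotAction or NotResource).

```python
import fnmatch
import json
import re

# The two embed actions granted by the policy above, lower-cased for matching.
EMBED_ACTIONS = ("quicksight:getdashboardembedurl",
                 "quicksight:getanonymoususerembedurl")
# Region and account may be "*", as in the policy above; group 1 is the dashboard ID.
DASHBOARD_ARN = re.compile(r"^arn:aws[\w-]*:quicksight:[^:]*:[^:]*:dashboard/(.+)$")

def as_list(value):
    """IAM accepts either a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def grants_embed(statement):
    """True if an Allow statement covers an embed action (IAM action matching
    is case-insensitive and honours * and ? wildcards)."""
    return statement.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action, pattern.lower())
        for pattern in as_list(statement.get("Action", []))
        for action in EMBED_ACTIONS)

def audit_policy(policy_json):
    """Return findings; an empty list means every embed grant names explicit dashboards."""
    findings = []
    for index, statement in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if not grants_embed(statement):
            continue  # e.g. the CloudWatch Logs statement, which is out of scope here
        for resource in as_list(statement.get("Resource", [])):
            match = DASHBOARD_ARN.match(resource)
            if match is None:
                findings.append(f"statement {index}: {resource} is not a dashboard ARN")
            elif "<" in match.group(1):
                findings.append(f"statement {index}: placeholder left in {resource}")
            elif "*" in match.group(1) or "?" in match.group(1):
                findings.append(f"statement {index}: wildcard dashboard ID in {resource}")
    return findings

# Constructed sample (not from the page): a wildcarded action and three bad resources.
SAMPLE_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "quicksight:Get*",
    "Resource": ["arn:aws:quicksight:*:*:dashboard/*",
                 "arn:aws:quicksight:*:*:dashboard/<Dashboard1Id>", "*"]}]})

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_BROAD):
        print(finding)
```

Run audit_policy on the JSON after replacing the placeholders; the logs statement with Resource "*" is ignored because it grants no embed action.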