Scale Amazon QuickSight embedded analytics with new API-based domain allow listing

[Amazon QuickSight](https://aws.amazon.com/cn/quicksight/) is a fully managed, cloud-native business intelligence (BI) service that makes it easy to connect to your data, create interactive dashboards, and share these with tens of thousands of users, either within QuickSight itself or embedded in apps and portals.

QuickSight Enterprise Edition recently introduced the ability to dynamically allow list the domains where QuickSight content can be embedded. This allows developers to quickly embed dashboards across multiple apps, portals, or websites, without needing to make this change on the QuickSight administrative console every time. Together with QuickSight's existing dashboard theming and templating capabilities, this new feature allows developers to rapidly develop and deploy QuickSight dashboards and visualizations for a variety of use cases across various applications with ease. Let's take a look at how this works.

#### **Solution overview**

To embed a QuickSight dashboard using APIs, you can use one of the following embedding APIs:

- [GenerateEmbedUrlForAnonymousUser](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_GenerateEmbedUrlForAnonymousUser.html)
- [GenerateEmbedUrlForRegisteredUser](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_GenerateEmbedUrlForRegisteredUser.html)

In these APIs, you can now pass the domain where you want to embed your dashboard using the new parameter `AllowedDomains`:

```
POST /accounts/AwsAccountId/embed-url/registered-user HTTP/1.1
Content-type: application/json

{
   "AllowedDomains": [ "string" ],
   "ExperienceConfiguration": {
      "Dashboard": {
         "InitialDashboardId": "string"
      },
      "QSearchBar": {
         "InitialTopicId": "string"
      },
      "QuickSightConsole": {
         "InitialPath": "string"
      }
   },
   "SessionLifetimeInMinutes": number,
   "UserArn": "string"
}
```

You can add up to three domains in a single API call as an array. All the domains need to be SSL enabled (that is, they must use the HTTPS protocol). If you want to test out the embedded dashboard on your local machine, you can allow list `http://localhost` via the `AllowedDomains` parameter. For example, if you want to embed a dashboard in your SaaS application called `https://myorders.simplelogistics.com`, you set `AllowedDomains` to be `https://myorders.simplelogistics.com` in the API call. You can also enable subdomains by passing `*`, for example, `https://*.myorders.simplelogistics.com`.

`AllowedDomains` is an optional parameter. If you don't specify any domains via this parameter, you can still use the domains allow listed via the QuickSight console. But if you specify domains via this parameter, then the embedding URL returned as part of the API call is only embeddable in these domains (even if you have a list of static domains entered on the QuickSight console).

Prior to this capability, the Content-Security-Policy in the request header listed all the domains allow listed in the QuickSight console. Now, when you allow list domains using the API, the Content-Security-Policy shows only the domains that are allow listed in the API call.

With this new capability, ISVs that have different applications for different customers can allow list specific domains at runtime, enabling them to scale easily for different customers and to hundreds of thousands of end users.

As an added security measure, the Amazon Web Services Identity and Access Management (IAM) admin of your QuickSight account can restrict the domains that can be allow listed. This can be done when your IAM admin [sets up permissions](https://docs.aws.amazon.com/quicksight/latest/user/embedded-analytics-dashboards-with-anonymous-users-step-1.html) for your application or server. As part of this step, you can specify the list of domains that can be allow listed via the embedding APIs. For example, let's assume you want your developers to only allow list the following domains:

- `https://myorders.simplelogistics.com`
- `https://cheapelectornics.simplelogistics.com`
- `https://myreturns.simplelogistics.com`

You can set these domains in the `quicksight:AllowedEmbeddingDomains` condition of the permissions setup. The following code is a sample for the `GenerateEmbedUrlForAnonymousUser` API:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:GenerateEmbedUrlForAnonymousUser"
            ],
            "Resource": "arn:partition:quicksight:region:accountId:user/namespace/userName",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "quicksight:AllowedEmbeddingDomains": [
                        "https://myorders.simplelogistics.com",
                        "https://cheapelectornics.simplelogistics.com",
                        "https://myreturns.simplelogistics.com"
                    ]
                }
            }
        }
    ]
}
```

#### **Sample use case**

In this example use case, Travel Analytics is a software as a service (SaaS) provider with travel-related solutions for various travel agencies. They have a SaaS application for these agencies to track different metrics on how their business is performing. Because Travel Analytics is scaling their business, they have different sites for different travel agencies. With the newly launched domain allow listing with APIs, they're able to scale with ease. They allow list the specific domains, depending on the customer, via the API when generating the embedding URL.

The following code shows their sample `GenerateEmbedUrlForAnonymousUser` API call with the domain added to the request:

![image.png](https://dev-media.amazoncloud.cn/82725dcddc1f4b4eb3139616a1b47a8f_image.png)

The returned URL can only be embedded in the domain that was allow listed as part of the preceding request. The following is a screenshot of the embedded dashboard in this domain.

![image.png](https://dev-media.amazoncloud.cn/661c59a93b2e49ccaf48b1dc989f3ece_image.png)

When the dashboard is embedded, the CSP header contains only the specific domain allow listed via the API.

![image.png](https://dev-media.amazoncloud.cn/0078cb03c8b74726bdd377b397d6ad57_image.png)

#### **Conclusion**

Runtime domain allow listing using embedding APIs enables developers to easily scale their embedded offerings with QuickSight dashboards, visuals, [QuickSight Q](https://aws.amazon.com/cn/quicksight/q/) (natural language querying), or the authoring experience across different domains for their different customers. All of this is done without any infrastructure setup or management, while scaling to millions of users. For more information, refer to [Amazon QuickSight Embedded Analytics](https://aws.amazon.com/cn/quicksight/embedded-analytics/) and [What's New in the Amazon QuickSight User Guide](https://docs.aws.amazon.com/quicksight/latest/user/doc-history.html).

#### **About the authors**

![image.png](https://dev-media.amazoncloud.cn/37b9e629ed174f2884700baf929798ee_image.png)

**Vetri Natarajan** is a Specialist Solutions Architect for Amazon QuickSight. Vetri has 15 years of experience implementing enterprise Business Intelligence (BI) solutions and greenfield data products. Vetri specializes in integrating BI solutions with business applications and enabling data-driven decisions.

![image.png](https://dev-media.amazoncloud.cn/577ce00b36664be99463af497375f7dd_image.png)

**Kareem Syed-Mohammed** is a Product Manager at Amazon QuickSight. He focuses on embedded analytics, APIs, and developer experience. Prior to QuickSight, he was with Amazon Web Services Marketplace and Amazon retail as a PM. Kareem started his career as a developer and then PM for call center technologies, Local Expert and Ads for Expedia. He worked as a consultant with McKinsey and Company for a short while.
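The `AllowedDomains` rules and the IAM `ForAllValues:StringEquals` condition described in the solution overview can be checked before the embedding API is called. The following is an added example, not code from the original post or from AWS: the function names are hypothetical, the policy values are copied from the sample policy, and the IAM check is a local model of the operator's semantics that makes no AWS calls.

```python
from urllib.parse import urlsplit

MAX_DOMAINS = 3  # the page: up to three domains per API call

# Values copied from the page's sample IAM policy condition.
POLICY_DOMAINS = frozenset({
    "https://myorders.simplelogistics.com",
    "https://cheapelectornics.simplelogistics.com",
    "https://myreturns.simplelogistics.com",
})

def format_problems(domains):
    """Check an AllowedDomains list against the rules stated on the page."""
    problems = []
    if len(domains) > MAX_DOMAINS:
        problems.append(f"{len(domains)} domains; at most {MAX_DOMAINS} per call")
    for d in domains:
        if d == "http://localhost":  # the only non-HTTPS value the page allows
            continue
        parts = urlsplit(d)
        host = parts.hostname or ""
        if parts.scheme != "https" or not host:
            problems.append(f"{d}: must be an https:// domain")
        # Assumption (this example's own hygiene rule, not a documented
        # QuickSight rule): '*' only as the whole leftmost label.
        elif "*" in host and not (host.startswith("*.") and "*" not in host[2:]):
            problems.append(f"{d}: wildcard must be the leftmost label")
    return problems

def iam_condition_allows(domains, policy_values=POLICY_DOMAINS):
    """Model ForAllValues:StringEquals: every requested value must match a
    policy value exactly. An empty or absent key also evaluates to true."""
    return all(d in policy_values for d in domains)

def preflight(domains):
    """Return (ok, reasons) for a planned AllowedDomains value."""
    reasons = format_problems(domains)
    if not iam_condition_allows(domains):
        denied = sorted(set(domains) - POLICY_DOMAINS)
        reasons.append("denied by IAM condition: " + ", ".join(denied))
    return (not reasons, reasons)

if __name__ == "__main__":
    for case in (["https://myorders.simplelogistics.com"], ["http://localhost"], []):
        print(case, preflight(case))
```

The empty-list case passes because `ForAllValues` evaluates to true when the request carries no values for the key, so a call that omits `AllowedDomains` is governed only by the static domain list in the QuickSight console. A wildcard or `http://localhost` value is well formed but is denied by this policy unless the exact string is added to the condition.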