Uncaught exception for SCP-related AccessDeniedException in QuickSight DescribeGroup operation in us-east-1 #851
Comments
Hi @lorchda, we are facing similar issues when registering users. We defaulted the identity region to the default when subscribing to Quicksight, but as more regions are added as identity regions it seems like there is a need to resolve the identity region in a better way. Let us discuss this feature internally but we will look into it.
### Feature or Bugfix
- Feature
- Bugfix

### Detail
There is no API to obtain the Quicksight identity region used for an account, we obtain it from the error logs of the response of describe_groups. However, it does not take into account AccessDenied errors based on SCPs. A more detailed description of the issue can be found in #851

This PR:
- handles AccessDenied errors based on SCPs and retries other Quicksight identity regions
- fixes some methods for registering users that should be using the Quicksight client in the identity region.

### Relates
- #851

### Security
Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/).

`N/A`
- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  - Is the input sanitized?
  - What precautions are you taking before deserializing the data you consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires authorization?
  - How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
I see it was a larger investigation behind, thank you for the deep dive and fix!
Describe the bug
When trying to start a QuickSight session, the following error is displayed:
How to Reproduce
The call trace is as follows: `GetAuthorSession` -> `get_identity_region`, which uses hardcoded parameter `us-east-1` in backend/dataall/base/aws/quicksight.py#L40 (`AccessDeniedException`), but does not foresee exceptions due to service control policies.

We were able to temporarily fix the issue by changing the value from `us-east-1` to `eu-central-1` (but thereby changing the logic of the function).

A more correct fix would be to review the block in `except client.exceptions.AccessDeniedException as e:`, ensure the `explicit deny in a service control policy` is caught with a fall back to the user's local region for `identity_region`.

Expected behavior
We are able to Start a QuickSight Session without errors.
Your project
data.all
Screenshots
- Developer Tools: Request
- Developer Tools: Response
- CloudWatch Logs for GraphQL Lambda
OS
Windows
Python version
python3.8
AWS data.all version
v2.0.0
Additional context
No response
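One way to implement the fall-back the report asks for, as an added example that is not data.all's code: try DescribeGroup in each candidate region, skip a region when the denial is an SCP explicit deny (it says nothing about the identity region), read the identity region from QuickSight's wrong-endpoint message when it is present, and otherwise fall back to the caller's local region. The `describe_group` callable, the fake client and both error-message formats are assumptions made here so the example runs offline.

```python
import re
from typing import Callable, Iterable, Optional, Set

# Assumed message fragments (not taken from the issue): the IAM/SCP explicit-deny
# text, and the QuickSight hint that names the account's identity region.
SCP_DENY = re.compile(r"explicit deny in a service control policy", re.I)
IDENTITY_HINT = re.compile(r"identity region is ([a-z]{2}-[a-z]+-\d)")


class AccessDeniedException(Exception):
    """Stand-in for client.exceptions.AccessDeniedException."""


def resolve_identity_region(describe_group: Callable[[str], dict],
                            candidates: Iterable[str],
                            fallback: Optional[str] = None) -> Optional[str]:
    """Probe DescribeGroup per region; return the identity region or `fallback`."""
    for region in candidates:
        try:
            describe_group(region)
            return region                      # call succeeded: this is the identity region
        except AccessDeniedException as e:
            msg = str(e)
            if SCP_DENY.search(msg):
                continue                       # SCP block: inconclusive, try the next region
            m = IDENTITY_HINT.search(msg)
            if m:
                return m.group(1)              # service named the identity region outright
            raise                              # any other denial is a real error: surface it
    return fallback                            # every region blocked by SCP: use local region


def make_fake_client(identity_region: str, scp_blocked: Set[str]) -> Callable[[str], dict]:
    """Constructed offline stand-in for a QuickSight client's describe_group."""
    def describe_group(region: str) -> dict:
        if region in scp_blocked:
            raise AccessDeniedException(
                "User is not authorized to perform: quicksight:DescribeGroup "
                "with an explicit deny in a service control policy")
        if region != identity_region:
            raise AccessDeniedException(
                f"Operation is being called from endpoint {region}, "
                f"but your identity region is {identity_region}.")
        return {"Group": {"GroupName": "demo"}}
    return describe_group


if __name__ == "__main__":
    client = make_fake_client("eu-central-1", {"us-east-1"})
    print(resolve_identity_region(client, ["us-east-1", "eu-central-1"]))
```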