How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?


I'm trying to access OpenSearch Dashboards using Amazon Cognito authentication on my Amazon OpenSearch Service cluster. But I receive an error or encounter a login issue.

Resolution

Login page doesn't appear when you enter the OpenSearch Dashboards URL

You might be taken straight from the OpenSearch Dashboards URL to the Dashboards home page, without seeing the Amazon Cognito login page, for several reasons:

  • You used an IP-based domain access policy that allows your local machine's public IP address to access Dashboards. Make sure to add the Amazon Cognito authenticated role to the domain access policy. If you don't add the authenticated role, then the IP-based policy grants access on its own and Dashboards is reachable without an Amazon Cognito sign-in.
  • Requests are signed by a permitted AWS Identity and Access Management (IAM) user or role. When you access the Dashboards URL, avoid using any Dashboards proxy method that signs your requests.
  • Your OpenSearch Service domain is in a virtual private cloud (VPC), and your domain has an open access policy. In this scenario, all VPC users can access Dashboards and the domain without Amazon Cognito authentication.

Note: In these cases, Amazon Cognito authentication isn't enforced. To require Amazon Cognito authentication, change your domain access policy. For more information, see Configuring access policies.

If you're redirected to the OpenSearch Dashboards login page but can't log in, then Amazon Cognito is incorrectly configured. The following sections describe the common errors and how to resolve each one:

"Missing Role" error

If you turned on fine-grained access control (FGAC) on OpenSearch Dashboards in your OpenSearch Service domain, then you might receive this error:

"Missing Role
No roles available for this user, please contact your system administrator."

The preceding error occurs when there's a mismatch between your IAM primary or lead user and the Amazon Cognito role that's assumed. The role that's assumed from your Amazon Cognito identity pool must match the IAM role that you specified for the primary or lead user.

To make the primary or lead user's IAM role match the assumed Amazon Cognito role, complete the following steps:

  1. Open the OpenSearch Service console.

  2. From the navigation pane, under Managed clusters, choose Domains.

  3. Choose Actions.

  4. Choose Edit security configuration.

  5. Under Fine-grained access control, choose Set IAM role as the primary or lead user. Make sure to specify the Amazon Cognito Authentication role's ARN.

  6. (Optional) If you forgot the primary or lead user's ARN (or other configuration details of the role), then modify the primary or lead user. When you reconfigure your primary or lead user, you can specify a new IAM ARN.

  7. Choose Submit.

Invalid identity pool configuration error

After you successfully authenticate your login using Amazon Cognito, you might still receive this error:

com.amazonaws.services.cognitoidentity.model.InvalidIdentityPoolConfigurationException:
Invalid identity pool configuration. Check assigned IAM roles for this pool.
(Service: AmazonCognitoIdentity; Status Code: 400; Error Code:
InvalidIdentityPoolConfigurationException; Request ID:
xxxxx-xxxx-xxxx-xxxx-xxxxx)

The preceding error occurs when Amazon Cognito doesn't have the required permission to assume an IAM role on behalf of the authenticated user. To resolve this issue, modify the trust relationship of the IAM role so that your identity pool can assume it:

  1. Open the Amazon IAM console.

  2. Choose Roles.

  3. Select your IAM role.

  4. Choose the Trust relationships tab.

  5. Choose Edit trust relationship. Make sure that your Amazon Cognito identity pool can assume the IAM role.

For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "identity-pool-id"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

  6. Choose Update Trust Policy.

For more information about updating your IAM role policy where fine-grained access control (FGAC) is turned on, see Tutorial: Configure a domain with an IAM master user and Amazon Cognito authentication.
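The trust policy above is only correct once the "identity-pool-id" placeholder is replaced with the ID of the identity pool that actually issues the credentials, and once the "amr" condition includes "authenticated". The following checker, an added example that is not part of the original article or of any AWS tool, reads a trust-policy document as a Python dict (in practice you would obtain it with `aws iam get-role` and pass the `AssumeRolePolicyDocument` field) and reports each way in which it fails to let the given identity pool assume the role for authenticated users. The identity pool ID and the sample policies are constructed for the demonstration.

```python
import json

COGNITO_FEDERATED = "cognito-identity.amazonaws.com"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"
AUD_KEY = "cognito-identity.amazonaws.com:aud"
AMR_KEY = "cognito-identity.amazonaws.com:amr"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _federated_principals(stmt):
    """Return the Federated principals of a statement ('*' or AWS principals do not count)."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("Federated"))
    return []


def _check_statement(stmt, identity_pool_id):
    """Problems that stop this Cognito statement from working for the given pool."""
    problems = []
    if ASSUME_ACTION not in _as_list(stmt.get("Action")):
        problems.append(f"missing action {ASSUME_ACTION}")
    cond = stmt.get("Condition", {})
    auds = _as_list(cond.get("StringEquals", {}).get(AUD_KEY))
    if not auds:
        # Without an aud condition any identity pool in any account could assume the role.
        problems.append(f"no StringEquals condition on {AUD_KEY}")
    elif identity_pool_id not in auds:
        problems.append(f"{AUD_KEY} is {auds}, expected {identity_pool_id!r}")
    amrs = _as_list(cond.get("ForAnyValue:StringLike", {}).get(AMR_KEY))
    if "authenticated" not in amrs:
        problems.append(f"{AMR_KEY} condition does not include 'authenticated'")
    return problems


def check_cognito_trust_policy(policy, identity_pool_id):
    """Return a list of findings; an empty list means at least one statement
    lets identity_pool_id assume the role for authenticated identities."""
    cognito_statements = [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow" and COGNITO_FEDERATED in _federated_principals(s)
    ]
    if not cognito_statements:
        return [f"no Allow statement with Principal.Federated = {COGNITO_FEDERATED}"]
    findings = []
    for stmt in cognito_statements:
        problems = _check_statement(stmt, identity_pool_id)
        if not problems:
            return []  # one fully correct statement is enough
        findings.extend(problems)
    return findings


# Constructed sample identity pool ID (not a real pool).
SAMPLE_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"


def _trust_policy(aud, amr):
    """Build a trust policy in the shape the article shows (constructed sample)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": COGNITO_FEDERATED},
            "Action": ASSUME_ACTION,
            "Condition": {
                "StringEquals": {AUD_KEY: aud},
                "ForAnyValue:StringLike": {AMR_KEY: amr},
            },
        }],
    }


# The article's example with its placeholder left in place: Cognito will fail to assume the role.
PLACEHOLDER_POLICY = _trust_policy("identity-pool-id", "authenticated")
# The same policy after the placeholder is replaced with the real pool ID.
CORRECT_POLICY = _trust_policy(SAMPLE_POOL_ID, "authenticated")
# Pool ID correct, but only unauthenticated identities are allowed.
UNAUTH_ONLY_POLICY = _trust_policy(SAMPLE_POOL_ID, "unauthenticated")

if __name__ == "__main__":
    for name, policy in [("placeholder", PLACEHOLDER_POLICY),
                         ("correct", CORRECT_POLICY),
                         ("unauth-only", UNAUTH_ONLY_POLICY)]:
        print(name, json.dumps(check_cognito_trust_policy(policy, SAMPLE_POOL_ID)))
```

Run it on the `AssumeRolePolicyDocument` of the authenticated role; an empty finding list is the state in which the InvalidIdentityPoolConfigurationException above cannot be caused by the trust policy. Deny statements and policy-level conditions other than the two keys shown are outside what this checker evaluates.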

Redirect mismatch error

You might receive the following error when you try to access OpenSearch Dashboards in OpenSearch Service using a Dashboards URL or custom endpoint URL:

"An error was encountered with the requested page"

The preceding error occurs when you're missing the callback URL configuration in Amazon Cognito's app client settings.

To check that your App client settings are correctly configured, perform these steps:

  1. Open the Amazon Cognito console.

  2. Choose Manage User Pools.

  3. Select the user pool that you want to edit.

  4. On the left side of the console, under App integration, choose the OpenSearch app client from the App client list.

  5. Verify that the callback URL(s) and sign-out URL(s) are correctly configured. For example:

<dashboards-endpoint>/_dashboards/app/home

For a domain where a custom endpoint is turned on, your callback URL and sign-out URL look similar to the following:

<domain-custom-endpoint>/_dashboards/app/home

Amazon Cognito identity pool authorization role error

If you can log in but can't see OpenSearch Dashboards, then you might receive this error:

User: arn:aws:sts::123456789012:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet

By default, the authenticated IAM role for identity pools doesn't include the privileges required to access Dashboards. Complete the following steps to find the name of the authenticated role and add it to the OpenSearch Service access policy:

  1. Open the Amazon Cognito console.

  2. Choose Manage Identity Pools.

  3. In the top-right corner of the console, choose Edit identity pool.

  4. Add your authenticated role to your OpenSearch Service domain access policy.

Note: It's a best practice to use a resource-based policy for authenticated users. The authenticated role specifically controls Amazon Cognito authentication for Dashboards, so when you add it, don't remove the other principals or resources that are already in the domain access policy.

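The "not authorized to perform: es:ESHttpGet" error and the IP-based policy case in the first section are two views of the same question: does the domain access policy explicitly grant the authenticated role the es:ESHttp* actions on the domain? The checker below is an added example, not part of the article or of any AWS tool. It takes a domain access policy as a Python dict (in practice the `AccessPolicies` string returned by `aws opensearch describe-domain-config`, parsed with `json.loads`), the authenticated role ARN and the domain ARN, and reports why the role cannot reach Dashboards. It matches IAM `*` and `?` wildcards in Action and Resource with `fnmatch`, treats a conditional `Principal: "*"` statement (for example an IP-based one) as not covering the role, and flags an unconditional `Principal: "*"` grant as an open policy. The ARNs and sample policies are constructed for the demonstration; Deny statements and the fine-grained access control layer are outside its scope.

```python
import fnmatch

# The action named in the article's error message; Dashboards needs es:ESHttpGet at minimum.
REQUIRED_ACTION = "es:ESHttpGet"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the AWS principals of a statement, with '*' preserved as a wildcard."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _covers(patterns, target):
    """IAM-style wildcard match: does any policy pattern ('*', '?') cover target?"""
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def check_domain_access_policy(policy, authenticated_role_arn, domain_arn):
    """Return findings; [] means an Allow statement names the authenticated
    role explicitly and covers es:ESHttpGet on every sub-resource of the domain."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _aws_principals(stmt)
        explicit = authenticated_role_arn in principals
        if not explicit and "*" not in principals:
            continue  # statement is about some other principal
        actions = _as_list(stmt.get("Action"))
        if not _covers(actions, REQUIRED_ACTION):
            findings.append(f"statement covers the role but actions {actions} do not include {REQUIRED_ACTION}")
            continue
        resources = _as_list(stmt.get("Resource"))
        if not _covers(resources, domain_arn + "/*"):
            findings.append(f"statement resources {resources} do not cover {domain_arn}/*")
            continue
        if explicit:
            return []  # the role is listed and the grant is sufficient
        if stmt.get("Condition"):
            # Typical IP-based policy: Principal "*" limited by aws:SourceIp.
            findings.append("only a conditional Principal '*' grant applies; add the authenticated role explicitly")
        else:
            findings.append("open access policy (Principal '*', no condition): Dashboards is reachable without Cognito sign-in")
    if not findings:
        findings.append(f"{authenticated_role_arn} is not granted {REQUIRED_ACTION} on {domain_arn} by any statement")
    return findings


# Constructed sample ARNs (account ID is the documentation placeholder 123456789012).
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/my-domain"
ROLE_ARN = "arn:aws:iam::123456789012:role/Cognito_identitypoolAuth_Role"

IP_STATEMENT = {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "es:*",
    "Resource": DOMAIN_ARN + "/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
}
ROLE_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN},
    "Action": "es:ESHttp*",
    "Resource": DOMAIN_ARN + "/*",
}

# IP-based policy only: the Cognito role is never named, so es:ESHttpGet fails.
IP_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [IP_STATEMENT]}
# The fix the article describes: keep the existing statement and add the authenticated role.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [IP_STATEMENT, ROLE_STATEMENT]}
# Open policy: everything is allowed, so Cognito authentication is not enforced.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{**IP_STATEMENT, "Condition": None}]}

if __name__ == "__main__":
    for name, policy in [("ip-only", IP_ONLY_POLICY), ("fixed", FIXED_POLICY), ("open", OPEN_POLICY)]:
        print(name, check_domain_access_policy(policy, ROLE_ARN, DOMAIN_ARN))
```

An empty result for the real policy means the access-policy layer is not the cause of the es:ESHttpGet error; if it is empty and the error persists, the fine-grained access control mapping from the "Missing Role" section is the next thing to check.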
Related information

Common configuration issues

AWS OFFICIAL. Updated a year ago.