How do I troubleshoot Amazon Cognito authentication issues with Kibana?

Last updated: 2021-01-27

I'm trying to access Kibana using Amazon Cognito authentication on my Amazon Elasticsearch Service (Amazon ES) cluster. However, I receive an error or encounter a login issue. Why is this happening?

Resolution

I entered the Kibana URL, but I can't see the login page

If you entered the Kibana URL and are redirected to the Kibana dashboard, it could be for one of these reasons:

Note: Amazon Cognito authentication isn't required. If you want Amazon Cognito authentication to be required, change your domain access policy. For more information, see Configuring access policies.

I'm redirected to the Kibana login page, but I can't log in

If you're redirected to the Kibana login page and are unable to log in, it indicates that Amazon Cognito is incorrectly configured. To resolve this issue, consider the following approaches:

"Missing Role" error

If you have fine-grained access control (FGAC) enabled on Kibana in your Amazon ES domain, you might receive the following error:

"Missing Role
No roles available for this user, please contact your system administrator."

This error occurs when there is a mismatch between your IAM primary or lead user and the Amazon Cognito role being assumed. The role that's being assumed (from your Amazon Cognito identity pool) must match the IAM role that you specified for the primary or lead user.

To make the primary or lead user's IAM role match the Amazon Cognito role being assumed, perform the following steps:

1.    Navigate to the Amazon ES console.

2.    Choose your Amazon ES domain.

3.    Choose Actions.

4.    Choose Modify authentication.

5.    Under Fine-grained access control, choose Set IAM role as the primary or lead user. Make sure to specify the Amazon Cognito Authentication role's ARN.

6.    (Optional) If you forgot the primary or lead user's ARN (or other configuration details of the role), then modify the primary or lead user. When you reconfigure your primary or lead user, you can specify a new IAM ARN.

7.    Choose Submit.

Invalid identity pool configuration error

After you successfully authenticate your login using Amazon Cognito, you might still receive the following error:

com.amazonaws.services.cognitoidentity.model.InvalidIdentityPoolConfigurationException:
Invalid identity pool configuration. Check assigned IAM roles for this pool.
(Service: AmazonCognitoIdentity; Status Code: 400; Error Code:
InvalidIdentityPoolConfigurationException; Request ID:
xxxxx-xxxx-xxxx-xxxx-xxxxx)

This error message occurs when Amazon Cognito doesn't have the proper permissions to assume an IAM role on behalf of the authenticated user. Modify the trust relationship for the IAM role to include the following:

1.    Open the Amazon IAM console.

2.    Choose Roles.

3.    Select your IAM role.

4.    Choose the Trust relationships tab.

5.    Choose Edit trust relationship. Make sure that your Amazon Cognito identity pool can assume the IAM role.

For example:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "cognito-identity.amazonaws.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "identity-pool-id"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
      }
    }
  }]
}

6.    Choose Update Trust Policy.

For more information about updating your IAM role policy where fine-grained access control (FGAC) is enabled, see Tutorial: IAM primary user and Amazon Cognito.

Redirect mismatch error

You might receive the following error when you try to access Kibana on Amazon ES using a Kibana URL or custom endpoint URL:

"An error was encountered with the requested page"

This error occurs when you are missing the callback URL configuration in Amazon Cognito's App client settings.

To check that your App client settings are correctly configured, perform the following steps:

1.    Navigate to the Amazon Cognito console.

2.    Choose Manage User Pools.

3.    Select the user pool that you want to edit.

4.    On the left side of the console, choose App client settings.

5.    Verify that the callback URL(s) and sign out URL(s) are correctly configured. For example:

<Kibana endpoint>/app/kibana

For an Amazon ES domain where a custom endpoint is enabled, your callback URL and sign out URL will look like this:

<Kibana custom endpoint URL>/app/kibana, <Kibana endpoint>/app/kibana

Amazon Cognito identity pool authorization role error

If you're able to log in but you can't see Kibana, you might receive the following error:

User: arn:aws:sts:: 123456789012:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet

By default, the authenticated IAM role for identity pools doesn't include the privileges required to access Kibana. You can find the name of the authenticated role and add it to the Amazon ES access policy by performing the following:

1.    Navigate to the Amazon Cognito console.

2.    Choose Manage Identity Pools.

3.    In the top right corner of the console, choose Edit identity pool.

4.    Add your authenticated role to the Amazon ES domain access policy.

Note: It's a best practice that you use a resource-based policy for authenticated users. The authenticated role specifically controls the Amazon Cognito authentication for Kibana. Therefore, don't remove other resources from the domain access policy.


Did this article help?


Do you need billing or technical support?