How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?

Last updated: 2021-08-06

I'm trying to access OpenSearch Dashboards using Amazon Cognito authentication on my Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) cluster. However, I receive an error or encounter a login issue. Why is this happening?

Resolution

I entered the OpenSearch Dashboards URL, but I can't see the login page

Note: OpenSearch Dashboards is the successor to Kibana.

If you entered the OpenSearch Dashboards URL and are redirected to Dashboards dashboard, it could be for one of these reasons:

Note: Amazon Cognito authentication isn't required. If you want Amazon Cognito authentication to be required, change your domain access policy. For more information, see Configuring access policies.

I'm redirected to the OpenSearch Dashboards login page, but I can't log in

If you're redirected to the OpenSearch Dashboards login page and are unable to log in, it indicates that Amazon Cognito is incorrectly configured. To resolve this issue, consider the following approaches:

"Missing Role" error

If you have fine-grained access control (FGAC) enabled on OpenSearch Dashboards in your OpenSearch Services domain, you might receive the following error:

"Missing Role
No roles available for this user, please contact your system administrator."

This error occurs when there is a mismatch between your IAM primary or lead user and the Amazon Cognito role being assumed. The role that's being assumed (from your Amazon Cognito identity pool) must match the IAM role that you specified for the primary or lead user.

To make the primary or lead user's IAM role match the Amazon Cognito role being assumed, perform the following steps:

1.    Navigate to the OpenSearch Services console.

2.    Choose your OpenSearch Services domain.

3.    Choose Actions.

4.    Choose Modify authentication.

5.    Under Fine-grained access control, choose Set IAM role as the primary or lead user. Make sure to specify the Amazon Cognito Authentication role's ARN.

6.    (Optional) If you forgot the primary or lead user's ARN (or other configuration details of the role), then modify the primary or lead user. When you reconfigure your primary or lead user, you can specify a new IAM ARN.

7.    Choose Submit.

Invalid identity pool configuration error

After you successfully authenticate your login using Amazon Cognito, you might still receive the following error:

com.amazonaws.services.cognitoidentity.model.InvalidIdentityPoolConfigurationException:
Invalid identity pool configuration. Check assigned IAM roles for this pool.
(Service: AmazonCognitoIdentity; Status Code: 400; Error Code:
InvalidIdentityPoolConfigurationException; Request ID:
xxxxx-xxxx-xxxx-xxxx-xxxxx)

This error message occurs when Amazon Cognito doesn't have the proper permissions to assume an IAM role on behalf of the authenticated user. Modify the trust relationship for the IAM role to include the following:

1.    Open the Amazon IAM console.

2.    Choose Roles.

3.    Select your IAM role.

4.    Choose the Trust relationships tab.

5.    Choose Edit trust relationship. Make sure that your Amazon Cognito identity pool can assume the IAM role.

For example:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "cognito-identity.amazonaws.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "identity-pool-id"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
      }
    }
  }]
}

6.    Choose Update Trust Policy.

For more information about updating your IAM role policy where fine-grained access control (FGAC) is enabled, see Tutorial: IAM primary user and Amazon Cognito.

Redirect mismatch error

You might receive the following error when you try to access OpenSearch Dashboards on OpenSearch Services using a Dashboards URL or custom endpoint URL:

"An error was encountered with the requested page"

This error occurs when you are missing the callback URL configuration in Amazon Cognito's App client settings.

To check that your App client settings are correctly configured, perform the following steps:

1.    Navigate to the Amazon Cognito console.

2.    Choose Manage User Pools.

3.    Select the user pool that you want to edit.

4.    On the left side of the console, choose App client settings.

5.    Verify that the callback URL(s) and sign out URL(s) are correctly configured. For example:

<dashboards-endpoint>/app/dashboards

For a domain where a custom endpoint is enabled, your callback URL and sign out URL will look like this:

<domain-custom-endpoint>/app/dashboards, <dashboards-endpoint>/app/dashboards

Amazon Cognito identity pool authorization role error

If you're able to log in but you can't see OpenSearch Dashboards, you might receive the following error:

User: arn:aws:sts:: 123456789012:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet

By default, the authenticated IAM role for identity pools doesn't include the privileges required to access Dashboards. You can find the name of the authenticated role and add it to the OpenSearch Services access policy by performing the following:

1.    Navigate to the Amazon Cognito console.

2.    Choose Manage Identity Pools.

3.    In the top right corner of the console, choose Edit identity pool.

4.    Add your authenticated role to your OpenSearch Services domain access policy.

Note: It's a best practice that you use a resource-based policy for authenticated users. The authenticated role specifically controls the Amazon Cognito authentication for Dashboards. Therefore, don't remove other resources from the domain access policy.


Did this article help?


Do you need billing or technical support?