I'm having trouble accessing Kibana through Amazon Cognito on my Amazon Elasticsearch Service domain.
I get an error message when I try to enable Amazon Cognito authentication
- "Amazon ES can't create the role": Be sure that the Amazon Cognito role is correctly configured for your AWS Identity and Access Management (IAM) user.
- "An error occurred (ValidationException) when calling the CreateElasticsearchDomain operation: Domain needs to be specified for user pool": Be sure that the domain name is specified. You can use the hosted user pool domain, or you can add a custom domain. Amazon ES uses the domain name to redirect users to a login page for Kibana access.
When I enter the Kibana URL, I don't see the login page. I'm taken directly to the Kibana dashboard.
Amazon Cognito authentication isn't required and you aren't redirected to the Kibana login page when:
- You use an IP-based domain access policy that allows your local machine’s public IP address to access Kibana.
- Requests are signed by an allowed IAM user or role.
- Your Amazon ES domain is in a virtual private cloud (VPC), and the domain has an open access policy. In this scenario, all users in the VPC can access the domain and Kibana without Amazon Cognito authentication.
To be sure that Amazon Cognito authentication is required, change your domain access policy. For more information, see Configuring Access Policies.
When I enter the Kibana URL, I get a redirect_mismatch error
- Sign in to the Amazon Cognito console.
- Choose Manage User Pools, and then choose the user pool that you want to edit.
- On the navigation bar on the left-side of the page, choose App clients.
- Be sure that the Callback URL and Sign out URL are set to your-kibana-endpoint/app/kibana. For more information, see Configuring Identity Providers.
I'm redirected to the Kibana login page, but I can't log in
- Be sure that the identity provider is configured correctly.
- Be sure that your account status is CONFIRMED. You can view your account status on the User and groups page of the Amazon Cognito console. For more information, see Signing Up and Confirming User Accounts.
- Be sure that you are using the correct user name and password.
I'm able to log in, but I can't see Kibana
After I log in to Kibana, I get an error message like this:
User: arn:aws:sts:: 123456789012:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet
By default, the authenticated IAM role for identity pools does not have the privileges required to access Kibana. To resolve this problem, find the name of the authenticated role and add it to the Amazon ES access policy:
- Sign in to the Amazon Cognito console.
- Choose Manage Identity Pools, and then choose the user pool that you want to edit.
- In the top-right corner of the Dashboard page, choose Edit identity pool.
- Note the name of the Authenticated role. It looks something like Cognito_identitypoolAuth_Role.
- Add the authenticated role to the Amazon ES domain access policy. Using a resource-based policy is a best practice in this scenario. For more information, see Allowing the Authenticated Role.
Note: The authenticated role controls only Amazon Cognito authentication for Kibana. Don't remove other resources from the domain access policy.
For additional troubleshooting scenarios, see Common Configuration Issues.
Did this page help you? Yes | No
Back to the AWS Support Knowledge Center
Need help? Visit the AWS Support Center
Published: 2019-01-30
