How do I troubleshoot Amazon Cognito authentication issues with Kibana?

Last updated: 2021-01-27

If you entered the Kibana URL and are redirected to the Kibana dashboard, it could be for one of these reasons:

• You used an IP-based domain access policy that allows your local machine’s public IP address to access Kibana. Make sure to add the Amazon Cognito authenticated role in the domain access policy, or your access policy will behave like a normal policy.
• Requests are signed by a permitted AWS Identity Access Management (IAM) user or role. When you access the Kibana URL, avoid using any Kibana proxy methods to sign your requests.
• Your Amazon ES domain is in a virtual private cloud (VPC), and your domain has an open access policy. In this scenario, all VPC users can access Kibana and the domain without Amazon Cognito authentication. Therefore, make sure to add the Amazon Cognito authenticated role in your domain access policy.

Note: Amazon Cognito authentication isn't required. If you want Amazon Cognito authentication to be required, change your domain access policy. For more information, see Configuring access policies.

If you're redirected to the Kibana login page and are unable to log in, it indicates that Amazon Cognito is incorrectly configured. To resolve this issue, consider the following approaches:

• Verify that the identity provider is correctly configured.
• Verify that your account status is set to "CONFIRMED". You can view your account status on the User and groups page of the Amazon Cognito console. For more information, see Signing up and confirming user accounts.
• Verify that you are using the correct user name and password.

If you have fine-grained access control (FGAC) enabled on Kibana in your Amazon ES domain, you might receive the following error:

"Missing Role
No roles available for this user, please contact your system administrator."

This error occurs when there is a mismatch between your IAM primary or lead user and the Amazon Cognito role being assumed. The role that's being assumed (from your Amazon Cognito identity pool) must match the IAM role that you specified for the primary or lead user.

To make the primary or lead user's IAM role match the Amazon Cognito role being assumed, perform the following steps:

1.    Navigate to the Amazon ES console.

2.    Choose your Amazon ES domain.

3.    Choose Actions.

4.    Choose Modify authentication.

5.    Under Fine-grained access control, choose Set IAM role as the primary or lead user. Make sure to specify the Amazon Cognito Authentication role's ARN.

6.    (Optional) If you forgot the primary or lead user's ARN (or other configuration details of the role), then modify the primary or lead user. When you reconfigure your primary or lead user, you can specify a new IAM ARN.

7.    Choose Submit.

After you successfully authenticate your login using Amazon Cognito, you might still receive the following error:

com.amazonaws.services.cognitoidentity.model.InvalidIdentityPoolConfigurationException:
Invalid identity pool configuration. Check assigned IAM roles for this pool.
(Service: AmazonCognitoIdentity; Status Code: 400; Error Code:
InvalidIdentityPoolConfigurationException; Request ID:
xxxxx-xxxx-xxxx-xxxx-xxxxx)

This error message occurs when Amazon Cognito doesn't have the proper permissions to assume an IAM role on behalf of the authenticated user. Modify the trust relationship for the IAM role to include the following:

1.    Open the Amazon IAM console.

2.    Choose Roles.

3.    Select your IAM role.

4.    Choose the Trust relationships tab.

5.    Choose Edit trust relationship. Make sure that your Amazon Cognito identity pool can assume the IAM role.

For example:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "cognito-identity.amazonaws.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "identity-pool-id"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
      }
    }
  }]
}

6.    Choose Update Trust Policy.

For more information about updating your IAM role policy where fine-grained access control (FGAC) is enabled, see Tutorial: IAM primary user and Amazon Cognito.

You might receive the following error when you try to access Kibana on Amazon ES using a Kibana URL or custom endpoint URL:

"An error was encountered with the requested page"

This error occurs when you are missing the callback URL configuration in Amazon Cognito's App client settings.

To check that your App client settings are correctly configured, perform the following steps:

1.    Navigate to the Amazon Cognito console.

2.    Choose Manage User Pools.

3.    Select the user pool that you want to edit.

4.    On the left side of the console, choose App client settings.

5.    Verify that the callback URL(s) and sign out URL(s) are correctly configured. For example:

<Kibana endpoint>/app/kibana

For an Amazon ES domain where a custom endpoint is enabled, your callback URL and sign out URL will look like this:

<Kibana custom endpoint URL>/app/kibana, <Kibana endpoint>/app/kibana

If you're able to log in but you can't see Kibana, you might receive the following error:

User: arn:aws:sts:: 123456789012:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet

By default, the authenticated IAM role for identity pools doesn't include the privileges required to access Kibana. You can find the name of the authenticated role and add it to the Amazon ES access policy by performing the following:

1.    Navigate to the Amazon Cognito console.

2.    Choose Manage Identity Pools.

3.    In the top right corner of the console, choose Edit identity pool.

4.    Add your authenticated role to the Amazon ES domain access policy.

Note: It's a best practice that you use a resource-based policy for authenticated users. The authenticated role specifically controls the Amazon Cognito authentication for Kibana. Therefore, don't remove other resources from the domain access policy.