I'm having trouble accessing Kibana through Amazon Cognito on my Amazon Elasticsearch Service domain.

I get an error message when I try to enable Amazon Cognito authentication

When I enter the Kibana URL, I don't see the login page. I'm taken directly to the Kibana dashboard.

Amazon Cognito authentication isn't required and you aren't redirected to the Kibana login page when:

  • You use an IP-based domain access policy that allows your local machine’s public IP address to access Kibana.
  • Requests are signed by an allowed IAM user or role.
  • Your Amazon ES domain is in a virtual private cloud (VPC), and the domain has an open access policy. In this scenario, all users in the VPC can access the domain and Kibana without Amazon Cognito authentication.

To be sure that Amazon Cognito authentication is required, change your domain access policy. For more information, see Configuring Access Policies.

When I enter the Kibana URL, I get a redirect_mismatch error

  1. Sign in to the Amazon Cognito console.
  2. Choose Manage User Pools, and then choose the user pool that you want to edit.
  3. On the navigation bar on the left side of the page, choose App clients.
  4. Be sure that the Callback URL and Sign out URL are set to your-kibana-endpoint/app/kibana. For more information, see Configuring Identity Providers.

I'm redirected to the Kibana login page, but I can't log in

I'm able to log in, but I can't see Kibana

After I log in to Kibana, I get an error message like this:

User: arn:aws:sts::123456789012:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet

By default, the authenticated IAM role for identity pools does not have the privileges required to access Kibana. To resolve this problem, find the name of the authenticated role and add it to the Amazon ES access policy:

  1. Sign in to the Amazon Cognito console.
  2. Choose Manage Identity Pools, and then choose the identity pool that you want to edit.
  3. In the top-right corner of the Dashboard page, choose Edit identity pool.
  4. Note the name of the Authenticated role. It looks something like Cognito_identitypoolAuth_Role.
  5. Add the authenticated role to the Amazon ES domain access policy. Using a resource-based policy is a best practice in this scenario. For more information, see Allowing the Authenticated Role.
    Note: The authenticated role controls only Amazon Cognito authentication for Kibana. Don't remove other resources from the domain access policy.
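The following is an added example, not code from the AWS page or from AWS: it models the two access-policy situations this article describes, the IP-based policy that skips the Cognito login page and the resource-based policy that grants only the identity pool's authenticated role, and it shows how to turn the assumed-role ARN quoted in the "not authorized to perform: es:ESHttpGet" error into the IAM role ARN the policy has to name. The account ID, region, domain name and CIDR are constructed placeholders.

```python
"""Added example (not AWS's code): model an Amazon ES domain access policy for
Kibana behind Amazon Cognito and check it for the two problems the page lists.
Account ID, region, domain name and CIDR are constructed placeholders."""
from __future__ import annotations

import json
from fnmatch import fnmatch

ACCOUNT_ID = "123456789012"                                           # placeholder
DOMAIN_ARN = f"arn:aws:es:us-east-1:{ACCOUNT_ID}:domain/my-domain"    # placeholder
AUTH_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Cognito_identitypoolAuth_Role"

# Weak: unsigned requests from one public IP range may use the domain, so a browser
# there lands on the Kibana dashboard without ever seeing the Cognito login page.
IP_BASED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": f"{DOMAIN_ARN}/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},  # placeholder CIDR
    }],
}


def cognito_only_policy(domain_arn: str, auth_role_arn: str) -> dict:
    """Resource-based policy that names only the identity pool's authenticated role,
    so every request must carry credentials obtained through the Cognito login flow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": auth_role_arn},
            "Action": "es:ESHttp*",
            "Resource": f"{domain_arn}/*",
        }],
    }


def role_arn_from_error(message: str) -> str:
    """Map the assumed-role ARN quoted in the 'not authorized' error to the IAM role
    ARN the access policy has to name (the policy names the role, not the STS session)."""
    sts_arn = next(tok for tok in message.split() if tok.startswith("arn:aws:sts::"))
    # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION  ->  arn:aws:iam::ACCOUNT:role/ROLE
    prefix, rest = sts_arn.split(":assumed-role/", 1)
    account_id = prefix.rsplit(":", 1)[1]
    role_name = rest.split("/", 1)[0]
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def _principals(stmt: dict) -> list[str]:
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS"))


def allows_role(policy: dict, role_arn: str, action: str = "es:ESHttpGet") -> bool:
    """True if an Allow statement names role_arn explicitly and its Action covers `action`."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or role_arn not in _principals(stmt):
            continue
        if any(fnmatch(action, pattern) for pattern in _as_list(stmt.get("Action"))):
            return True
    return False


def anonymous_ip_allows(policy: dict) -> list[str]:
    """CIDRs from which unsigned requests are allowed (Principal '*' Allow statements);
    traffic from them bypasses Cognito authentication for Kibana. A statement with
    no aws:SourceIp condition at all is an open access policy and is reported as 0.0.0.0/0."""
    cidrs: list[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        ips = _as_list(stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp"))
        cidrs.extend(ips or ["0.0.0.0/0"])
    return cidrs


if __name__ == "__main__":
    error = ("User: arn:aws:sts::123456789012:assumed-role/Cognito_identitypoolAuth_Role/"
             "CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet")
    role = role_arn_from_error(error)
    print("IP-based policy: anonymous CIDRs =", anonymous_ip_allows(IP_BASED_POLICY),
          "; names authenticated role:", allows_role(IP_BASED_POLICY, role))
    fixed = cognito_only_policy(DOMAIN_ARN, role)
    print("Cognito-only policy: anonymous CIDRs =", anonymous_ip_allows(fixed),
          "; names authenticated role:", allows_role(fixed, role))
    print(json.dumps(fixed, indent=2))
```

The JSON that `cognito_only_policy` prints is what step 5 asks you to put in the domain access policy; it can be pasted into the console's access policy editor or, assuming the legacy `es` CLI namespace this article predates OpenSearch with, applied with `aws es update-elasticsearch-domain-config --domain-name my-domain --access-policies file://policy.json`. Running `anonymous_ip_allows` over the policy returned by `aws es describe-elasticsearch-domain-config` is a quick way to find the IP-based or open statements that let browsers reach Kibana without the Cognito login page.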

For additional troubleshooting scenarios, see Common Configuration Issues.


Published: 2019-01-30