How do I troubleshoot problems with Amazon Cognito authentication for Kibana?

I get an error message when I try to enable Amazon Cognito authentication.

• "Amazon ES can't create the role": Verify that the Amazon Cognito role is correctly configured for your AWS Identity and Access Management (IAM) user.
• "An error occurred (ValidationException) when calling the CreateElasticsearchDomain operation: Domain needs to be specified for user pool": Verify that the domain name is specified. You can use the hosted user pool domain or you can add a custom domain. Amazon ES uses the domain name to redirect users to a login page for Kibana access.

When I enter the Kibana URL, I don't see the login page. I'm taken directly to the Kibana dashboard.

Amazon Cognito authentication isn't required. You're redirected to the Kibana login page when the following occurs:

• You use an IP-based domain access policy that allows your local machine’s public IP address to access Kibana.
  
• Requests are signed by an allowed IAM user or role.
  
• Your Amazon ES domain is in a virtual private cloud (VPC), and the domain has an open access policy. In this scenario, all VPC users can access Kibana and the domain without Amazon Cognito authentication.

To confirm that Amazon Cognito authentication is required, change your domain access policy. For more information, see Configuring Access Policies.

When I enter the Kibana URL, I get a redirect_mismatch error.

1. Sign in to the Amazon Cognito console.
2. Choose Manage User Pools, and then choose the user pool that you want to edit.
   
3. On the navigation bar on the left side of the page, choose App clients.
   
4. Verify that the Callback URL and Sign out URL are correctly configured, such as in this example:
   

Note: Replace your-kibana-endpoint with your endpoint name.

I'm redirected to the Kibana login page, but I can't log in.

• Verify that the identity provider is correctly configured.
  
• Verify that your account status is set to "CONFIRMED". You can view your account status on the User and groups page of the Amazon Cognito console. For more information, see Signing Up and Confirming User Accounts.
  
• Verify that you are using the correct user name and password.

I'm able to log in, but I can't see Kibana.

After I log in to Kibana, I get an error message that looks like this:

By default, the authenticated IAM role for identity pools doesn't include the privileges required to access Kibana. You can find the name of the authenticated role and add it to the Amazon ES access policy by doing the following:

1. Sign in to the Amazon Cognito console.
   
2. Choose Manage Identity Pools, and then choose the user pool that you want to edit.
   
3. In the top-right corner of the Dashboard page, choose Edit identity pool.
   
4. Add your authenticated role to the Amazon ES domain access policy.

Note: It's a best practice that you use a resource-based policy for authenticated users. The authenticated role controls only Amazon Cognito authentication for Kibana. Therefore, don't remove other resources from the domain access policy.

For additional troubleshooting scenarios, see Common Configuration Issues.