How do I troubleshoot problems with Amazon Cognito authentication for Kibana?

Last updated: 2020-02-11

I'm having trouble accessing Kibana through Amazon Cognito on my Amazon Elasticsearch Service (Amazon ES) domain. 

Resolution

I get an error message when I try to enable Amazon Cognito authentication.

When I enter the Kibana URL, I don't see the login page. I'm taken directly to the Kibana dashboard.

Amazon Cognito authentication isn't being enforced for your request. You bypass the Kibana login page and land directly on the dashboard when any of the following is true:

  • You use an IP-based domain access policy that allows your local machine’s public IP address to access Kibana.
  • Requests are signed by an allowed IAM user or role.
  • Your Amazon ES domain is in a virtual private cloud (VPC), and the domain has an open access policy. In this scenario, all VPC users can access Kibana and the domain without Amazon Cognito authentication.

To require Amazon Cognito authentication, change your domain access policy so that it no longer grants these other paths: remove the IP-based allow for your own address, or the open statement on the VPC domain, so that browser users reach Kibana only through the identity pool's authenticated role. For more information, see Configuring Access Policies.

When I enter the Kibana URL, I get a redirect_mismatch error.

  1. Sign in to the Amazon Cognito console.
  2. Choose Manage User Pools, and then choose the user pool that you want to edit.
  3. In the navigation pane on the left side of the page, choose App clients.
  4. Verify that the Callback URL and Sign out URL match the URL that Kibana redirects to, character for character, such as in this example:
your-kibana-endpoint/app/kibana

Note: Replace your-kibana-endpoint with your domain's Kibana endpoint. Amazon Cognito returns redirect_mismatch when the redirect_uri in the login request doesn't exactly match one of the app client's registered callback URLs, so a different scheme (http instead of https), a trailing slash, or a missing path segment is enough to cause the error.
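To check an app client's registered URLs against the URL Kibana actually redirects to, here is an added example (not code from this article or from AWS). It assumes the Kibana endpoint has the form https://<domain endpoint>/_plugin/kibana, so the expected callback and sign-out URL is that endpoint followed by /app/kibana; the domain endpoint and the registered URLs are constructed samples.

```python
"""Compare a Cognito user pool app client's callback and sign-out URLs
with the exact redirect_uri Kibana sends, and explain near misses.

Added example, not code from the AWS article. The Kibana URL form is an
assumption (see lead-in); the endpoint and registered URLs are samples.
"""
from urllib.parse import urlsplit

# Constructed sample domain endpoint (hostname only, as shown in the
# Amazon ES console).
DOMAIN_ENDPOINT = "search-my-domain-abc123.us-east-1.es.amazonaws.com"


def expected_callback_url(domain_endpoint):
    """The URL Kibana redirects to after the hosted-UI login, under the
    assumed form https://<domain endpoint>/_plugin/kibana/app/kibana."""
    return f"https://{domain_endpoint}/_plugin/kibana/app/kibana"


def explain_mismatch(registered, expected):
    """Return None if `registered` equals `expected` byte-for-byte, else a
    short reason. Cognito compares redirect_uri as an exact string, so a
    trailing slash or http:// is enough to produce redirect_mismatch."""
    if registered == expected:
        return None
    r, e = urlsplit(registered), urlsplit(expected)
    if r.scheme != e.scheme:
        return f"scheme is {r.scheme!r}, expected {e.scheme!r}"
    if r.netloc.lower() != e.netloc.lower():
        return f"host is {r.netloc!r}, expected {e.netloc!r}"
    if r.path.rstrip("/") == e.path.rstrip("/") and r.path != e.path:
        return "path differs only by a trailing slash"
    if r.path != e.path:
        return f"path is {r.path!r}, expected {e.path!r}"
    if r.query or r.fragment:
        return "registered URL carries a query string or fragment"
    return "URLs differ (case or encoding)"


def check_app_client(callback_urls, logout_urls, domain_endpoint):
    """Return (setting, url, reason) findings. A setting is fine when the
    expected URL is registered; otherwise report that, plus why each
    registered URL fails to match, so the typo is easy to spot."""
    expected = expected_callback_url(domain_endpoint)
    problems = []
    for setting, urls in (("CallbackURLs", callback_urls), ("LogoutURLs", logout_urls)):
        if expected in urls:
            continue
        problems.append((setting, expected, "expected URL not registered"))
        for url in urls:
            problems.append((setting, url, explain_mismatch(url, expected)))
    return problems


if __name__ == "__main__":
    good = expected_callback_url(DOMAIN_ENDPOINT)
    # Constructed sample: callback registered with a trailing slash.
    for setting, url, reason in check_app_client([good + "/"], [good], DOMAIN_ENDPOINT):
        print(f"{setting}: {url} -> {reason}")
```

The registered values can be read from the console page described above or with `aws cognito-idp describe-user-pool-client`; paste them into `check_app_client` as the two lists.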

I'm redirected to the Kibana login page, but I can't log in.

I'm able to log in, but I can't see Kibana.

After I log in to Kibana, I get an error message that looks like this:

User: arn:aws:sts::123456789012:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet

After you log in, Amazon Cognito exchanges your user pool token for temporary credentials of the identity pool's authenticated IAM role, and Kibana's requests to the domain are signed with that role. By default, nothing grants that role the es:ESHttp* actions on the domain, so the requests are denied. Find the name of the authenticated role and add it to the Amazon ES access policy by doing the following:

  1. Sign in to the Amazon Cognito console.
  2. Choose Manage Identity Pools, and then choose the identity pool that you want to edit.
  3. In the top-right corner of the Dashboard page, choose Edit identity pool.
  4. Note the role listed under Authenticated role.
  5. Add that role to the Amazon ES domain access policy, allowing the es:ESHttp* actions on the domain.

Note: It's a best practice to grant the authenticated role through the domain's resource-based access policy. That role covers only users who sign in to Kibana through Amazon Cognito, so add a statement for it rather than replacing the policy, and don't remove the statements that other principals rely on.
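The following added example (not code from this article or from AWS) ties together the two access-policy points on this page: it flags the statements that let a caller skip the Cognito login (the IP-based and signed-request cases listed earlier) and then appends an es:ESHttp* grant for the authenticated role without touching the existing statements. The domain ARN, account ID, role name, IP address and sample policy are constructed for illustration.

```python
"""Audit an Amazon ES domain access policy for statements that bypass
Amazon Cognito, and add a statement that grants the identity pool's
authenticated role the es:ESHttp* actions Kibana needs.

Added example, not code from the AWS article. The domain ARN, account
ID, role name, IP address and policy below are constructed samples.
"""
import json

# Constructed sample identifiers, in the form they take in a real policy.
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/my-domain"
AUTH_ROLE_ARN = "arn:aws:iam::123456789012:role/Cognito_identitypoolAuth_Role"

# Constructed sample policy with the two shapes that skip the login page:
# statement 0 admits any caller from one public IP, statement 1 admits an
# IAM user whose requests are SigV4-signed.
BYPASS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": DOMAIN_ARN + "/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["198.51.100.7/32"]}},
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
            "Action": "es:ESHttp*",
            "Resource": DOMAIN_ARN + "/*",
        },
    ],
}


def _as_list(value):
    """IAM lets Principal, Action and Resource be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Return the AWS principals of a statement; "*" means anyone."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def find_bypass_statements(policy, auth_role_arn=AUTH_ROLE_ARN):
    """Return (index, reason) for each Allow statement that lets a browser
    or a signed request reach the domain without Cognito's authenticated role."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principals = _principals(st)
        condition = st.get("Condition", {})
        if "*" in principals and not condition:
            findings.append((i, "open to any principal with no condition"))
        elif "*" in principals and "IpAddress" in condition:
            findings.append((i, "IP-based allow, no authentication needed"))
        for p in principals:
            if ":user/" in p or (":role/" in p and p != auth_role_arn):
                findings.append((i, f"signed requests from {p} bypass Cognito"))
    return findings


def grant_authenticated_role(policy, role_arn=AUTH_ROLE_ARN, domain_arn=DOMAIN_ARN):
    """Return a copy of the policy with an es:ESHttp* Allow for the
    authenticated role appended. Existing statements are left in place:
    other principals may depend on them, and removing them is a separate
    decision (see the bypass audit above)."""
    updated = json.loads(json.dumps(policy))  # deep copy via JSON round-trip
    updated.setdefault("Statement", [])
    if any(role_arn in _principals(st) for st in updated["Statement"]):
        return updated  # already granted; keep the policy unchanged
    updated["Statement"].append({
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "es:ESHttp*",
        "Resource": domain_arn + "/*",
    })
    return updated


def render_policy(policy):
    """Serialize the policy as the JSON the Amazon ES console accepts."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for idx, why in find_bypass_statements(BYPASS_POLICY):
        print(f"statement {idx}: {why}")
    print(render_policy(grant_authenticated_role(BYPASS_POLICY)))
```

Run it against your own policy by replacing `BYPASS_POLICY` with the JSON from the domain's Modify access policy page; each flagged statement is a path to Kibana that never goes through the Cognito login, and whether to delete it is the decision the note above is about.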

For additional troubleshooting scenarios, see Common Configuration Issues.