How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?

Last updated: 2022-03-10

I'm trying to access OpenSearch Dashboards using Amazon Cognito authentication on my Amazon OpenSearch Service cluster. However, I receive an error or encounter a login issue. Why is this happening?


I entered the OpenSearch Dashboards URL, but I can't see the login page

You might be redirected from the OpenSearch Dashboards URL to the Dashboards dashboard for several reasons:

Note: Amazon Cognito authentication isn't required. To require Amazon Cognito authentication, change your domain access policy. For more information, see Configuring access policies.

If you're redirected to the OpenSearch Dashboards login page but can't log in, then Amazon Cognito is incorrectly configured. To resolve this issue, consider the following approaches:

"Missing Role" error

If you have fine-grained access control (FGAC) enabled on OpenSearch Dashboards in your OpenSearch Service domain, then you might receive the following error:

"Missing Role
No roles available for this user, please contact your system administrator."

This error occurs when there's a mismatch between your IAM primary or lead user and the Amazon Cognito role being assumed. The role that's being assumed (from your Amazon Cognito identity pool) must match the IAM role that you specified for the primary or lead user.

To make the primary or lead user's IAM role match the Amazon Cognito role being assumed, perform the following steps:

1.    Navigate to the OpenSearch Service console.

2.    Choose your OpenSearch Service domain.

3.    Choose Actions.

4.    Choose Modify authentication.

5.    Under Fine-grained access control, choose Set IAM role as the primary or lead user. Make sure to specify the Amazon Cognito Authentication role's ARN.

6.    (Optional) If you forgot the primary or lead user's ARN (or other configuration details of the role), then modify the primary or lead user. When you reconfigure your primary or lead user, you can specify a new IAM ARN.

7.    Choose Submit.

Invalid identity pool configuration error

After you successfully authenticate your login using Amazon Cognito, you might still receive the following error:
Invalid identity pool configuration. Check assigned IAM roles for this pool.
(Service: AmazonCognitoIdentity; Status Code: 400; Error Code:
InvalidIdentityPoolConfigurationException; Request ID:

This error message occurs when Amazon Cognito doesn't have the proper permissions to assume an IAM role on behalf of the authenticated user. Modify the trust relationship for the IAM role to include the following:

1.    Open the Amazon IAM console.

2.    Choose Roles.

3.    Select your IAM role.

4.    Choose the Trust relationships tab.

5.    Choose Edit trust relationship. Make sure that your Amazon Cognito identity pool can assume the IAM role.

For example:

     "Version": "2012-10-17",
     "Statement": [{
          "Effect": "Allow",
          "Principal": {
               "Federated": ""
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
               "StringEquals": {
                    "": "identity-pool-id"
               "ForAnyValue:StringLike": {
                    "": "authenticated"

6.    Choose Update Trust Policy.

For more information about updating your IAM role policy where fine-grained access control (FGAC) is enabled, see Tutorial: IAM primary user and Amazon Cognito.

Redirect mismatch error

You might receive the following error when you try to access OpenSearch Dashboards in OpenSearch Service using a Dashboards URL or custom endpoint URL:

"An error was encountered with the requested page"

This error occurs when you're missing the callback URL configuration in Amazon Cognito's app client settings.

To check that your App client settings are correctly configured, perform the following steps:

1.    Navigate to the Amazon Cognito console.

2.    Choose Manage User Pools.

3.    Select the user pool that you want to edit.

4.    On the left side of the console, choose App client settings.

5.    Verify that the callback URL(s) and sign out URL(s) are correctly configured. For example:


For a domain where a custom endpoint is enabled, your callback URL and sign out URL will look like this:


Amazon Cognito identity pool authorization role error

If you're able to log in but you can't see OpenSearch Dashboards, then you might receive the following error:

User: arn:aws:sts:: 123456789012:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet

By default, the authenticated IAM role for identity pools doesn't include the privileges required to access Dashboards. You can find the name of the authenticated role and add it to the OpenSearch Service access policy by performing the following:

1.    Navigate to the Amazon Cognito console.

2.    Choose Manage Identity Pools.

3.    In the top-right corner of the console, choose Edit identity pool.

4.    Add your authenticated role to your OpenSearch Service domain access policy.

Note: It's a best practice that you use a resource-based policy for authenticated users. The authenticated role specifically controls the Amazon Cognito authentication for Dashboards. Therefore, don't remove other resources from the domain access policy.

Did this article help?

Do you need billing or technical support?