
How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?


I want to access OpenSearch Dashboards and use Amazon Cognito authentication on my Amazon OpenSearch Service domain. However, I receive an error or can't log in.

Resolution

The login page doesn't appear when you enter the OpenSearch Dashboards URL

The login page might not appear for the following reasons:

  • Your domain access policy is IP-based and allows your local machine's IP address to reach Dashboards, so your requests are admitted without Amazon Cognito. To resolve this issue, add the Amazon Cognito authenticated role to the domain access policy.
  • You used an AWS Identity and Access Management (IAM) role with permission to sign requests. To resolve this issue, don't use a proxy method to sign your requests.
  • Your OpenSearch Service domain is in a virtual private cloud (VPC), so the domain has an open access policy. You don't need Amazon Cognito authentication to access Dashboards when your domain is in a VPC.
    Note: To require Amazon Cognito authentication, change your domain access policy.

If Amazon Cognito authentication redirects you to the OpenSearch Dashboards login page but you can't log in, then Amazon Cognito is misconfigured. To troubleshoot this issue, check for the following errors:

"Missing Role" error

If you turned on fine-grained access control for OpenSearch Dashboards on your OpenSearch Service domain, then you might receive the following error:

"Missing Role No roles available for this user, please contact your system administrator."

To resolve this issue, make sure that the role that the Amazon Cognito identity pool assumes matches the IAM role for the specified primary user.

To match the primary user's IAM role to the assumed Amazon Cognito role, complete the following steps:

  1. Open the OpenSearch Service console.
  2. In the navigation pane, under Managed clusters, choose Domains.
  3. Choose Actions.
  4. Choose Edit security configuration.
  5. Under Fine-grained access control, choose Set IAM ARN as your master user.
  6. For IAM ARN, enter the Amazon Cognito identity pool role's ARN.
  7. (Optional) If you don't know the primary user's ARN, then modify your primary user to specify a new IAM ARN.
  8. Choose Submit.

Invalid identity pool configuration error

If Amazon Cognito doesn't have permission to assume an IAM role for the authenticated user, then you might receive the following error:

"com.amazonaws.services.cognitoidentity.model.InvalidIdentityPoolConfigurationException: Invalid identity pool configuration. Check assigned IAM roles for this pool. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: InvalidIdentityPoolConfigurationException; Request ID: #####-####-####-####-#####)"

To resolve this issue, modify the trust relationship for the IAM role.

Complete the following steps:

  1. Open the Amazon IAM console.

  2. Choose Roles.

  3. Select your IAM role.

  4. Choose the Trust relationships tab.

  5. Choose Edit trust relationship. Make sure that your Amazon Cognito identity pool can assume the IAM role.

    Example trust policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "cognito-identity.amazonaws.com:aud": "identity-pool-id"
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "authenticated"
            }
          }
        }
      ]
    }
  6. Choose Update trust policy.

For more information, see Tutorial: Configure a domain with an IAM master user and Amazon Cognito authentication.
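To check a role's trust policy for the three things the example above relies on (the Cognito federated principal, the aud condition pinned to your identity pool, and an amr condition that covers authenticated users), here is an added Python helper. It is not AWS code; the pool id and the sample policy are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholder identity pool id (not a real pool).
POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
# Constructed trust policy in the shape the article shows, pinned to POOL_ID.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
})

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def trust_policy_problems(policy, identity_pool_id):
    """Return findings for a role trust policy (JSON string or dict). An empty list
    means identity_pool_id can assume the role for authenticated users."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "cognito-identity.amazonaws.com" not in federated:
            continue  # not the Cognito statement
        issues = []
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            issues.append("Cognito statement does not allow sts:AssumeRoleWithWebIdentity")
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud"))
        if identity_pool_id not in aud:
            issues.append(f"aud condition {aud} does not pin the role to pool {identity_pool_id}")
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr"))
        if not any(fnmatch.fnmatchcase("authenticated", p) for p in amr):
            issues.append(f"amr condition {amr} does not cover 'authenticated'")
        if not issues:
            return []  # one fully matching statement is enough
        findings.extend(issues)
    return findings or ["no Allow statement with Principal Federated cognito-identity.amazonaws.com"]
```

A missing aud condition is reported as a finding even though the pool could still assume the role, because without it any identity pool in any account could do the same.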

You get an error when you request the page

If you incorrectly configure the callback URL or custom endpoint in your app client settings, then you might receive the following error:

"An error was encountered with the requested page"

To check that you correctly configured your app client settings, complete the following steps:

  1. Open the Amazon Cognito console.

  2. Choose Manage user pools.

  3. Select the user pool that you want to edit.

  4. Under App integration, select the OpenSearch app client from the App client menu.

  5. Verify that you correctly configured the callback URL(s) and sign out URL(s).

    Example URL:

    <dashboards-endpoint>/_dashboards/app/home

    Example URL for a domain with an activated custom endpoint:

    <domain-custom-endpoint>/_dashboards/app/home

You receive the "CognitoIdentityCredentials is not authorized to perform" error

If you log in but you can't see OpenSearch Dashboards, then you might receive the following error:

"User: arn:aws:sts::123456789012:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: es:ESHttpGet"

By default, the authenticated IAM role for identity pools doesn't include the required permissions to access Dashboards. To find the name of the authenticated role and add it to the OpenSearch Service access policy, complete the following steps:

  1. Open the Amazon Cognito console.
  2. Choose Manage identity pools.
  3. Choose Edit identity pool.
  4. Add your authenticated role to your OpenSearch Service domain access policy.

Note: It's a best practice to use a resource-based policy for authenticated users. The authenticated role specifically controls the Amazon Cognito authentication for OpenSearch Dashboards.
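The error above quotes the STS session ARN, but the domain access policy has to name the IAM role ARN behind it. Here is an added Python helper (not AWS code) that maps the session ARN to the role ARN and checks whether a domain access policy grants that role the es:ESHttpGet action on the domain; the account id, role, domain and policy are constructed placeholders, and the evaluator ignores statement Conditions.

```python
import fnmatch
import re

# Constructed placeholder values (not real resources).
ACCOUNT = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Cognito_identitypoolAuth_Role"
DOMAIN_ARN = f"arn:aws:es:us-east-1:{ACCOUNT}:domain/my-domain"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/Cognito_identitypoolAuth_Role/CognitoIdentityCredentials"
# Constructed domain access policy that grants the authenticated role Dashboards access.
SAMPLE_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
                   "Action": "es:ESHttp*", "Resource": f"{DOMAIN_ARN}/*"}],
}

def role_arn_from_session_arn(session_arn):
    """The error quotes the STS session ARN; the access policy must name the
    underlying IAM role ARN, so map one to the other."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", session_arn)
    if not m:
        raise ValueError(f"not an assumed-role session ARN: {session_arn}")
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principal_matches(principal, role_arn):
    if principal == "*":
        return True
    return any(p in ("*", role_arn) for p in _as_list(principal.get("AWS")))

def access_policy_allows(policy, role_arn, action, resource):
    """True if an Allow statement covers role, action and resource and no Deny
    does. Simplified evaluator: statement Conditions (e.g. IpAddress) are ignored."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt.get("Principal", {}), role_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny wins over any Allow
        allowed = True
    return allowed
```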

Related information

Common configuration issues