How do I troubleshoot issues with tag-based access control in Amazon Connect?


I want to troubleshoot common issues that I have when I use tag-based access control in Amazon Connect.

Resolution

Based on your issue, complete the steps in the following sections.

Agents can't create or update resources

To allow users to access a resource, you must tag the resource with the same tag as the agent's profile. For example, if an agent wants to edit a queue but doesn't have the tag in their Security Profile, then the agent receives an error.

To resolve this issue, update the agent's Security Profile to access the necessary resources.

Agents can't restrict resources

There are several reasons why your agent might not be able to use tags to restrict a resource.

Your agent's permissions aren't correct

If an agent can't use tag-based access control to restrict a resource, then review the agent's permissions to edit a resource. If the agent doesn't have access to a resource, then update the agent's Security Profile to access the necessary resources.

Note: You can configure up to four access control tags for a security profile. For more information, see Configuration limitations.

Your service-linked role isn't correct

Make sure that your service-linked role allows the actions that need to be performed.

Note: If you have an instance that was created before October 2018, then use service-linked roles to restrict resources. For more information, see Use service-linked roles and role permissions for Amazon Connect.

Your tag format isn't correct

Amazon reserves the aws: prefix for tags that are generated by Amazon services. If a tag key starts with aws:, then you can't add, modify, or delete that tag.

To resolve this issue, create a new tag for your resources that doesn't contain the aws: prefix.

The tag key isn't unique

Amazon Connect services support up to 50 tags for each resource. For a given resource, the tag key must be unique and have only one value.

To resolve this issue, update your tag key. For more information, see Add tags to resources in Amazon Connect.

Agents with multiple security profiles can't view tags in their resources

When multiple security profiles that contain access control tags are assigned to a single user, the tag-based access controls are less restrictive.

For example, suppose a security profile has two access control tags, such as City:X and Country:Y. A user with that profile can see only resources that carry both tags.

To resolve this issue, it's a best practice to assign an agent only one Security Profile.
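The matching rule from the sections above (a resource is visible only when it carries every access control tag on the user's security profile, so City:X and Country:Y must both be present) and the one-profile recommendation can be checked offline before you change anything in the console. The following Python is an added example, not AWS or Amazon Connect code; the profile, resource and user records are constructed sample data, and it assumes that a security profile with no access control tags imposes no tag-based restriction.

```python
"""Evaluate tag-based access control decisions for Amazon Connect users.

Added example (not AWS code). It models the rule stated in the article:
every access control tag on the user's security profile must be present,
with the same value, on a resource for that resource to be visible.
It also flags users who hold more than one security profile with access
control tags, which the article advises against.
"""

MAX_ACCESS_CONTROL_TAGS = 4  # per security profile, as stated in the article

# Constructed sample data: security profiles with their access control tags.
PROFILES = {
    "SeattleAgents": {"City": "Seattle", "Country": "US"},
    "USAgents": {"Country": "US"},
    # Assumption: a profile with no access control tags is not tag-restricted.
    "Admin": {},
}

# Constructed sample data: resources (queues) and the tags applied to them.
RESOURCES = {
    "SeattleSalesQueue": {"City": "Seattle", "Country": "US"},
    "PortlandSalesQueue": {"City": "Portland", "Country": "US"},
    "UntaggedQueue": {},
}

# Constructed sample data: users and the security profiles assigned to them.
USERS = [
    {"name": "agent.one", "profiles": ["SeattleAgents"]},
    {"name": "agent.two", "profiles": ["SeattleAgents", "USAgents"]},
]


def profile_allows(profile_tags, resource_tags):
    """True when every profile tag is present on the resource with the same value.

    All tags must match (City:X AND Country:Y); a single missing or
    mismatched tag hides the resource.
    """
    return all(resource_tags.get(key) == value for key, value in profile_tags.items())


def visible_resources(profile_tags, resources):
    """Return the sorted names of the resources a user with this profile can see."""
    return sorted(
        name for name, tags in resources.items() if profile_allows(profile_tags, tags)
    )


def audit_user(user, profiles):
    """Return findings for one user: multiple tagged profiles, or a profile over the tag limit."""
    findings = []
    tagged = [name for name in user["profiles"] if profiles[name]]
    if len(tagged) > 1:
        findings.append(
            f"{user['name']} has {len(tagged)} security profiles with access control "
            f"tags; assign only one"
        )
    for name in user["profiles"]:
        count = len(profiles[name])
        if count > MAX_ACCESS_CONTROL_TAGS:
            findings.append(
                f"profile {name} has {count} access control tags; the limit is "
                f"{MAX_ACCESS_CONTROL_TAGS}"
            )
    return findings


if __name__ == "__main__":
    for name, tags in PROFILES.items():
        print(f"{name}: {visible_resources(tags, RESOURCES)}")
    for user in USERS:
        for finding in audit_user(user, PROFILES):
            print("finding:", finding)
```

Running it shows that SeattleAgents sees only SeattleSalesQueue, USAgents sees both US queues, and agent.two is reported for holding two tagged profiles. To use it against a live instance, replace the sample dictionaries with the tags returned for your profiles and resources.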

You get the "Failed Tags: Invalid value" error

When you use a CSV file to add users in bulk, you might encounter the following error:

"Failed Tags: Invalid value"

This error occurs when you add users in bulk and some of the users have more than one tag.

To resolve this issue, update the CSV file formatting for the tags. The correct formatting for the tags looks similar to the following example:

key1|value1||key2|value2
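A quick way to catch the three tag problems this article describes (the reserved aws: prefix, a tag key used more than once, and the 50-tags-per-resource limit) together with a malformed bulk-upload tag field is to validate the CSV before uploading it. The following Python is an added example, not AWS code; it uses the `key|value` and `||` separators shown above, and the CSV rows are constructed sample input.

```python
"""Parse and validate the tag column of an Amazon Connect bulk-user CSV.

Added example (not AWS code). The separators (a single '|' between key
and value, '||' between tag pairs) follow the format shown in the article;
the limits (no 'aws:' prefix, unique keys, at most 50 tags per resource)
are the ones the article states.
"""

MAX_TAGS_PER_RESOURCE = 50
RESERVED_PREFIX = "aws:"


class TagFormatError(ValueError):
    """Raised for a tag field that would fail with 'Failed Tags: Invalid value'."""


def parse_tag_field(field):
    """Split 'key1|value1||key2|value2' into [('key1', 'value1'), ('key2', 'value2')].

    An empty field means no tags. Each pair must contain exactly one '|' and a
    non-empty key; a missing '||' between pairs shows up as a chunk with too
    many parts.
    """
    field = field.strip()
    if not field:
        return []
    pairs = []
    for chunk in field.split("||"):
        parts = chunk.split("|")
        if len(parts) != 2 or not parts[0].strip():
            raise TagFormatError(f"malformed tag pair: {chunk!r}")
        pairs.append((parts[0].strip(), parts[1].strip()))
    return pairs


def validate_tags(pairs):
    """Return a list of problems for a parsed tag set (empty list means acceptable)."""
    problems = []
    seen = set()
    if len(pairs) > MAX_TAGS_PER_RESOURCE:
        problems.append(f"{len(pairs)} tags exceeds the limit of {MAX_TAGS_PER_RESOURCE}")
    for key, _value in pairs:
        # The aws: prefix is reserved; compared case-insensitively to be conservative.
        if key.lower().startswith(RESERVED_PREFIX):
            problems.append(f"key {key!r} uses the reserved {RESERVED_PREFIX} prefix")
        # A key may appear only once per resource, with a single value.
        if key in seen:
            problems.append(f"key {key!r} appears more than once")
        seen.add(key)
    return problems


def check_csv_rows(rows):
    """Check the tag field of each (username, tag_field) row; return {username: problems}."""
    report = {}
    for username, tag_field in rows:
        try:
            pairs = parse_tag_field(tag_field)
        except TagFormatError as exc:
            report[username] = [str(exc)]
            continue
        report[username] = validate_tags(pairs)
    return report


# Constructed sample rows: (username, tag field) as they would appear in the CSV.
SAMPLE_ROWS = [
    ("agent.one", "City|Seattle||Country|US"),      # well formed
    ("agent.two", "City|Seattle|Country|US"),       # missing '||' between the pairs
    ("agent.three", "aws:Team|Sales"),              # reserved prefix
    ("agent.four", "City|Seattle||City|Portland"),  # duplicate key
]

if __name__ == "__main__":
    for username, problems in check_csv_rows(SAMPLE_ROWS).items():
        print(username, "OK" if not problems else problems)
```

Only agent.one passes; the other three rows are reported with the specific reason, which is more useful than the single "Failed Tags: Invalid value" message the bulk upload returns. To check a real file, read it with the csv module and pass the username and tag columns as the rows.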

You can't filter agent metrics based on secondary filters

When you use the Real-time metrics page for tag-based access control, you can filter tables only by the primary resource. For example, you can't filter by queue in an Agent table, or group by queue in a Routing profile table.

When tags are turned on, Amazon Connect selects the first 100 agents that have the appropriate tags and shows only the active agents from that group. Because the table can show the full results on a single page, you don't need to filter the results.

Users can see restricted content

If users can see content that is restricted by tag-based access controls, then review your access control settings. When you apply tag-based access control, you must turn off access to specific resources or modules. To resolve this issue, update your configurations and remove permissions to view the modules or resources. For more best practices, see Best practices for applying tag-based access controls.

Related information

Add tags to resources in Amazon Connect

Configure granular access controls using resource tags in Amazon Connect

Tag-based access control using the Amazon Connect console

AWS OFFICIAL
Updated 2 months ago