I reviewed the following troubleshooting guide and unfortunately it did not solve my issue. After some testing, I found out that the email address attribute for my Active Directory user was blank in my on-prem AD.
After filling in the email address attribute for my AD User and allowing Identity Center to sync, my user and test account were able to login successfully.
In this situation, you may need to view the individual account you applied the User/PermissionSet to and "re-provision" the permission set. There may have been an error assigning it to that account. The other issue may be that there is a control attached to that account that is preventing that user, or any user, from accessing the account even though the IAM IC Service provisioned the permission set to the account. An SCP at the Management account level may be preventing anyone, any permission set, or any group from accessing the account unless the resource ARN (or Principal) matches a certain pattern.
Very helpful. Thanks. This issue had stopped me for quite a long time. I found the docs mentioning this.
https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html
IAM Identity Center requires that all user names and email addresses for your users are non-NULL and unique.
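The two replies above point at the same provisioning rule: Identity Center rejects a user whose user name or email attribute is NULL, and also one whose value collides with another user's. The following is an added example, not code from this thread or from AWS, that applies that rule to an exported list of directory users before a sync is attempted. The record shape (`username` / `email` keys) and the sample users are constructed for the example; a real run would feed it the sAMAccountName and mail attributes pulled from on-prem AD. It goes slightly beyond the thread's blank-email case by also flagging blank user names and duplicates, since the quoted documentation rejects those too.

```python
# Added example (not from the re:Post thread or AWS): pre-sync check for the
# IAM Identity Center rule that every user name and email address is non-NULL
# and unique. Input records are a constructed stand-in for an export of the
# sAMAccountName / mail attributes from on-prem Active Directory.

from collections import defaultdict

# Constructed sample: reproduces the thread's failure (blank mail attribute)
# and adds an unset attribute and a case-variant duplicate email.
SAMPLE_USERS = [
    {"username": "jdoe",   "email": "jdoe@example.com"},
    {"username": "asmith", "email": ""},                  # blank mail attribute
    {"username": "bjones", "email": None},                # attribute never set
    {"username": "cwu",    "email": "JDoe@example.com"},  # duplicate of jdoe, case differs
    {"username": "dlee",   "email": "dlee@example.com"},
]


def _normalise(value):
    """Treat None, empty and whitespace-only values as NULL.

    Returns the lower-cased value so duplicates are detected case-insensitively
    (email addresses are compared without regard to case here; assumption)."""
    if value is None:
        return None
    value = value.strip()
    return value.lower() if value else None


def find_provisioning_problems(users):
    """Return a list of (username, problem) tuples for every user that would
    fail the non-NULL / unique requirement. Empty list means the batch is clean."""
    problems = []
    seen = {"username": defaultdict(list), "email": defaultdict(list)}

    # Pass 1: blank values, and an index of who holds each normalised value.
    for record in users:
        name = record.get("username")
        for field in ("username", "email"):
            norm = _normalise(record.get(field))
            if norm is None:
                problems.append((name, f"{field} is blank"))
            else:
                seen[field][norm].append(name)

    # Pass 2: any value held by more than one user is a uniqueness violation.
    for field, index in seen.items():
        for norm, owners in index.items():
            if len(owners) > 1:
                for owner in owners:
                    others = ", ".join(o for o in owners if o != owner)
                    problems.append((owner, f"{field} '{norm}' is shared with {others}"))
    return problems


def is_ready_for_sync(users):
    """True when no user in the batch would be rejected by Identity Center."""
    return not find_provisioning_problems(users)


if __name__ == "__main__":
    for username, problem in find_provisioning_problems(SAMPLE_USERS):
        print(f"{username!r}: {problem}")
    print("ready for sync:", is_ready_for_sync(SAMPLE_USERS))
```

Running this against the sample reports asmith and bjones for a blank email and jdoe and cwu for sharing one, which is exactly the class of record the sync silently leaves behind and that the original poster only found by testing sign-in.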
Good Point. I did check the SCP and found nothing that would stop this user from using the console. I created another test account and tried a different permission set (Support User) and I receive the same error for that test account.
Do these permission sets, by default, not allow users to use the console and I have to add the permission to the policy?
This was very helpful as it allowed me to perform the process of elimination and confirm that it was not my SCP. Thanks for the troubleshooting tip.