By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Giving user access to AWS Console via Identity Center

0

I'm having trouble getting a user access to the AWS Console via Identity Center (SSO). I assigned the specific user to the account via the Identity Center page. When the user logs into the SSO portal, they see the account, however, when they click on the "Management Console" link for their permission set (Network Administrator) they receive an error stating they have "No Access/403".

I checked the Cloudtrail logs and I see the request id with a return error of "Forbidden".

Am I missing something in the setup of the user in Identity Center?

This is the error from CloudTrail:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "example.com//S-1-5-21-XXX-XXX-XXX-XXX",
        "accountId": "111111111111",
        "userName": "user1@example.com"
    },
    "eventTime": "1969-12-10T11:18:05Z",
    "eventSource": "sso.amazonaws.com",
    "eventName": "Federate",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "111.111.111.111",
    "errorCode": "403",
    "errorMessage": "Forbidden",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "1630XXXX-XXX-XXXX-XXXX-XXXXXXXX",
    "eventID": "XXXXX-2359-XXXX-8ebe-XXXXX",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "111111111111",
    "serviceEventDetails": {
        "role_name": "NetworkAdministrator",
        "account_id": 222222222222"
    },
    "eventCategory": "Management"
}
Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access ManagementAWS IAM Identity Center
Language
English
profile picture
Robert Thompson
asked 4 months ago195 views
3 Answers
1
Accepted Answer

I reviewed the following troubleshooting guide and unfortunately it did not solve my issue. After some testing, I found out that the email address attribute, for my Active Directory user, was blank on my on-perm AD.

After filling in the email address attribute for my AD User and allowing Identity Center to sync, my user and test account were able to login successfully.

profile picture
Robert Thompson
answered 4 months ago
1

In this situation, you may need to view the individual account you applied the User/PermissionSet to and "re-provision" the permission set. There my have been an error assigning it to that account. The other issue may be that there is a control attached to that account that is preventing that user, or any user access to the account even though the IAM IC Service provisioned the permission set to the account. A SCP at the Management account level may be preventing anyone, any permission set, or group access to the account unless the resource ARN (or Principal) matches a certain pattern.

profile picture
Ross Wickman
answered 4 months ago
  • Robert Thompson 4 months ago

    Good Point. I did check the SCP and found nothing that would stop this user from using the console. I created another test account and tried a different permission set (Support User) and I receive the same error for that test account.

    Do these permission sets, by default, not allow users to use the console and I have to add the permission to the policy?

  • Robert Thompson 4 months ago

    This was very helpful as it allowed me to perform the process of elimination and confirm that it was not my SCP. Thanks for the troubleshooting tip.

0

Very helpful. Thanks. This issue had stopped me for quite long time. I found the docs mentioning about this.

https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html

IAM Identity Center requires that all user names and email addresses for your users are non-NULL and unique.
profile picture
AWS
Neo Wang
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content