Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!
Giving user access to AWS Console via Identity Center
I'm having trouble getting a user access to the AWS Console via Identity Center (SSO). I assigned the specific user to the account via the Identity Center page. When the user logs into the SSO portal, they see the account, however, when they click on the "Management Console" link for their permission set (Network Administrator) they receive an error stating they have "No Access/403".
I checked the Cloudtrail logs and I see the request id with a return error of "Forbidden".
Am I missing something in the setup of the user in Identity Center?
This is the error from CloudTrail:
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Unknown",
"principalId": "example.com//S-1-5-21-XXX-XXX-XXX-XXX",
"accountId": "111111111111",
"userName": "user1@example.com"
},
"eventTime": "1969-12-10T11:18:05Z",
"eventSource": "sso.amazonaws.com",
"eventName": "Federate",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"errorCode": "403",
"errorMessage": "Forbidden",
"requestParameters": null,
"responseElements": null,
"requestID": "1630XXXX-XXX-XXXX-XXXX-XXXXXXXX",
"eventID": "XXXXX-2359-XXXX-8ebe-XXXXX",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "111111111111",
"serviceEventDetails": {
"role_name": "NetworkAdministrator",
"account_id": 222222222222"
},
"eventCategory": "Management"
}
- Newest
- Most votes
- Most comments
I reviewed the following troubleshooting guide and unfortunately it did not solve my issue. After some testing, I found out that the email address attribute, for my Active Directory user, was blank on my on-perm AD.
After filling in the email address attribute for my AD User and allowing Identity Center to sync, my user and test account were able to login successfully.
In this situation, you may need to view the individual account you applied the User/PermissionSet to and "re-provision" the permission set. There my have been an error assigning it to that account. The other issue may be that there is a control attached to that account that is preventing that user, or any user access to the account even though the IAM IC Service provisioned the permission set to the account. A SCP at the Management account level may be preventing anyone, any permission set, or group access to the account unless the resource ARN (or Principal) matches a certain pattern.
Good Point. I did check the SCP and found nothing that would stop this user from using the console. I created another test account and tried a different permission set (Support User) and I receive the same error for that test account.
Do these permission sets, by default, not allow users to use the console and I have to add the permission to the policy?
This was very helpful as it allowed me to perform the process of elimination and confirm that it was not my SCP. Thanks for the troubleshooting tip.
Very helpful. Thanks. This issue had stopped me for quite long time. I found the docs mentioning about this.
https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html
IAM Identity Center requires that all user names and email addresses for your users are non-NULL and unique.
Relevant content
- asked a year ago
AWS OFFICIALUpdated 2 years ago
Hello Robert, good afternoon!
I was doing a lab with AD Connector and it worked for login to the console with the console access link however with SSO I was logging in normally, but as you said when trying to access the console it wouldn't, I added the e field -mail and the same worked as you mentioned.
Thanks I spent a long time looking and there is nothing about this "Forbidden" error on AWS.