Cannot open IAM Identity Center / Region issue

2

I was following tutorials with links during setup. I enabled IAM Identity Center, created a few users, and onboarded them with MFA.

Now when I go to the AWS console and try to navigate to IAM Identity Center, I get to the Getting Started page with Identity disabled. When I click the enable button, the response is "An error occurred You have already registered another region".

Only then did I realise Identity works only in a specific region, but since I used tutorial links I don't know the region in which it was created.

I want to disable it and start all over, but cannot disable.

Side note: I also used plain IAM, and can still use it. When I navigate to IAM I end up in us-east-1 (https://us-east-1.console.aws.amazon.com/iam/home?region=eu-north-1#/home) even though my AWS Console is in eu-north-1. Is this okay? I can use the CLI using IAM secrets, so it looks fine, but I don't want to run into issues in the future.

5 Answers
0

Hello.

You can identify this by opening the IAM Identity Center console for each region.

Side note: I also used plain IAM, and can still use it. When I navigate to IAM I end up in us-east-1 (https://us-east-1.console.aws.amazon.com/iam/home?region=eu-north-1#/home) even though my AWS Console is in eu-north-1. Is this okay?

Yes, this is normal.

answered 4 months ago
  • Alternatively, you can run the shell script below to find out which region it is set in.

    #!/bin/bash
    # List every region visible to this account, then ask IAM Identity Center
    # (sso-admin) in each one; only the region hosting the instance returns a
    # non-empty "Instances" list.
    regions=$(aws ec2 describe-regions --query "Regions[*].RegionName" --output text)

    for region in $regions; do
        echo "Executing in region: $region"
        aws sso-admin list-instances --region "$region"
        echo "----------------------------------------"
    done


    If you are in a region where IAM Identity Center is configured, you can see the following response.

    {
        "Instances": [
            {
                "CreatedDate": "2022-04-16T12:59:49.118000+00:00",
                "IdentityStoreId": "d-xxxxxxxx",
                "InstanceArn": "arn:aws:sso:::instance/ssoins-7xxxxxxxxxxx",
                "OwnerAccountId": "111111111111",
                "Status": "ACTIVE"
            }
        ]
    }
    
  • Hi Riku, using your script, eu-north-1 was where Identity was active. However, if I open https://eu-north-1.console.aws.amazon.com/singlesignon/home?region=eu-north-1 it still shows the "enable" button, and when I click enable it gives the same error.

  • I tried to remove the eu-north-1 instance with CLI using root credentials aws sso-admin delete-instance --instance-arn arn:aws:sso:::instance/ssoins-6508492cb9c98300 but was not allowed:

    An error occurred (AccessDeniedException) when calling the DeleteInstance operation: User: arn:aws:iam::058264075590:root is not authorized to perform: sso:DeleteInstance on resource: arn:aws:sso:::instance/ssoins-6508492cb9c98300 because no resource-based policy allows the sso:DeleteInstance action
    
  • Is the AWS account you are trying to enable IAM Identity Center for an Organizations managed account?

  • Is there a way to delete Identity Center using AWS CLI?
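A Python version of the region scan from the answer above, added here as an example (it is not code from the thread or from AWS); it also reports whether the account belongs to an AWS Organization, since the comments and later answers point at Organizations as the cause. It assumes boto3 with configured credentials and the ec2:DescribeRegions, sso:ListInstances and organizations:DescribeOrganization permissions; SAMPLE_RESPONSES is a constructed sample shaped like the list-instances output quoted above.

```python
from typing import Dict, List, Tuple

# Constructed sample shaped like the "aws sso-admin list-instances" output quoted in the
# thread above, keyed by region (placeholder values, not a real account).
SAMPLE_RESPONSES: Dict[str, dict] = {
    "us-east-1": {"Instances": []},
    "eu-north-1": {"Instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-7xxxxxxxxxxx",
                                  "IdentityStoreId": "d-xxxxxxxx", "OwnerAccountId": "111111111111",
                                  "Status": "ACTIVE"}]},
    "ap-east-1": {"Instances": [], "Error": "endpoint unavailable (opt-in region)"},
}

def find_instances(responses: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (region, instance ARN, status) for every instance in {region: response}."""
    return [(region, inst["InstanceArn"], inst.get("Status", "UNKNOWN"))
            for region in sorted(responses)
            for inst in responses[region].get("Instances", [])]

def scan_regions(regions=None) -> Dict[str, dict]:
    """Live equivalent of the shell loop; needs boto3, credentials and sso:ListInstances."""
    import boto3  # imported here so find_instances() works offline without boto3
    if regions is None:
        ec2 = boto3.client("ec2", region_name="us-east-1")
        regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    out = {}
    for region in regions:
        try:
            out[region] = boto3.client("sso-admin", region_name=region).list_instances()
        except Exception as exc:  # opt-in/unsupported region or AccessDenied: record, move on
            out[region] = {"Instances": [], "Error": str(exc)}
    return out

def account_in_organization() -> bool:
    """True if the account belongs to an Organization (organizations:DescribeOrganization)."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        boto3.client("organizations").describe_organization()
        return True
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "AWSOrganizationsNotInUseException":
            return False
        raise

if __name__ == "__main__":
    hits = find_instances(scan_regions())
    print("\n".join(f"{r}: {arn} [{st}]" for r, arn, st in hits) or "no instance found")
    print("account in an AWS Organization:", account_in_organization())
```

Regions where sso-admin has no endpoint or the call is denied are recorded with an "Error" key instead of aborting the scan, so one failing region does not hide the one that holds the instance.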

0

They have a bug: after you create an organization, it will disable your previously configured IAM Identity Center, and you will not be able to enable it again; it will show the mentioned error.

ronenfe
answered 3 months ago
  • Thanks! It seems my case is this. So is there any way to work around it?

0

Thanks for the discussion. I am facing the exact same problem. I am new to learning AWS.

  1. This is my personal account (free account).
  2. Created a user and a group in my IAM Identity Center a couple of days back.
  3. Since yesterday I have not been able to navigate to my Identity Center. Same message.
  4. Checked all the regions (one by one), but I am pretty sure I opened it in us-east-1 (checked my browser history); same error message when clicking on Enable.
  5. This is not an organisation-managed account (though I was planning to create one today).

Of course I can use IAM to create users and groups, but I was checking whether there is a solution to my problem or not. Thanks, Jaideep

Jaideep
answered 4 months ago
0

I have the exact same problem, and despite going through every single region to test to see which one my IAM Identity Center is under, I am unable to locate it.

answered 4 months ago
0

I faced the same problem when I created IAM for a personal account, but had created an organization after that.

Removing organization resolved the issue.

answered 4 months ago