Unable to open DataZone Data portal through associated AWS account

0

This documentation (https://docs.aws.amazon.com/datazone/latest/userguide/working-with-associated-accounts.html) states that associated AWS accounts can create DataZone projects. After associating my AWS account Acct1 with a domain whose root AWS account is Acct2, I am unable to open the Data portal that is shown in the association with this domain name. When clicking on the Data portal URL I am greeted with a JSON response that reads "Invalid Request". Could someone let me know if there is some additional permission setup that needs to be done on the root account Acct2, so that I can log in to the Data portal and eventually create a data project on DZ? Thanks!

asked a year ago · 564 views
1 Answer
0

https://docs.aws.amazon.com/datazone/latest/userguide/working-with-associated-accounts.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html
https://docs.aws.amazon.com/datazone/latest/userguide/data-portal-permissions.html
https://aws.amazon.com/datazone/faqs/

I have reviewed the above links; here are a few things to consider:

Account Association: Ensure that both the root domain and the target associated account belong to the same AWS Organization. If the AWS accounts aren't part of the same AWS Organization, the association request can't be initiated or accepted. Keep in mind that an AWS account can only be associated with one root Amazon DataZone domain.

Invalid Request Error: The "Invalid Request" JSON message you're seeing might be related to an authorization issue. AWS generates access denied errors when it either explicitly or implicitly denies an authorization request. This can happen when a policy contains a Deny statement for the specific AWS action, or when there is no applicable Deny statement and also no applicable Allow statement. In the case of implicit denial, the policy must explicitly allow the principal to perform an action.

Access Permissions: You might need to check and update the permissions required to use the Amazon DataZone data portal. You can access the Amazon DataZone data portal using either your single sign-on (SSO) or AWS credentials from the same AWS account in which the root domain is created. To enable an IAM principal in the root domain account to access the data portal, attach the AmazonDataZonePortalFullAccessPolicy to the IAM principal.

If you already have AWS IAM Identity Center enabled and configured in the same AWS Region where you have created your Amazon DataZone root domain, you can skip some steps. Once IAM Identity Center is enabled, all SSO users and groups can access the Amazon DataZone data portal web application using their existing SSO credentials, enabling users to access the Amazon DataZone data portal without IAM credentials.

Amazon DataZone Portal and Domains: The Amazon DataZone portal is an integrated data experience that verifies existing credentials from your identity provider. Domains in Amazon DataZone are collections of objects such as data assets, projects, associated AWS accounts, and data sources, and they help in organizing resources aligned to business-driven domains. They provide a scalable container for teams and related Amazon DataZone entities.

EXPERT
answered a year ago
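The answer above distinguishes an explicit Deny from an implicit deny (no matching Allow at all), which is the distinction to keep in mind when a principal from an associated account hits "Invalid Request" at the portal URL. The following is an added illustration, not code from this thread or from AWS: a minimal model of that evaluation order over identity-based policy documents. It handles only Effect and Action (with IAM's case-insensitive `*`/`?` wildcards) and deliberately ignores Conditions, Resource ARNs, NotAction, SCPs, permission boundaries and resource-based policies. The policy documents are constructed, and the action name `datazone:GetIamPortalLoginUrl` is an assumption about which DataZone action the IAM portal sign-in needs.

```python
"""Minimal model of the IAM allow/deny ordering described in the answer above.

Added illustration, not code from the re:Post thread or from AWS. It covers
only identity-based statements with Effect/Action: an explicit Deny wins,
otherwise an explicit Allow is required, otherwise the request is implicitly
denied. Conditions, Resource ARNs, NotAction, SCPs, permission boundaries and
resource-based policies are deliberately ignored. The policy documents are
constructed; the action name is assumed to be one the portal sign-in needs.
"""
from fnmatch import fnmatchcase

# Assumed relevant action (DataZone API behind the IAM portal sign-in).
ACTION = "datazone:GetIamPortalLoginUrl"

# Constructed stand-in resembling a broad portal-access managed policy.
PORTAL_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PortalAccess", "Effect": "Allow",
         "Action": ["datazone:*"], "Resource": "*"},
    ],
}

# Constructed guardrail that explicitly denies the same action.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "BlockPortal", "Effect": "Deny",
                  "Action": "datazone:GetIamPortalLoginUrl", "Resource": "*"},
}


def _action_matches(declared, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    patterns = declared if isinstance(declared, list) else [declared]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate(policies, action):
    """Return (decision, reason) for one action across all attached policies."""
    allow_sid = None
    for policy in policies:
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):  # a single statement object is legal
            statements = [statements]
        for stmt in statements:
            if "Action" not in stmt or not _action_matches(stmt["Action"], action):
                continue
            sid = stmt.get("Sid", "(no Sid)")
            if stmt["Effect"] == "Deny":
                # Explicit deny: evaluation stops regardless of any Allow.
                return "Deny", f"explicit Deny in statement {sid}"
            if stmt["Effect"] == "Allow" and allow_sid is None:
                allow_sid = sid
    if allow_sid is not None:
        return "Allow", f"explicit Allow in statement {allow_sid}, no matching Deny"
    return "Deny", "implicit deny: no attached statement allows the action"


if __name__ == "__main__":
    scenarios = [("no policies", []),
                 ("portal policy", [PORTAL_STYLE_POLICY]),
                 ("portal + deny", [PORTAL_STYLE_POLICY, DENY_POLICY])]
    for label, attached in scenarios:
        decision, reason = evaluate(attached, ACTION)
        print(f"{label:14} -> {decision}: {reason}")
```

The "no policies" case is the one the answer calls implicit denial: a principal in an associated account with nothing attached that allows the action is denied even though no statement names it. The real service also evaluates the account's own domain membership and any SCPs, so a Deny here is a reason to check the attached policies first, not a complete diagnosis.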
