Elasticsearch + Kibana + Cognito session error 403


Hi folks,

we have created an Elasticsearch (version 7.10) cluster with Cognito-enabled fine-grained authentication for Kibana.

We have replicated (via Terraform IaC) a configuration already present on another AWS account that is working fine.

In this new cluster we have Kibana session issues: for example, when we click "Log out" in Kibana we get a 403 error (I'll post it at the end of my message as LOGOUT_ERROR).

Another error happens when the Cognito session token expires and we get another 403 error (another small snippet at the end of my message as LOGIN_ERROR).

We cannot see the Cognito login page if we don't remove the cookie in the browser (we tested different browsers).

Everything else is working fine: we are able to use Elasticsearch and Kibana with no other issues.

Since the error originates from "AWSSecurityTokenService" (an interface in the AWS Java SDK), we suspect this is a possible bug that we're not able to address on our side.

Could the fact that the Elasticsearch cluster is in the eu-south-1 region and Cognito is in eu-west-1 be an issue?

Can you please help us by pointing us to any resource that may help resolve this issue?

Regards

Marco

LOGOUT_ERROR

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="403 Forbidden">
    <title>Kibana Authentication Error</title>
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css ">
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css ">
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js "></script>
    <script src="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js "></script>
    <style>
        body {
            padding-top: 20px;
        }
        .jumbotron {
            font-size: 21px;
            font-weight: 200;
            line-height: 2.1428571435;
            color: inherit;
            padding: 10px 0px;
        }
        .body-content {
            padding-left: 15px;
            padding-right: 15px;
        }
        .jumbotron {
            text-align: center;
            background-color: transparent;
        }
        .jumbotron .btn {
            font-size: 21px;
            padding: 14px 24px;
        }
        .blue {color:#00bfff;}
        .red {color:#d9534f;}
    </style>
</head>
<div class="container">
    <div class="jumbotron">
        <h1><i class="fa fa-frown-o red"></i> Sorry!</h1>
        <p class="lead">Something went wrong during authentication between Kibana and Amazon Cognito.</p>
        <p><a href="https://kibana.linkemswarm.com/_plugin/kibana " class="btn btn-default btn-lg"><span class="blue">Log in to Kibana</span></a> </p>
    </div>
</div>
<div class="container">
    <div class="body-content">
        <div class="row">
            <h2>What happened?</h2>
            <p>cognito:revoke_tokens:ErrorUser: x:x:x::xx:x is not authorized to perform: sts:AssumeRole on resource: x:x:x::xx:x (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 432dbf6a-126f-43f4-be02-69c3657b3016; Proxy: null)</p>
        </div>
        <div class="row">
            <h2>What should I do?</h2>
            <p>Try logging in again. If the problem persists, please review the <a href="https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html#es-cognito-auth-troubleshooting ">troubleshooting guide </a>for information on resolving common issues.</p>
        </div>
    </div>
</div>
</body>
</html>

END LOGOUT_ERROR

LOGIN_ERROR

...
            <h2>What happened?</h2>
            <p>com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: x:x:x::xx:x is not authorized to perform: sts:AssumeRole on resource: x:x:x::xx:x (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: d3bbebd3-a5ba-4406-9d75-5b78cd1c92bc; Proxy: null)</p>
...

END LOGIN_ERROR

1 Answer

We were able to fix this issue by adding a regional endpoint to the trust relationship policy of the Elasticsearch assumed role for Cognito:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "es.amazonaws.com",
                    "es.eu-south-1.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

So the fact that the Elasticsearch cluster is in the eu-south-1 region and Cognito is in eu-west-1 is an issue!

I'm wondering whether this is expected behaviour or whether it can be considered a bug...

Cheers!

Marco

Marco
answered 2 years ago
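Added example (not code from the question or the answer): an offline Python check that parses a role trust policy like the one in the answer and reports which Elasticsearch service principals, global and regional, it does not yet trust for a domain in a given region. The two sample policies are constructed copies of the answer's policy, one as it presumably looked before the fix (global principal only) and one after.

```python
import json

# Trust policy from the answer above, embedded as sample input (constructed copy).
FIXED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "",
    "Effect": "Allow",
    "Principal": {"Service": ["es.amazonaws.com", "es.eu-south-1.amazonaws.com"]},
    "Action": "sts:AssumeRole"
  }]
}""")

# The same trust policy before the fix: only the global service principal.
ORIGINAL_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "es.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    # IAM accepts either a scalar or a list in Statement, Action and Service fields.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assume_role_service_principals(policy):
    # Service principals granted sts:AssumeRole by the policy's Allow statements.
    principals = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals.update(_as_list(principal.get("Service")))
    return principals


def missing_es_principals(policy, domain_region):
    # Global and regional Elasticsearch service principals the policy does not
    # yet trust for a domain in domain_region (empty list: the fix is in place).
    required = ["es.amazonaws.com", f"es.{domain_region}.amazonaws.com"]
    allowed = assume_role_service_principals(policy)
    return [p for p in required if p not in allowed]
```

Run `missing_es_principals(policy, "eu-south-1")` against the trust policy fetched with `aws iam get-role` to confirm the regional principal is present before relying on the Kibana logout or token refresh.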
