Individuals in my organization get an "External Login is Unauthorized" message when they try to access Amazon QuickSight
Intended audience: Amazon QuickSight administrators
When an individual in your organization federates into Amazon QuickSight using AssumeRoleWithWebIdentity, QuickSight binds each role-based user (identified by the IAM role name and the role session name) to exactly one external login ID. If a sign-in arrives for that role-based user but through an external login (such as an Amazon Cognito identity) whose ID differs from the one stored on the user, QuickSight refuses the sign-in instead of attaching the new identity to the existing user, and the individual gets the following error message.
The external login used for federation is unauthorized for the QuickSight user.
To learn how to troubleshoot this issue, see the following sections:
Why is this happening?
You are using a simplified Amazon Cognito flow
If you're using Amazon Cognito to federate into QuickSight, your single sign-on setup might use the CognitoIdentityCredentials API operation to assume the QuickSight role. That operation doesn't take a role session name of your choosing, so every user in the Amazon Cognito identity pool ends up in the same role session and maps to a single QuickSight user. QuickSight doesn't support this.
We recommend that you use the AssumeRoleWithWebIdentity API operation instead, passing a role session name that is unique to the individual (for example, the Amazon Cognito user name); QuickSight derives the role-based user from that session name.
You're using unauthenticated Amazon Cognito users
Your Amazon Cognito identity pool is set up to allow unauthenticated (guest) identities, and the QuickSight role trust policy is set up like the following example.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-west-2:cognito-pool-id"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        }
      }
    }
  ]
}
This setup allows a temporary Amazon Cognito guest identity to assume a role session that maps to a unique QuickSight user. Because unauthenticated identities are temporary, QuickSight doesn't support them.
We recommend that you don't use this setup. For QuickSight, make sure that the role your Amazon Cognito identity pool assumes is trusted only for authenticated users: condition the trust policy on an amr value of authenticated rather than unauthenticated, and don't enable unauthenticated identities on the identity pool.
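The following is an added example (not code from the Amazon QuickSight documentation) that audits a role trust policy for this setup before anyone tries to sign in. It treats the trust policy as a Python dictionary, flags any Allow statement that lets cognito-identity.amazonaws.com call sts:AssumeRoleWithWebIdentity without restricting the amr claim to authenticated, and produces a corrected copy of the policy. The embedded policy is the one shown above; the function and variable names are this example's own.

```python
import copy

COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com"
AMR_KEY = "cognito-identity.amazonaws.com:amr"
AMR_OPERATOR = "ForAnyValue:StringLike"  # the operator the page's policy uses for amr

# The trust policy shown above: the unsupported unauthenticated setup.
UNAUTHENTICATED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO_PRINCIPAL},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-west-2:cognito-pool-id"},
            AMR_OPERATOR: {AMR_KEY: "unauthenticated"},
        },
    }],
}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_cognito_web_identity_allow(stmt):
    principal = stmt.get("Principal")
    federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow"
            and COGNITO_PRINCIPAL in federated
            and "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action")))


def _amr_values(stmt):
    """Collect every amr value under any condition operator in the statement."""
    values = []
    for block in stmt.get("Condition", {}).values():
        if isinstance(block, dict) and AMR_KEY in block:
            values.extend(_as_list(block[AMR_KEY]))
    return values


def find_unauthenticated_statements(policy):
    """Return (index, reason) for each statement that admits guest identities.

    A statement is flagged when it is a Cognito web-identity Allow and either
    carries no amr condition at all (guests are not excluded) or its amr
    condition matches "unauthenticated" or a wildcard.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not _is_cognito_web_identity_allow(stmt):
            continue
        amr = _amr_values(stmt)
        if not amr:
            findings.append((idx, "no amr condition; unauthenticated identities are not excluded"))
        elif any(v in ("unauthenticated", "*") for v in amr):
            findings.append((idx, f"amr condition admits {amr}"))
    return findings


def require_authenticated(policy):
    """Return a copy of policy in which every flagged statement requires
    amr = authenticated; the aud condition and everything else is kept."""
    fixed = copy.deepcopy(policy)
    statements = _as_list(fixed.get("Statement"))  # same dict objects as in fixed
    for idx, _reason in find_unauthenticated_statements(fixed):
        condition = statements[idx].setdefault("Condition", {})
        for block in condition.values():
            if isinstance(block, dict):
                block.pop(AMR_KEY, None)  # drop any existing amr test
        for op in [op for op, block in condition.items() if block == {}]:
            del condition[op]  # IAM rejects empty operator blocks
        condition.setdefault(AMR_OPERATOR, {})[AMR_KEY] = "authenticated"
    return fixed
```

In practice you would feed `require_authenticated` the document returned by `aws iam get-role` (the AssumeRolePolicyDocument field, URL-decoded) and then apply the corrected copy with `aws iam update-assume-role-policy`; the audit function alone is enough to list roles that still admit guest identities.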
You deleted and recreated an Amazon Cognito user with the same user name attributes
In this case, the Amazon Cognito user that's mapped to the QuickSight user was deleted and recreated with the same user name attributes. The recreated Amazon Cognito user has a different underlying subject, and therefore a different identity ID. If the role session name is derived from the user name, the recreated user signs in with the same session name and resolves to the same QuickSight role-based user, but the external login ID stored on that user still refers to the deleted subject, so the sign-in is rejected.
We recommend that you remap the QuickSight user to the recreated Amazon Cognito user's identity ID by using the UpdateUser API operation. For more information, see the UpdateUser example later in this topic.
You're mapping multiple Amazon Cognito user pools in different Amazon Web Services accounts to one identity pool used with QuickSight
Mapping multiple Amazon Cognito user pools in different Amazon Web Services accounts to one identity pool that federates into QuickSight isn't supported by Amazon QuickSight.
How can I fix it?
You can use the QuickSight public API operations to create, inspect, and update the external login information for your users. Use the following options to learn how.
Use RegisterUser to create users with external login information
If the external login provider is Amazon Cognito, use the following CLI command to create users.
aws quicksight register-user --aws-account-id account-id --namespace namespace --email user-email --user-role user-role --identity-type IAM --iam-arn arn:aws-cn:iam::account-id:role/cognito-associated-iam-role --session-name cognito-username --external-login-federation-provider-type COGNITO --external-login-id cognito-identity-id --region identity-region
The external-login-id is the identity ID for the Amazon Cognito user, in the form <identity-region>:<cognito-user-sub>. Take it from the identity pool; it is the same value that DescribeUser later reports in ExternalLoginId. The session name must match the role session name the user federates with, because QuickSight resolves the role-based user from it. The following is an example.
aws quicksight register-user --aws-account-id 111222333 --namespace default --email cognito-user@amazon.com --user-role ADMIN --identity-type IAM --iam-arn arn:aws-cn:iam::111222333:role/CognitoQuickSightRole --session-name cognito-user --external-login-federation-provider-type COGNITO --external-login-id us-east-1:12345678-1234-1234-abc1-a1b1234567 --region us-east-1
If the external login provider is a custom OpenID Connect (OIDC) provider, use the following CLI code to create users.
aws quicksight register-user --aws-account-id account-id --namespace namespace --email user-email --user-role user-role --identity-type IAM --iam-arn arn:aws-cn:iam::account-id:role/identity-provider-associated-iam-role --session-name identity-username --external-login-federation-provider-type CUSTOM_OIDC --custom-federation-provider-url custom-identity-provider-url --external-login-id custom-provider-identity-id --region identity-region
The following is an example.
aws quicksight register-user --aws-account-id 111222333 --namespace default --email identity-user@amazon.com --user-role ADMIN --identity-type IAM --iam-arn arn:aws-cn:iam::111222333:role/CustomIdentityQuickSightRole --session-name identity-user --external-login-federation-provider-type CUSTOM_OIDC --custom-federation-provider-url idp.us-east-1.amazonaws.com/us-east-1_ABCDE --external-login-id 12345678-1234-1234-abc1-a1b1234567 --region us-east-1
To learn more about using RegisterUser in the CLI, see RegisterUser in the Amazon QuickSight API Reference.
Use DescribeUser to check external login information for users
If a user is a role-based federated user from an external login provider, use the DescribeUser API operation to check the external login information for it, as shown in the following command.
aws quicksight describe-user --aws-account-id account-id --namespace namespace --user-name identity-provider-associated-iam-role/identity-username --region identity-region
The following is an example.
aws quicksight describe-user --aws-account-id 111222333 --namespace default --user-name IdentityQuickSightRole/user --region us-west-2
The result includes the external login fields when they are set. The following is an example.
{
  "Status": 200,
  "User": {
    "Arn": "arn:aws-cn:quicksight:us-east-1:111222333:user-default-IdentityQuickSightRole-user",
    "UserName": "IdentityQuickSightRole-user",
    "Email": "user@amazon.com",
    "Role": "ADMIN",
    "IdentityType": "IAM",
    "Active": true,
    "PrincipalId": "federated-iam-AROAAAAAAAAAAAAAA:user",
    "ExternalLoginFederationProviderType": "COGNITO",
    "ExternalLoginFederationProviderUrl": "cognito-identity.amazonaws.com",
    "ExternalLoginId": "us-east-1:123abc-1234-123a-b123-12345678a"
  },
  "RequestId": "12345678-1234-1234-abc1-a1b1234567"
}
Compare ExternalLoginId with the identity ID the person actually signs in with. If they differ, or the field is missing, that is what triggers the error, and UpdateUser (below) is the fix.
To learn more about using DescribeUser in the CLI, see DescribeUser in the Amazon QuickSight API Reference.
Use UpdateUser to update external login information for users
In some cases, you might find that the external login information saved for the user in the DescribeUser result isn't correct, or that the external login information is missing. If so, you can use the UpdateUser API operation to update it. Use the following examples.
For Amazon Cognito users, use the following.
aws quicksight update-user --aws-account-id account-id --namespace namespace --user-name cognito-associated-iam-role/cognito-username --email user-email --role user-role --external-login-federation-provider-type COGNITO --external-login-id cognito-identity-id --region identity-region
The following is an example.
aws quicksight update-user --aws-account-id 111222333 --namespace default --user-name CognitoQuickSightRole/cognito-user --email cognito-user@amazon.com --role ADMIN --external-login-federation-provider-type COGNITO --external-login-id us-east-1:12345678-1234-1234-abc1-a1b1234567 --region us-west-2
For custom OIDC provider users, use the following.
aws quicksight update-user --aws-account-id account-id --namespace namespace --user-name identity-provider-associated-iam-role/identity-username --email user-email --role user-role --external-login-federation-provider-type CUSTOM_OIDC --custom-federation-provider-url custom-identity-provider-url --external-login-id custom-provider-identity-id --region identity-region
The following is an example.
aws quicksight update-user --aws-account-id 111222333 --namespace default --user-name IdentityQuickSightRole/user --email user@amazon.com --role ADMIN --external-login-federation-provider-type CUSTOM_OIDC --custom-federation-provider-url idp.us-east-1.amazonaws.com/us-east-1_ABCDE --external-login-id 123abc-1234-123a-b123-12345678a --region us-west-2
If you want to delete the external login information for the user, set the external login federation provider type to NONE. Doing so also removes the check that ties this QuickSight user to one external subject, so use it only when the user no longer federates through an external login or you are about to register a fresh binding. Use the following CLI command to delete external login information.
aws quicksight update-user --aws-account-id account-id --namespace namespace --user-name identity-provider-associated-iam-role/identity-username --email user-email --role user-role --external-login-federation-provider-type NONE --region identity-region
The following is an example.
aws quicksight update-user --aws-account-id 111222333 --namespace default --user-name CognitoQuickSightRole/cognito-user --email cognito-user@amazon.com --role ADMIN --external-login-federation-provider-type NONE --region us-west-2
To learn more about using UpdateUser in the CLI, see UpdateUser in the Amazon QuickSight API Reference.
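The DescribeUser, UpdateUser and RegisterUser steps above, applied to the deleted-and-recreated Amazon Cognito user case described earlier, come together in the following added example (not code from the Amazon QuickSight documentation). It is a Python function that describes the role-based user, compares the stored ExternalLoginId with the Amazon Cognito identity ID the person now signs in with, and calls UpdateUser to remap it, or RegisterUser if the user doesn't exist yet, returning "ok", "updated" or "registered". It takes a boto3 QuickSight client; the FakeQuickSight class, the STALE_USER record and the identity IDs are constructed so the example runs offline, and the function and class names are this example's own.

```python
import re

# Identity IDs from a Cognito identity pool look like "<identity-region>:<id>",
# for example "us-east-1:12345678-1234-1234-abc1-a1b1234567" (the format the
# page gives for --external-login-id). A bare user pool "sub" does not match.
IDENTITY_ID_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d:[0-9a-f]+(?:-[0-9a-f]+){4}$")


def is_cognito_identity_id(value):
    return bool(IDENTITY_ID_RE.match(value))


def reconcile_cognito_login(client, account_id, namespace, role_name, session_name,
                            email, user_role, identity_id, iam_arn=None):
    """Bind QuickSight user "<role_name>/<session_name>" to identity_id.

    Returns "ok" if the stored external login already matches, "updated" if
    UpdateUser remapped it, or "registered" if the user didn't exist and was
    created with RegisterUser (which needs iam_arn).
    """
    if not is_cognito_identity_id(identity_id):
        raise ValueError(f"not a Cognito identity ID: {identity_id!r}")
    user_name = f"{role_name}/{session_name}"
    try:
        user = client.describe_user(AwsAccountId=account_id, Namespace=namespace,
                                    UserName=user_name)["User"]
    except client.exceptions.ResourceNotFoundException:
        if iam_arn is None:
            raise
        client.register_user(AwsAccountId=account_id, Namespace=namespace,
                             IdentityType="IAM", IamArn=iam_arn, SessionName=session_name,
                             Email=email, UserRole=user_role,
                             ExternalLoginFederationProviderType="COGNITO",
                             ExternalLoginId=identity_id)
        return "registered"
    if (user.get("ExternalLoginFederationProviderType") == "COGNITO"
            and user.get("ExternalLoginId") == identity_id):
        return "ok"
    # Stored binding is missing or names a different subject (for example the
    # deleted-and-recreated Cognito user): remap it to the current identity.
    client.update_user(AwsAccountId=account_id, Namespace=namespace, UserName=user_name,
                       Email=email, Role=user_role,
                       ExternalLoginFederationProviderType="COGNITO",
                       ExternalLoginId=identity_id)
    return "updated"


class FakeQuickSight:
    """Constructed in-memory stand-in for boto3.client("quicksight") so the
    example runs offline; only the three calls used above are implemented."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self, users):
        self.users = {u["UserName"]: dict(u) for u in users}
        self.calls = []

    def describe_user(self, AwsAccountId, Namespace, UserName):
        self.calls.append("describe_user")
        if UserName not in self.users:
            raise self.exceptions.ResourceNotFoundException(UserName)
        return {"Status": 200, "User": dict(self.users[UserName])}

    def update_user(self, AwsAccountId, Namespace, UserName, Email, Role, **attrs):
        self.calls.append("update_user")
        self.users[UserName].update(Email=Email, Role=Role, **attrs)
        return {"Status": 200, "User": dict(self.users[UserName])}

    def register_user(self, AwsAccountId, Namespace, IamArn, SessionName, Email, UserRole, **attrs):
        self.calls.append("register_user")
        name = f"{IamArn.rsplit('/', 1)[1]}/{SessionName}"  # role-name/session-name
        self.users[name] = {"UserName": name, "Email": Email, "Role": UserRole, **attrs}
        return {"Status": 201, "User": dict(self.users[name])}


# Constructed sample: what DescribeUser returns after the Cognito user was
# deleted and recreated; ExternalLoginId still names the old subject.
STALE_USER = {
    "UserName": "CognitoQuickSightRole/cognito-user",
    "Email": "cognito-user@amazon.com",
    "Role": "ADMIN",
    "IdentityType": "IAM",
    "ExternalLoginFederationProviderType": "COGNITO",
    "ExternalLoginFederationProviderUrl": "cognito-identity.amazonaws.com",
    "ExternalLoginId": "us-east-1:123abc-1234-123a-b123-12345678a",
}
NEW_IDENTITY_ID = "us-east-1:12345678-1234-1234-abc1-a1b1234567"  # the recreated user

if __name__ == "__main__":
    qs = FakeQuickSight([STALE_USER])  # real use: boto3.client("quicksight", region_name="us-east-1")
    print(reconcile_cognito_login(qs, "111222333", "default", "CognitoQuickSightRole",
                                  "cognito-user", "cognito-user@amazon.com", "ADMIN", NEW_IDENTITY_ID))
```

Against a real account, pass `boto3.client("quicksight", region_name=...)` in place of FakeQuickSight; the region must be the identity region, and the caller needs quicksight:DescribeUser, quicksight:UpdateUser and, for the register path, quicksight:RegisterUser. The identity-ID check up front stops a bare user pool sub from being written into ExternalLoginId, which would leave the user just as locked out as before.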