AccessDeniedException: Failed to fetch IDC user from token Error when using PredictQAResults

Hello community,

I am developing a Node.js application where I want to use the PredictQAResults method from QuickSight Q. To authenticate users, I am using Amazon Cognito (User Pool + Identity Pool), and then I initialize the QuickSight client with fromCognitoIdentityPool from the AWS SDK.

My current flow:

  1. The user authenticates via Cognito User Pool.
  2. I get the idToken from a successful login.
  3. I create the credentials using fromCognitoIdentityPool like this:
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";
import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";

const credentials = fromCognitoIdentityPool({
  client: new CognitoIdentityClient({ region: "us-east-1" }),
  identityPoolId: "us-east-1:xxxx-xxxx-xxxx-xxxx",  // My Identity Pool ID
  logins: {
    "cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx": idToken,  // idToken obtained from Cognito
  },
});
  4. I initialize the QuickSight client with the Cognito credentials:
import { QuickSightClient, PredictQAResultsCommand } from "@aws-sdk/client-quicksight";

const qsClient = new QuickSightClient({
  region: "us-east-1",
  credentials,
});
  5. Then, I call the PredictQAResultsCommand:
qsClient.send(
  new PredictQAResultsCommand({
    AwsAccountId: "xxxxxxxxxxx",  // My AWS account ID
    QueryText: "sales per month",  // Sample query
    IncludeQuickSightQIndex: "INCLUDE",
    IncludeGeneratedAnswer: "INCLUDE",
    MaxTopicsToConsider: 1,
  })
).then((data) => {
  console.log("Success - PredictQAResultsCommand", data);
}).catch((error) => {
  console.log("Error", error);
});

The error I receive is the following:
AccessDeniedException: Failed to fetch IDC user from token

What I have already verified:

  1. The role assigned in the Identity Pool has the necessary permissions:
  • quicksight:PredictQAResults
  • quicksight:DescribeUser
  • Other necessary permissions for interacting with QuickSight

Example of the policy attached to the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-identity:GetCredentialsForIdentity",
        "quicksight:PredictQAResults",
        "quicksight:DescribeUser",
        "quicksight:GenerateEmbedUrlForRegisteredUser",
        "quicksight:ListUsers",
        "quicksight:SearchUsers",
        "quicksight:ListDashboards",
        "quicksight:ListDataSources",
        "quicksight:SearchGroups",
        "quicksight:UpdateQuickSightQSearchConfiguration",
        "quicksight:DescribeQuickSightQSearchConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*"
    }
  ]
}

The trust relationship of the role includes the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxx-xxxx-xxxx-xxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "quicksight.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The user is correctly registered in QuickSight:

  • The federated user appears in the list of QuickSight users (ListUsers).
  • The user has the ADMIN PRO role in QuickSight.
  • QuickSight Q is enabled.

So my question is: Is there any limitation or additional configuration I need to consider when using this method?

I appreciate any help or suggestions to resolve this issue.

Thanks in advance!

Resolving “Failed to fetch IDC user from token” Error with QuickSight Q and Cognito Authentication

The “Failed to fetch IDC user from token” error occurs because QuickSight requires proper identity mapping between your Cognito users and QuickSight users. When using federated identity with QuickSight Q, you need to ensure the user’s identity is correctly registered in QuickSight with the same namespace as the identity provider.

The error indicates that QuickSight cannot associate the Cognito token with a valid QuickSight user. This typically happens because:

  1. The identity namespace in QuickSight doesn’t match the Cognito identity provider namespace
  2. The user registration in QuickSight doesn’t properly map to the Cognito identity

Missing User Registration Step
When a user authenticates through Cognito, QuickSight expects to find a corresponding user in its system. The error suggests this mapping is missing or incorrect.

  1. Register the User in QuickSight with the Correct Identity Type
    You need to explicitly register the Cognito user in QuickSight using the RegisterUser API with the correct identity type:
import { RegisterUserCommand } from "@aws-sdk/client-quicksight";

const registerUserParams = {
  AwsAccountId: "xxxxxxxxxxx",
  IdentityType: "IAM_IDENTITY_CENTER", // This is crucial for federated identities
  Namespace: "default", // Use your QuickSight namespace
  UserRole: "ADMIN", // Or appropriate role
  Email: userEmail, // email of the authenticated Cognito user
  // For federated identities, include:
  IamArn: "arn:aws:iam::xxxxxxxxxxx:role/your-identity-pool-role"
};

await quickSightClient.send(new RegisterUserCommand(registerUserParams));

  2. Modify Your Authentication Flow

Update your authentication flow to include the proper identity mapping:

// After successful Cognito authentication
const credentials = fromCognitoIdentityPool({
  clientConfig: { region: "us-east-1" }, // Use clientConfig instead of client
  identityPoolId: "us-east-1:xxxx-xxxx-xxxx-xxxx",
  logins: {
    "cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx": idToken,
  },
});

// Initialize QuickSight client with these credentials
const qsClient = new QuickSightClient({
  region: "us-east-1",
  credentials,
});

Note the use of clientConfig instead of client, which aligns with the AWS SDK v3 documentation.

  3. Update IAM Role Configuration

Ensure your IAM role has the necessary permissions for identity center operations:

{
  "Effect": "Allow",
  "Action": [
    "quicksight:RegisterUser",
    "sso:*",
    "identitystore:*"
  ],
  "Resource": "*"
}
  4. Configure QuickSight Identity Propagation

QuickSight needs to be configured to accept identities from your Cognito user pool. This requires administrative setup in the QuickSight console or via API.

Additional Configuration Checks

  1. Verify User Namespace: Ensure the namespace in QuickSight matches what’s expected from Cognito federation.

  2. Check Identity Mapping: Use the QuickSight DescribeUser API to verify how the user is registered:

import { DescribeUserCommand } from "@aws-sdk/client-quicksight";

const describeUserParams = {
  AwsAccountId: "xxxxxxxxxxx",
  Namespace: "default",
  UserName: "cognito-user-identifier" // This should match how the user is registered
};

const userDetails = await qsClient.send(new DescribeUserCommand(describeUserParams));
console.log("User details:", userDetails);
  3. Enable Debug Logging: Add detailed logging to track the authentication flow:
const credentials = fromCognitoIdentityPool({
  clientConfig: { region: "us-east-1" },
  identityPoolId: "us-east-1:xxxx-xxxx-xxxx-xxxx",
  logins: {
    "cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx": idToken,
  },
});

// Log the identity ID. In SDK v3 the provider is an async function
// (there is no getPromise() as in SDK v2); calling it resolves the
// temporary credentials together with the Cognito identityId.
credentials().then(creds => {
  console.log("Identity ID:", creds.identityId);
}).catch(err => {
  console.error("Error getting credentials:", err);
});
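As an added illustration of the DescribeUser check the answer recommends (this is example code, not part of the thread or of the AWS SDK), the helper below resolves the Cognito-derived credentials the SDK v3 way and runs a DescribeUser preflight before PredictQAResults, turning the opaque AccessDeniedException into a concrete diagnosis. The DescribeUser call is injected as a function, and `fakeDescribeUser`, `sampleDirectory` and `fakeProvider` are constructed stand-ins so it runs without AWS access.

```javascript
// Added example, not from the thread. In production, describeUser wraps
// qsClient.send(new DescribeUserCommand({ AwsAccountId, Namespace, UserName })).

// SDK v3 detail: fromCognitoIdentityPool returns an async provider
// *function* (no getPromise as in SDK v2); calling it yields
// { accessKeyId, secretAccessKey, sessionToken, expiration, identityId }.
async function resolveIdentityId(credentialsProvider) {
  const creds = await credentialsProvider();
  if (!creds || !creds.identityId) {
    throw new Error("provider returned no Cognito identityId; check the logins map");
  }
  return creds.identityId;
}

// Preflight: is the caller registered in QuickSight under this namespace?
async function checkQuickSightRegistration(describeUser, awsAccountId, namespace, userName) {
  try {
    const { User } = await describeUser(awsAccountId, namespace, userName);
    return { registered: true, role: User.Role, identityType: User.IdentityType };
  } catch (err) {
    if (err.name === "ResourceNotFoundException") {
      return { registered: false, reason: `no user "${userName}" in namespace "${namespace}"` };
    }
    if (err.name === "AccessDeniedException" && /IDC user/.test(err.message)) {
      return { registered: false,
               reason: "caller cannot be mapped to an IAM Identity Center user; re-check the IdentityType and Namespace used at registration" };
    }
    throw err; // anything else is a real failure, not a registration problem
  }
}

// Constructed offline stand-in for the QuickSight API: each directory entry
// either returns a user record or throws the named error.
function fakeDescribeUser(directory) {
  return async (awsAccountId, namespace, userName) => {
    const entry = directory[`${namespace}/${userName}`];
    if (!entry) throw Object.assign(new Error("User not found"), { name: "ResourceNotFoundException" });
    if (entry.error) throw Object.assign(new Error(entry.error.message), { name: entry.error.name });
    return { User: entry.user };
  };
}

// Constructed sample data: one properly registered user, one that reproduces the thread's error.
const sampleDirectory = {
  "default/alice": { user: { UserName: "alice", Role: "ADMIN_PRO", IdentityType: "IAM_IDENTITY_CENTER" } },
  "default/bob": { error: { name: "AccessDeniedException", message: "Failed to fetch IDC user from token" } },
};
const fakeProvider = async () => ({ accessKeyId: "AKIA-constructed", secretAccessKey: "x", identityId: "us-east-1:constructed-id" });
```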

Hello @Maribelrb, since we have not heard back from you, I will mark @murili’s response as the solution. Please let us know if you have any further questions on the process, and we can help guide you further. Thank you!