AccessDeniedException: Failed to fetch IDC user from token Error when using PredictQAResults

Hello community,

I am developing a Node.js application where I want to use the PredictQAResults method from QuickSight Q. To authenticate users, I am using Amazon Cognito (User Pool + Identity Pool), and then I initialize the QuickSight client with fromCognitoIdentityPool from the AWS SDK.

My current flow:

  1. The user authenticates via Cognito User Pool.
  2. I get the idToken from a successful login.
  3. I create the credentials using fromCognitoIdentityPool like this:
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";
import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
import { QuickSightClient, PredictQAResultsCommand } from "@aws-sdk/client-quicksight";

const credentials = fromCognitoIdentityPool({
  client: new CognitoIdentityClient({ region: "us-east-1" }),
  identityPoolId: "us-east-1:xxxx-xxxx-xxxx-xxxx",  // My Identity Pool ID
  logins: {
    "cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx": idToken,  // idToken obtained from Cognito
  },
});
  4. I initialize the QuickSight client with the Cognito credentials:
const qsClient = new QuickSightClient({
  region: "us-east-1",
  credentials,
});
  5. Then, I call the PredictQAResultsCommand:
qsClient.send(
  new PredictQAResultsCommand({
    AwsAccountId: "xxxxxxxxxxx",  // My AWS account ID
    QueryText: "sales per month",  // Sample query
    IncludeQuickSightQIndex: "INCLUDE",
    IncludeGeneratedAnswer: "INCLUDE",
    MaxTopicsToConsider: 1,
  })
).then((data) => {
  console.log("Success - PredictQAResultsCommand", data);
}).catch((error) => {
  console.log("Error", error);
});

The error I receive is the following:
AccessDeniedException: Failed to fetch IDC user from token

What I have already verified:

  1. The role assigned in the Identity Pool has the necessary permissions:
  • quicksight:PredictQAResults
  • quicksight:DescribeUser
  • Other necessary permissions for interacting with QuickSight

Example of the policy attached to the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-identity:GetCredentialsForIdentity",
        "quicksight:PredictQAResults",
        "quicksight:DescribeUser",
        "quicksight:GenerateEmbedUrlForRegisteredUser",
        "quicksight:ListUsers",
        "quicksight:SearchUsers",
        "quicksight:ListDashboards",
        "quicksight:ListDataSources",
        "quicksight:SearchGroups",
        "quicksight:UpdateQuickSightQSearchConfiguration",
        "quicksight:DescribeQuickSightQSearchConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*"
    }
  ]
}

The trust relationship of the role includes the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxx-xxxx-xxxx-xxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "quicksight.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The user is correctly registered in QuickSight:

  • The federated user appears in the list of QuickSight users (ListUsers).
  • The user has the ADMIN PRO role in QuickSight.
  • QuickSight Q is enabled.

So my question is: Is there any limitation or additional configuration I need to consider when using this method?

I appreciate any help or suggestions to resolve this issue.

Thanks in advance!

Resolving “Failed to fetch IDC user from token” Error with QuickSight Q and Cognito Authentication

The “Failed to fetch IDC user from token” error occurs because QuickSight requires proper identity mapping between your Cognito users and QuickSight users. When using federated identity with QuickSight Q, you need to ensure the user’s identity is correctly registered in QuickSight with the same namespace as the identity provider.

The error indicates that QuickSight cannot associate the Cognito token with a valid QuickSight user. This typically happens because:

  1. The identity namespace in QuickSight doesn’t match the Cognito identity provider namespace
  2. The user registration in QuickSight doesn’t properly map to the Cognito identity

Missing User Registration Step
When a user authenticates through Cognito, QuickSight expects to find a corresponding user in its system. The error suggests this mapping is missing or incorrect.

  1. Register the User in QuickSight with the Correct Identity Type
    You need to explicitly register the Cognito user in QuickSight using the RegisterUser API with the correct identity type:
import { QuickSightClient, RegisterUserCommand } from "@aws-sdk/client-quicksight";

const quickSightClient = new QuickSightClient({ region: "us-east-1" });

const registerUserParams = {
  AwsAccountId: "xxxxxxxxxxx",
  IdentityType: "IAM_IDENTITY_CENTER", // This is crucial for federated identities
  Namespace: "default", // Use your QuickSight namespace
  UserRole: "ADMIN", // Or appropriate role
  Email: userEmail, // Email of the user being registered
  // For federated identities, include:
  IamArn: "arn:aws:iam::xxxxxxxxxxx:role/your-identity-pool-role"
};

await quickSightClient.send(new RegisterUserCommand(registerUserParams));

2. Modify Your Authentication Flow

Update your authentication flow to include the proper identity mapping:

import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";
import { QuickSightClient } from "@aws-sdk/client-quicksight";

// After successful Cognito authentication
const credentials = fromCognitoIdentityPool({
  clientConfig: { region: "us-east-1" }, // Use clientConfig instead of client
  identityPoolId: "us-east-1:xxxx-xxxx-xxxx-xxxx",
  logins: {
    "cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx": idToken,
  },
});

// Initialize QuickSight client with these credentials
const qsClient = new QuickSightClient({
  region: "us-east-1",
  credentials,
});

Note the use of clientConfig instead of client, which aligns with the AWS SDK v3 documentation.

  3. Update IAM Role Configuration

Ensure your IAM role has the necessary permissions for identity center operations:

{
  "Effect": "Allow",
  "Action": [
    "quicksight:RegisterUser",
    "sso:*",
    "identitystore:*"
  ],
  "Resource": "*"
}
  4. Configure QuickSight Identity Propagation

QuickSight needs to be configured to accept identities from your Cognito user pool. This requires administrative setup in the QuickSight console or via API.

Additional Configuration Checks

  1. Verify User Namespace: Ensure the namespace in QuickSight matches what’s expected from Cognito federation.

  2. Check Identity Mapping: Use the QuickSight DescribeUser API to verify how the user is registered:

import { DescribeUserCommand } from "@aws-sdk/client-quicksight";

const describeUserParams = {
  AwsAccountId: "xxxxxxxxxxx",
  Namespace: "default",
  UserName: "cognito-user-identifier" // This should match how the user is registered
};

const userDetails = await qsClient.send(new DescribeUserCommand(describeUserParams));
console.log("User details:", userDetails);
  3. Enable Debug Logging: Add detailed logging to track the authentication flow:
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";

const credentials = fromCognitoIdentityPool({
  clientConfig: { region: "us-east-1" },
  identityPoolId: "us-east-1:xxxx-xxxx-xxxx-xxxx",
  logins: {
    "cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx": idToken,
  },
});

// Log the identity ID. In SDK v3 the provider returned by fromCognitoIdentityPool
// is an async function, so call it directly (there is no v2-style getPromise()).
credentials().then(creds => {
  console.log("Identity ID:", creds.identityId);
}).catch(err => {
  console.error("Error getting credentials:", err);
});
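To turn the answer's "DescribeUser before PredictQAResults" advice into a routine preflight, here is an added example that is not part of the thread and not AWS sample code. It derives the QuickSight user name an IAM-federated caller is expected to have from the STS caller ARN, runs DescribeUser first, and maps the errors (ResourceNotFoundException, and the AccessDeniedException from this thread) to a concrete finding instead of one opaque message. Assumptions: credentials from a Cognito identity pool are an assumed-role session whose ARN has the form arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName> (the session name is typically CognitoIdentityCredentials; confirm with GetCallerIdentity in your own account), and QuickSight names such a user <RoleName>/<SessionName>. The AWS calls are passed in as plain async functions so the logic runs offline; `fakeAws` and every account id, role name and user name below are constructed for the demo. In the application, wire `getCallerIdentity`, `describeUser` and `predictQAResults` to STS GetCallerIdentityCommand and QuickSight DescribeUserCommand / PredictQAResultsCommand.

```javascript
// Added example (not code from the thread or from AWS): a preflight that runs
// the answer's DescribeUser check before PredictQAResults and turns the
// failures into a concrete finding. AWS calls are injected as async functions
// so the logic runs offline; wire them to GetCallerIdentityCommand,
// DescribeUserCommand and PredictQAResultsCommand in the real application.
//
// Assumption (verify with GetCallerIdentity in your account): credentials from a
// Cognito identity pool are an assumed-role session whose ARN has the form
// arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>, and QuickSight
// names that IAM-federated user "<RoleName>/<SessionName>".
const ASSUMED_ROLE_ARN = /^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)\/([^/]+)$/;

// QuickSight UserName for an IAM-federated caller; null for an IAM user or root,
// which QuickSight registers under a different name.
function quickSightUserNameFromCallerArn(callerArn) {
  const m = ASSUMED_ROLE_ARN.exec(callerArn || "");
  return m ? `${m[2]}/${m[3]}` : null;
}

// Map a QuickSight error to something the operator can act on.
function diagnoseQuickSightError(err, userName) {
  const name = (err && err.name) || "Error";
  const message = (err && err.message) || "";
  if (name === "ResourceNotFoundException") {
    return { finding: "USER_NOT_REGISTERED",
             action: `RegisterUser "${userName}" in this namespace before calling PredictQAResults` };
  }
  if (name === "AccessDeniedException" && /IDC user/i.test(message)) {
    return { finding: "NO_IDENTITY_CENTER_MAPPING",
             action: "QuickSight could not resolve the caller to an IAM Identity Center user; " +
                     "check the user's IdentityType and the Identity Center / propagation setup" };
  }
  if (name === "AccessDeniedException") {
    return { finding: "IAM_DENY",
             action: "the identity-pool role is missing the quicksight action that was denied" };
  }
  return { finding: "UNEXPECTED", action: `${name}: ${message}` };
}

// Stop at the first check that fails; only a registered user reaches PredictQAResults.
async function preflightPredictQA(aws, { awsAccountId, namespace = "default", queryText }) {
  const { Arn } = await aws.getCallerIdentity();
  const userName = quickSightUserNameFromCallerArn(Arn);
  if (!userName) {
    return { ok: false, stage: "GetCallerIdentity", finding: "NOT_A_ROLE_SESSION", callerArn: Arn };
  }
  let user;
  try {
    ({ User: user } = await aws.describeUser({
      AwsAccountId: awsAccountId, Namespace: namespace, UserName: userName }));
  } catch (err) {
    return { ok: false, stage: "DescribeUser", userName, ...diagnoseQuickSightError(err, userName) };
  }
  try {
    const data = await aws.predictQAResults({
      AwsAccountId: awsAccountId, QueryText: queryText,
      IncludeQuickSightQIndex: "INCLUDE", IncludeGeneratedAnswer: "INCLUDE", MaxTopicsToConsider: 1,
    });
    return { ok: true, userName, identityType: user.IdentityType, data };
  } catch (err) {
    return { ok: false, stage: "PredictQAResults", userName, identityType: user.IdentityType,
             ...diagnoseQuickSightError(err, userName) };
  }
}

// Constructed stand-in for the three AWS calls so the preflight can be exercised
// offline. `registered` maps QuickSight UserName -> IdentityType; `qaEnabledFor`
// lists the user names for which the fake PredictQAResults succeeds.
function fakeAws({ callerArn, registered, qaEnabledFor }) {
  const fail = (name, message) => Object.assign(new Error(message), { name });
  return {
    getCallerIdentity: async () => ({ Arn: callerArn }),
    describeUser: async ({ UserName }) => {
      if (!(UserName in registered)) throw fail("ResourceNotFoundException", `User ${UserName} not found`);
      return { User: { UserName, IdentityType: registered[UserName], Role: "ADMIN_PRO" } };
    },
    predictQAResults: async () => {
      if (!qaEnabledFor.includes(quickSightUserNameFromCallerArn(callerArn))) {
        throw fail("AccessDeniedException", "Failed to fetch IDC user from token");
      }
      return { Answers: [] }; // minimal constructed response shape
    },
  };
}
```

The value of running the checks in this order is that the result tells you which layer failed: an IAM deny from the identity-pool role, a user that was never registered in the namespace, or a registered user whose identity type QuickSight Q cannot resolve through Identity Center. Note also that if the session name really is fixed per identity pool, every Cognito user assuming that role maps to the same QuickSight user name, which matters when you rely on QuickSight's per-user access control.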

Hello @Maribelrb, since we have not heard back from you, I will mark @murili’s response as the solution. Please let us know if you have any further questions on the process, and we can help guide you further. Thank you!