Cognito users cannot access Quicksight

I am trying to set up access to Quicksight via Cognito, but every time that I redirect a user using a sign in link, I get this error

“The external login used for federation is unauthorized for this QuickSight User.
Please refer to this page for help”

I have followed the directions in the link, but I have made no progress. Here is what the config for one of my users looks like:

$ aws quicksight describe-user --aws-account-id 732958832353 --namespace default --user-name QuicksightCognitoUsersSta-QSWebIdentityRole00A6161-Y1GN3HNB3V80/test6
    "Status": 200,
    "User": {
        "Arn": "arn:aws:quicksight:us-west-2:732958832353:user/default/QuicksightCognitoUsersSta-QSWebIdentityRole00A6161-Y1GN3HNB3V80/test6",
        "UserName": "QuicksightCognitoUsersSta-QSWebIdentityRole00A6161-Y1GN3HNB3V80/test6",
        "Email": "",
        "Role": "ADMIN",
        "IdentityType": "IAM",
        "Active": true,
        "PrincipalId": "federated/iam/AROA2VJ6AG3Q2YED6EUE2:test6",
        "ExternalLoginFederationProviderType": "COGNITO",
        "ExternalLoginFederationProviderUrl": "",
        "ExternalLoginId": "us-west-2:d978014a-944b-4324-8607-8f327f7c386d"
    "RequestId": "1317f09a-5d0b-4178-8df6-7dc8a85ab01f"

How can I solve this problem and authorize the external login?


Please try by leaving the field ExternalLoginId blank. That would reset which Cognito user the QS user is mapped to.

Or, if you can find the Cognito user to map to this user via the Cognito list user api. list-users — AWS CLI 1.22.80 Command Reference


I can’t leave ExternalLoginId blank because it results in this error:

InvalidParameterValueException: An error occurred (InvalidParameterValueException) when calling the RegisterUser operation: ExternalLoginFederationProviderType and ExternalLoginId should be provided together.

What are you saying in the second half of your answer. I have admin access to the account I am using, so yes I can find the Cognito users.

I’ve figured this out with some help from the Quicksight team.

There were two problems:

  1. The COGNITO option for the ExternalLoginFederationProviderType parameter in the register_user SDK call seems to be broken. Instead of automatically setting the CustomFederationProviderUrl parameter to something like, it always sets it to which does not work. To fix this, I used ‘CUSTOM_OIDC’ as the ExternalLoginFederationProviderType and manually set the CustomFederationProviderUrl parameter.

  2. I originally used something like us-east-1:123abc-1234-123a-b123-12345678a for the ExternalLoginId parameter in the register_user SDK call as described here. That documentation is wrong, and it is supposed to look like 123abc-1234-123a-b123-12345678a.

Seems like your issue is fixed and there were errors in documentation. Sorry, for the trouble. We will make sure to update the documentation. Appreciate your help and input.