Cognito users cannot access Quicksight

I am trying to set up access to Quicksight via Cognito, but every time that I redirect a user using a sign in link, I get this error

“The external login used for federation is unauthorized for this QuickSight User.
Please refer to this page for help”

I have followed the directions in the link, but I have made no progress. Here is what the config for one of my users looks like:

$ aws quicksight describe-user --aws-account-id 732958832353 --namespace default --user-name QuicksightCognitoUsersSta-QSWebIdentityRole00A6161-Y1GN3HNB3V80/test6
{
    "Status": 200,
    "User": {
        "Arn": "arn:aws:quicksight:us-west-2:732958832353:user/default/QuicksightCognitoUsersSta-QSWebIdentityRole00A6161-Y1GN3HNB3V80/test6",
        "UserName": "QuicksightCognitoUsersSta-QSWebIdentityRole00A6161-Y1GN3HNB3V80/test6",
        "Email": "eppercan@amazon.com",
        "Role": "ADMIN",
        "IdentityType": "IAM",
        "Active": true,
        "PrincipalId": "federated/iam/AROA2VJ6AG3Q2YED6EUE2:test6",
        "ExternalLoginFederationProviderType": "COGNITO",
        "ExternalLoginFederationProviderUrl": "cognito-identity.amazonaws.com",
        "ExternalLoginId": "us-west-2:d978014a-944b-4324-8607-8f327f7c386d"
    },
    "RequestId": "1317f09a-5d0b-4178-8df6-7dc8a85ab01f"
}

How can I solve this problem and authorize the external login?

Hi,

Please try by leaving the field ExternalLoginId blank. That would reset which Cognito user the QS user is mapped to.

Or, if you can, find the Cognito user to map to this user via the Cognito list-users API: list-users — AWS CLI 1.22.80 Command Reference

Thanks

I can’t leave ExternalLoginId blank because it results in this error:

InvalidParameterValueException: An error occurred (InvalidParameterValueException) when calling the RegisterUser operation: ExternalLoginFederationProviderType and ExternalLoginId should be provided together.

What are you saying in the second half of your answer? I have admin access to the account I am using, so yes, I can find the Cognito users.

I’ve figured this out with some help from the Quicksight team.

There were two problems:

  1. The COGNITO option for the ExternalLoginFederationProviderType parameter in the register_user SDK call seems to be broken. Instead of automatically setting the CustomFederationProviderUrl parameter to something like cognito-idp.us-west-2.amazonaws.com/us-west-2_VTyD3lDhH, it always sets it to cognito-identity.amazonaws.com which does not work. To fix this, I used ‘CUSTOM_OIDC’ as the ExternalLoginFederationProviderType and manually set the CustomFederationProviderUrl parameter.

  2. I originally used something like us-east-1:123abc-1234-123a-b123-12345678a for the ExternalLoginId parameter in the register_user SDK call as described here. That documentation is wrong, and it is supposed to look like 123abc-1234-123a-b123-12345678a.
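To make the two fixes above concrete, here is an added example (my own code, not code from the thread or from AWS) that builds the register_user parameters the way the post describes (CUSTOM_OIDC with an explicit CustomFederationProviderUrl, and the bare Cognito sub as ExternalLoginId) and that checks a describe-user response for the two symptoms seen earlier in the thread: a provider URL of cognito-identity.amazonaws.com and a region-prefixed ExternalLoginId. The account id, region, user pool id, role ARN and sub are constructed sample values; the user pool id shape follows the us-west-2_VTyD3lDhH example in the post.

```python
"""Build a QuickSight register_user call for a Cognito user-pool federated user.

Added example, not code from the thread. It encodes the two fixes described
above: ExternalLoginFederationProviderType must be CUSTOM_OIDC with the user
pool issuer host set explicitly, and ExternalLoginId must be the bare Cognito
user 'sub' without a 'region:' prefix. All ids below are constructed samples.
"""
import re
import sys
from typing import Dict, List

# Endpoint the COGNITO provider type was observed to write; it is the
# identity-pool endpoint, not the user-pool issuer, and federation then fails.
COGNITO_IDENTITY_ENDPOINT = "cognito-identity.amazonaws.com"

REGION_PREFIX = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d+:")
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
                     r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")


def user_pool_issuer_host(region: str, user_pool_id: str) -> str:
    """Issuer host of a Cognito user pool, as QuickSight expects it (no scheme)."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def normalize_external_login_id(value: str) -> str:
    """Return the bare Cognito sub, stripping a 'region:' prefix if present."""
    bare = REGION_PREFIX.sub("", value.strip())
    if not UUID_RE.match(bare):
        raise ValueError(
            f"ExternalLoginId must be the Cognito user sub (a UUID), got {value!r}")
    return bare


def build_register_user_params(account_id: str, namespace: str, region: str,
                               user_pool_id: str, cognito_sub: str, email: str,
                               iam_role_arn: str, session_name: str,
                               user_role: str = "READER") -> Dict[str, str]:
    """Keyword arguments for boto3 quicksight.register_user (IAM role + session)."""
    return {
        "AwsAccountId": account_id,
        "Namespace": namespace,
        "IdentityType": "IAM",
        "IamArn": iam_role_arn,
        "SessionName": session_name,
        "Email": email,
        "UserRole": user_role,
        # CUSTOM_OIDC with an explicit issuer instead of the COGNITO shortcut.
        "ExternalLoginFederationProviderType": "CUSTOM_OIDC",
        "CustomFederationProviderUrl": user_pool_issuer_host(region, user_pool_id),
        "ExternalLoginId": normalize_external_login_id(cognito_sub),
    }


def diagnose_user(describe_user_response: Dict) -> List[str]:
    """Flag the two misconfigurations from the thread in a describe-user result."""
    user = describe_user_response["User"]
    findings = []
    if user.get("ExternalLoginFederationProviderUrl", "") == COGNITO_IDENTITY_ENDPOINT:
        findings.append("provider URL is the identity-pool endpoint; expected "
                        "cognito-idp.<region>.amazonaws.com/<user-pool-id>")
    if REGION_PREFIX.match(user.get("ExternalLoginId", "")):
        findings.append("ExternalLoginId has a 'region:' prefix; expected the bare sub")
    return findings


# Constructed describe-user response shaped like the broken one in the thread.
SAMPLE_BROKEN_USER = {
    "Status": 200,
    "User": {
        "UserName": "QSWebIdentityRole-EXAMPLE/test6",
        "IdentityType": "IAM",
        "ExternalLoginFederationProviderType": "COGNITO",
        "ExternalLoginFederationProviderUrl": COGNITO_IDENTITY_ENDPOINT,
        "ExternalLoginId": "us-west-2:1b4d1b4d-0000-4000-8000-000000000001",
    },
}


def sample_params() -> Dict[str, str]:
    """Parameters for one constructed user, used by __main__ and the checks."""
    return build_register_user_params(
        account_id="123456789012", namespace="default", region="us-west-2",
        user_pool_id="us-west-2_EXAMPLE",
        cognito_sub="us-west-2:1b4d1b4d-0000-4000-8000-000000000001",
        email="test6@example.com",
        iam_role_arn="arn:aws:iam::123456789012:role/QSWebIdentityRole-EXAMPLE",
        session_name="test6")


if __name__ == "__main__":
    print("findings on sample user:", diagnose_user(SAMPLE_BROKEN_USER))
    params = sample_params()
    print("register_user params:", params)
    if "--apply" in sys.argv:  # live call only on request; needs boto3 and credentials
        import boto3
        print(boto3.client("quicksight", region_name="us-west-2").register_user(**params))
```

Run it without arguments to see the diagnosis and the parameter dict; with --apply it passes that dict to register_user. After registering, re-run describe-user and feed the JSON to diagnose_user: an empty list means both fixes from the post are in place.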

Seems like your issue is fixed and there were errors in documentation. Sorry for the trouble. We will make sure to update the documentation. Appreciate your help and input.