Unable to open Opensearch Dashboard #796

Open
5 tasks
seano10 opened this issue Dec 30, 2024 · 14 comments

@seano10

seano10 commented Dec 30, 2024

Describe the bug
I may just be missing something obvious but when I click to go to the Opensearch Dashboards (which was previously working) I get the attached error.

To Reproduce
Can be reproduced every time by clicking on 'Opensearch Dashboards'

Expected behavior
I would expect it to open the OpenSearch Dashboards correctly

Please complete the following information about the solution:
Version: 6.1.0
BuildDate: Wed Aug 28 2024 23:00:22 GMT

  • Region: eu-west-2 (London)
  • Was the solution modified from the version published on this repository? - NO
  • If the answer to the previous question was yes, are the changes available on GitHub? - N/A
  • Have you checked your service quotas for the services this solution uses? N/A
  • Were there any errors in the CloudWatch Logs? - NO

Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context
I kind of understand what the error is saying but I am confused as it used to work and nothing external to the solution has changed that I am aware of.
opensearch error

@seano10 seano10 added the bug label Dec 30, 2024
@abhirpat
Member

abhirpat commented Dec 30, 2024

Hi @seano10, thank you for reporting this. What happens after you click on the 'Log in to OpenSearch Dashboards' button below the 'Sorry!' emoji?

@abhirpat abhirpat self-assigned this Dec 30, 2024
@seano10
Author

seano10 commented Dec 30, 2024

Hi @abhirpat , if I click the button below 'sorry' it asks for my credentials which I supply and then it gives the same error again

@abhirpat
Member

abhirpat commented Dec 30, 2024

Thank you for that information. Could you please also try the following steps?

  1. Log out and clear the cache, or use incognito mode, in the browser. Open Content Designer > select the tools menu ( ☰ ) > click on OpenSearch Dashboard.
  2. Also, please try the latest version of QnABot, v6.1.5, because I noticed you are using v6.1.0 and I'd like to see if the fixes in v6.1.2 help with this.

Also, is this the default admin or a new admin that you have added? If it is a new admin, is the admin part of the admin group?

@seano10
Author

seano10 commented Dec 30, 2024

Thanks, I have tried (1), no luck. I will have to try (2) in the morning as I need to knock off for the day now I'm afraid. Thanks, I will update further when I have tried. For (3) it is the default admin as set up when I deployed the version last time.

@seano10
Author

seano10 commented Dec 31, 2024

Hi @abhirpat I have upgraded to 6.1.5 but still get the same error... Also to confirm the Admin looks to have all the correct configuration as per the 'troubleshooting' link from the 'Sorry' error message that pops up.

@abhirpat
Member

abhirpat commented Jan 3, 2025

Thank you @seano10 for validating that. Going back to the error, it seems that something has changed between the identity pool and the assigned IAM roles. In the post, you have mentioned that it was working before. Do you recall what changes you made before it stopped working? Were there any changes in the trust relationships of roles or modifications to the authentication?

@seano10
Author

seano10 commented Jan 9, 2025

Hi @abhirpat, sorry for the slow reply. No, I am not aware of any changes that were made to anything; certainly I made none and no one else has cause to be doing so. It is strange, as if I check the identity pools and roles it all looks to be set up correctly.

@abhirpat
Member

Hi @seano10, this error typically occurs when there's a misconfiguration between Amazon Cognito and OpenSearch Dashboards, specifically related to IAM roles. I have tried deploying a few QnABot instances but am unable to reproduce it.

Here's how we can troubleshoot the issue. Please:

  1. Navigate to the IAM role ESCognitoRole's policy > AWSQnaBotESCognitoAccess policy. Please ensure this policy was not modified.
  2. In the statement that contains cognito-idp:ListUserPoolClients, please try adding cognito-idp:UpdateUserPoolClient.
  3. In the statement where the action is "Action": "iam:PassRole", please try:
    a. adding "iam:GetRole" as an additional action
    b. adding the following resource: arn:aws:iam::<account-id>:role/service-role/CognitoAccessForAmazonOpenSearch, where <account-id> is the account ID you need to substitute.

Here is the OpenSearch documentation for examples of how policies can be set.

Please let me know if that resolves the issue.

Thank you,
Abhishek

@seano10
Author

seano10 commented Jan 14, 2025

Thanks @abhirpat , assuming I have updated the above correctly (attached) this has had no effect, I still get the 'Sorry' message
IAM Updates

@abhirpat
Member

Thanks for testing this, @seano10. Could you please confirm if the error message on the sorry page is still "Check IAM roles"? Also, to confirm, you have tried to log in again in incognito (or cleared the browser cache) to ensure it is a new session?

@seano10
Author

seano10 commented Jan 14, 2025

Thanks @abhirpat, yes, cleared cache but also tried incognito mode just in case, same error with each, looks like the same error as before:
sorry2

@abhirpat
Member

abhirpat commented Jan 14, 2025

Thanks @seano10. I also deployed in eu-west-2 (your region) in addition to us-east-1 and us-west-2, but it's working on my end. Could you please try updating OpenSearchDashboardsRole > Trust relationship > add an additional Condition?

      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
      }

Also, please verify the trust relationship has the correct information. Here, _identity-pool-id_ is the value in Cognito > Identity Pools > OpenSearchDashboardsIdPool > Identity Pool ID.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "cognito-identity.amazonaws.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "_identity-pool-id_"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
      }
    }
  }]
}
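
The trust-relationship check requested in the comment above can be done offline against an exported copy of the role's trust policy. This is an added example, not part of the thread or the QnABot project: `check_trust_policy` and the pool ID are constructed for illustration, and only the two conditions shown in the comment are checked.

```python
import json

IDP = "cognito-identity.amazonaws.com"
POOL_ID = "eu-west-2:00000000-0000-0000-0000-000000000000"  # constructed sample value

def _as_list(value):
    """IAM accepts either a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, identity_pool_id):
    """Return a list of findings; an empty list means the checks pass."""
    matching = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and IDP in federated
                and "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action"))):
            matching.append(stmt)
    if not matching:
        return ["no Allow statement for " + IDP + " with sts:AssumeRoleWithWebIdentity"]
    findings = []
    for stmt in matching:
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(IDP + ":aud"))
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get(IDP + ":amr"))
        if identity_pool_id not in aud:
            findings.append(f"aud is {aud}, expected {identity_pool_id}")
        if "authenticated" not in amr:
            findings.append("amr condition does not require 'authenticated'")
    return findings

# The trust policy from the comment above, placeholder left exactly as posted.
TEMPLATE = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "cognito-identity.amazonaws.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {"cognito-identity.amazonaws.com:aud": "_identity-pool-id_"},
    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}"""

AS_POSTED = json.loads(TEMPLATE)
FILLED_IN = json.loads(TEMPLATE.replace("_identity-pool-id_", POOL_ID))
NO_AMR = json.loads(TEMPLATE.replace("_identity-pool-id_", POOL_ID))
del NO_AMR["Statement"][0]["Condition"]["ForAnyValue:StringLike"]

if __name__ == "__main__":
    for name, doc in [("as posted", AS_POSTED), ("filled in", FILLED_IN), ("no amr", NO_AMR)]:
        print(name, "->", check_trust_policy(doc, POOL_ID) or "OK")
```

A policy pasted with the `_identity-pool-id_` placeholder still in it fails the `aud` check, and a policy without the `amr` condition is not restricted to authenticated identities.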

@seano10
Author

seano10 commented Jan 15, 2025

Hi @abhirpat sorry to say that even with the additional condition and having confirmed the trust relationship, still the same error :-(

@abhirpat
Member

Thank you for all your effort, Sean. It seems we will need to set up a troubleshooting session to investigate further. Could you please reach out to AWS support and request them to send your ticket to the QnABot team? Once we have your ticket, we can schedule a meeting to investigate further.
