Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

Error
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that the AWS Management Account ID is correctly configured. [ Error details ] Management Account ID must be configured when "Manage All Accounts" is checked or AWS organization entities needs to be managed.
With IAM Role authentication, if Manage All Accounts is selected or Include AWS Account IDs is populated, the test connection fails when no Management Account ID has been configured.
Resolution: Provide the Management Account ID on the configuration settings page (the Management Account ID is the root AWS account ID).
Error
[ InsufficientPermissionException ] [ Possible suggestions ] Service account must be present in management account with the required permissions. [ Error details ] Test Connection Failed: You don't have permissions to access this resource. (Service: AWSOrganizations; Status Code: 400; Error Code: AccessDeniedException; Request ID: <actual alpha-numerical request ID>)
If Manage All Accounts is selected and the service account is in one of the member AWS accounts, the test connection fails.
Resolution: Ensure the service account is created in the management AWS account with the required permissions.
Error
[InsufficientPermissionException] [Possible suggestions] Service account must be present in the management account with the required permissions. [Error details] Test Connection Failed: You don't have permissions to access this resource. (Service: AWSOrganizations; Status Code: 400; Error Code: AccessDeniedException; Request ID: 65fc15e5-7e90-11e8-9d6a-6fc388fd2d28)
If the service user is in a member AWS account, Test Connection fails.
Resolution: Ensure that the service user is created in the management account with the permissions required to manage organization entities.
If you do not want to manage the organization entities, remove them from the schema.
Error
When configuring a new Amazon Web Services source, the Test Connection fails with the following error message:
sailpoint.connector.ConnectionFailedException: [ ConnectionFailedException ] [ Error details ] Your account is not a member of an organization. (Service: AWSOrganizations; Status Code: 400; Error Code: AWSOrganizationsNotInUseException; Request ID: c8d77e54-ec98-11e8-b722-bb0efb7fc919)
If the service user is in a member AWS account, Test Connection fails.
Resolution: Ensure that the AWS account is a member of the AWS Organization that is to be managed.
Error
For upgraded sources with multiple group objects configured, work items are created when AWS Managed Policies, Customer Managed Policies, and Inline Policies are revoked from a user through certification.
Resolution: Remove NO_PERMISSIONS_PROVISIONING from the feature string in the Source XML.

Error
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that the required role is created in the specified AWS accounts and the user has required permissions. [ Error details ] Test connection failed for accounts [list of AWS account IDs] Failure Reason=Access denied (Service: AWSSecurityTokenService)
If Manage All Accounts is selected and the provided role is not present in one or more of the AWS accounts, the test connection fails.
Exception during aggregation. Reason:openconnector.InvalidRequestException: Aggregation is failed for following AWS Account Ids: [comma separated list of accounts]
Aggregation fails for the same reason.
Resolution: Ensure the role is created in all AWS accounts with the same name and with sufficient permissions.

[ InvalidConfigurationException ] [ Error details ] "Include AWS Account IDs" must be empty if "Manage All Accounts" is checked.
Include AWS Account IDs is populated and the Manage All Accounts checkbox is selected.
Resolution: The Include AWS Account IDs list must be empty if the Manage All Accounts checkbox is selected.

[ InvalidConfigurationException ] [ Error details ] Either "Manage All Accounts" is checked (with or without "Exclude AWS Account IDs") or "Include AWS Account IDs" must be populated.
Exclude AWS Account IDs is populated and the Manage All Accounts checkbox is not selected.
Resolution: Select the Manage All Accounts checkbox if Exclude AWS Account IDs is populated.

[ InvalidConfigurationException ] [ Error details ] Either "Manage All Accounts" is checked (with or without "Exclude AWS Account IDs") or "Include AWS Account IDs" must be populated.
Manage All Accounts is not selected and both the Include AWS Account IDs list and Exclude AWS Account IDs list are empty.
Resolution: Either Manage All Accounts (with or without Exclude AWS Account IDs) or Include AWS Account IDs must be populated.

sailpoint.connector.ConnectorException: Invalid provisioning request. Attribute AWS Account does not match the entitlement requested : arn:aws:iam::<AWS Account ID>:group/<IAM Group Name>
If the IAM groups in the access profile do not belong to the AWS account in which the IAM user is to be created, Create Account or Add Entitlement fails.
Resolution: Ensure that the access profile contains, as entitlements, only IAM groups from the same AWS account in which the IAM user is to be created.
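The check below is an added example, not SailPoint connector code: it parses the IAM group ARN format quoted in the error above and lists any entitlement whose account ID differs from the account the IAM user is being created in, so an access profile can be validated before a provisioning request is submitted. The sample ARNs and account IDs are constructed.

```python
"""Pre-flight check for 'Attribute AWS Account does not match the entitlement requested'.

Every IAM group entitlement in an access profile must belong to the AWS account in
which the IAM user will be created. Added example; not SailPoint connector code.
"""
import re
from typing import List, Tuple

# Format quoted in the error message: arn:aws:iam::<AWS Account ID>:group/<IAM Group Name>
# AWS account IDs are 12 digits; the group name may include a path (group/path/name).
IAM_GROUP_ARN = re.compile(r"^arn:aws:iam::(\d{12}):group/(.+)$")

# Constructed sample access profile: two groups in one account, one group in another.
SAMPLE_PROFILE = [
    "arn:aws:iam::111111111111:group/Developers",
    "arn:aws:iam::111111111111:group/ReadOnly",
    "arn:aws:iam::222222222222:group/Developers",
]


def parse_group_arn(arn: str) -> Tuple[str, str]:
    """Return (account_id, group_name); reject anything that is not an IAM group ARN."""
    match = IAM_GROUP_ARN.match(arn)
    if not match:
        raise ValueError(f"not an IAM group ARN: {arn!r}")
    return match.group(1), match.group(2)


def mismatched_entitlements(target_account_id: str, group_arns: List[str]) -> List[str]:
    """Group ARNs whose account ID differs from the account the IAM user is created in."""
    return [arn for arn in group_arns if parse_group_arn(arn)[0] != target_account_id]


def check_access_profile(target_account_id: str, group_arns: List[str]) -> None:
    """Raise with the offending ARNs, mirroring the connector's failure, else return."""
    bad = mismatched_entitlements(target_account_id, group_arns)
    if bad:
        raise ValueError(
            "Attribute AWS Account does not match the entitlement requested: " + ", ".join(bad)
        )


if __name__ == "__main__":
    # Creating the user in account 111111111111: the third group would make provisioning fail.
    print(mismatched_entitlements("111111111111", SAMPLE_PROFILE))
```

Run the check against the target account ID of the Create Account request; an empty list means every group entitlement lives in that account and the provisioning request will not be rejected for this reason.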

java.lang.RuntimeException: java.lang.InterruptedException: Timeout waiting for response
Exception during aggregation. Reason: java.lang.RuntimeException: An error occurred while aggregating Application <Source Name> [source-<Source ID>]
You may see this error while performing account aggregation or entitlement aggregation.
Resolution: Set the aggregateTimeout attribute using the REST API. Enter the time-out value in milliseconds.

sailpoint.connector.ConnectorException: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: f56b8ec5-1e7e-11e9-bab1-d124100fa000)
Error while creating an account.
Resolution: Ensure that the Account ID or ARN of the AWS account is correctly specified in the Account ID account attribute. For example:
arn:aws:organizations::441113549707:account/o-lqs5akk5dy/170915734915

sailpoint.connector.ConnectorException: Un-supported identity attribute for account
Resolution: The Account ID must be mapped to the ARN in the attribute schema.

Aggregation fails with the following error:
openconnector.ConnectionFailedException: [ ConnectionFailedException ] [ Error details ] Rate exceeded (Service: AmazonIdentityManagement; Status Code: 400; Error Code: Throttling; Request ID: <id>)]
Resolution: Configure the throttling setting and raise its value as required, within the API limit allowed by AWS.

Exception during aggregation of Object Type InlinePolicy on Application AWSDemo1 [source]. Reason: java.lang.RuntimeException: An error occurred while aggregating Application 'ApplicationName' [source]
This occurs during entitlement aggregation when multiple group objects are supported.
Resolution: Set the aggregateTimeout attribute with a value in milliseconds (300, 1000) using the REST API:
POST <url>/cc/api/source/update/<sourceID>
<url>: The URL for the customer's Identity Security Cloud instance
<sourceID>: The Source ID (number) obtained through the UI
In the body of the POST, use form-data as follows:
Key: connector_aggregateTimeout
Value: the time-out value in milliseconds (300, 1000)
Confirmation: Search for the "aggregateTimeout" attribute using the endpoint
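As an added example (not SailPoint's own client code), the following builds and sends the POST described above with the standard library only, so the multipart form-data body that carries connector_aggregateTimeout is visible rather than hidden behind a client library. The base URL, source ID and token are placeholders, and the Bearer Authorization header is an assumption about how the call is authenticated; the value is validated as a positive integer because the attribute is in milliseconds.

```python
"""Set connector_aggregateTimeout on a source via POST <url>/cc/api/source/update/<sourceID>.

Added example, not SailPoint code. ISC_URL, SOURCE_ID and ISC_TOKEN are placeholders;
bearer-token authentication is an assumption.
"""
import urllib.request
import uuid
from typing import Dict

# Placeholders: replace with the tenant URL, the Source ID from the UI, and a valid token.
ISC_URL = "https://example.invalid"
SOURCE_ID = 12345
ISC_TOKEN = "REPLACE_ME"


def validate_timeout_ms(value) -> int:
    """The attribute is a time-out in milliseconds: only positive integers make sense."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"timeout must be a positive integer number of milliseconds, got {value!r}")
    return value


def encode_form_data(fields: Dict[str, str], boundary: str) -> bytes:
    """Build a multipart/form-data body: one part per key, each with its own disposition."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f"{value}\r\n"
        )
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode("utf-8")


def build_update_request(base_url: str, source_id: int, timeout_ms: int, token: str) -> urllib.request.Request:
    """Assemble the POST without sending it, so it can be inspected or tested offline."""
    boundary = uuid.uuid4().hex
    body = encode_form_data(
        {"connector_aggregateTimeout": str(validate_timeout_ms(timeout_ms))}, boundary
    )
    req = urllib.request.Request(
        f"{base_url}/cc/api/source/update/{source_id}", data=body, method="POST"
    )
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    req.add_header("Authorization", f"Bearer {token}")  # assumption: bearer-token auth
    return req


def set_aggregate_timeout(base_url: str, source_id: int, timeout_ms: int, token: str) -> int:
    """Send the request and return the HTTP status; raises urllib.error.HTTPError on 4xx/5xx."""
    with urllib.request.urlopen(build_update_request(base_url, source_id, timeout_ms, token)) as resp:
        return resp.status


if __name__ == "__main__":
    # With real placeholders filled in, this sets the time-out to 1000 ms on the source.
    print(set_aggregate_timeout(ISC_URL, SOURCE_ID, 1000, ISC_TOKEN))
```

After a successful call, confirm the change by searching for the aggregateTimeout attribute as the resolution above describes; a 4xx response from urlopen surfaces as an HTTPError whose body usually names the rejected field.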

Error
Tags are not aggregated for Role after upgrade.
Resolution: Ensure the updateRole provisioning policy is configured for the application with the Tags attribute set to readOnly="true":
    <Field displayName="con_prov_policy_AWS_Role_Tags" helpKey="help_con_form_AWS_Role_Tags" name="Tags" reviewRequired="true" type="string">
      <Attributes>
        <Map>
          <entry key="readOnly" value="true"/>
        </Map>
      </Attributes>
    </Field>

Creating a user inline policy does not support large JSON policy documents. The system displays the following error:
An unexpected error occurred: org.hibernate.exception.DataException: could not execute statement
Resolution: Complete one of the following:
- Split the policy JSON into smaller chunks of content.
- Create a group inline policy and attach that group to the user.
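The splitter below is an added example, not SailPoint code, for the first resolution: it packs the statements of one IAM policy document into several smaller policy documents that each stay under a byte budget, so each can be created as its own inline policy. The sample policy and the budget are constructed for the demo (the page gives no size limit), and a single statement that alone exceeds the budget is reported rather than silently dropped.

```python
"""Split an IAM policy document into smaller policy documents under a byte budget.

Added example for the 'could not execute statement' failure above; not SailPoint code.
The 400-byte budget used in the demo is constructed, not a limit stated by the product.
"""
import json
from typing import Dict, List

DEFAULT_VERSION = "2012-10-17"


def policy_size(statements: List[Dict], version: str = DEFAULT_VERSION) -> int:
    """Byte size of a compact-JSON policy document built from these statements."""
    doc = {"Version": version, "Statement": statements}
    return len(json.dumps(doc, separators=(",", ":")).encode("utf-8"))


def split_policy(policy: Dict, max_bytes: int) -> List[Dict]:
    """Greedily pack statements, in order, into policy documents no larger than max_bytes."""
    version = policy.get("Version", DEFAULT_VERSION)
    statements = policy["Statement"]
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    chunks: List[List[Dict]] = []
    current: List[Dict] = []
    for stmt in statements:
        if policy_size([stmt], version) > max_bytes:
            # The statement itself would need to be rewritten; refuse rather than drop it.
            raise ValueError(f"statement {stmt.get('Sid', '<no Sid>')} alone exceeds {max_bytes} bytes")
        if current and policy_size(current + [stmt], version) > max_bytes:
            chunks.append(current)
            current = []
        current.append(stmt)
    if current:
        chunks.append(current)
    return [{"Version": version, "Statement": chunk} for chunk in chunks]


# Constructed sample: six read-only statements, one per bucket (about 155 bytes each).
SAMPLE_POLICY = {
    "Version": DEFAULT_VERSION,
    "Statement": [
        {
            "Sid": f"Bucket{i}",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::example-bucket-{i}", f"arn:aws:s3:::example-bucket-{i}/*"],
        }
        for i in range(6)
    ],
}


if __name__ == "__main__":
    # With a 400-byte budget two statements fit per document, so six statements become three.
    for i, doc in enumerate(split_policy(SAMPLE_POLICY, 400)):
        print(f"part {i}: {policy_size(doc['Statement'])} bytes, Sids {[s['Sid'] for s in doc['Statement']]}")
```

Each returned document is a complete, valid policy on its own, and the statements keep their original order, so the parts can be created as separate inline policies without changing the combined effect.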