Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

Error
[InsufficientPermissionException] [Possible suggestions] Service account must be present in the management account with the required permissions. [Error details] Test Connection Failed: You don't have permissions to access this resource. (Service: AWSOrganizations; Status Code: 400; Error Code: AccessDeniedException; Request ID: 65fc15e5-7e90-11e8-9d6a-6fc388fd2d28)
Cause: The service user was created in a member AWS account rather than in the Organizations management account, so Test Connection fails.
Resolution: Ensure that the service user is created in the management account with the permissions required to manage organization entities.
If you do not want to manage the Organization entities, remove them from the schema.
Error
When configuring a new Amazon Web Services source, the Test Connection fails with the following error message:
sailpoint.connector.ConnectionFailedException: [ ConnectionFailedException ] [ Error details ] Your account is not a member of an organization. (Service: AWSOrganizations; Status Code: 400; Error Code: AWSOrganizationsNotInUseException; Request ID: c8d77e54-ec98-11e8-b722-bb0efb7fc919)
Cause: The AWS account that holds the service user is not a member of an AWS Organization, so the Organizations calls made by Test Connection fail.
Resolution: Ensure that the AWS account is a member of the AWS Organization that is to be managed.
Error
For upgraded sources on which multiple group objects are configured, work items are created when AWS Managed Policies, Customer Managed Policies, and Inline Policies are revoked from a user through certification.
Resolution: Remove NO_PERMISSIONS_PROVISIONING from the feature string in the Source XML.

Error
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure that the required role is created in the specified AWS accounts and the user has required permissions. [ Error details ] Test connection failed for accounts [list of AWS account IDs] Failure Reason=Access denied (Service: AWSSecurityTokenService)
Cause: Manage All Accounts is selected, and the specified role is not present in one or more of the AWS accounts, so the test connection fails.
Exception during aggregation. Reason:openconnector.InvalidRequestException: Aggregation is failed for following AWS Account Ids: [comma separated list of accounts]
Cause: Aggregation fails for the listed accounts for the same reason.
Resolution: Ensure that the role is created in every AWS account with the same name and with sufficient permissions.
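The two Organizations errors above and the STS access-denied errors for member accounts all reduce to two questions: is the service user in the management account, and does a role of the configured name exist (and trust the service user) in every account? The following script is an added example, not SailPoint connector code, that answers both before you run Test Connection. It compares the caller's account with the organization's management account, maps the two Organizations error codes quoted on this page to their causes, and attempts sts:AssumeRole for the role name in every ACTIVE account, reporting the accounts that refuse. The AWS calls are isolated behind client objects so the logic can be exercised with fakes; run_live() needs boto3 and the service user's credentials. The default role name, the session name and the 900-second duration are assumptions.

```python
"""Pre-flight checks for the credentials behind a SailPoint AWS source.

Added example, not SailPoint connector code. It mirrors the access model this
page describes: the service user must sit in the Organizations management
account, and the connector assumes a role with one fixed name in every member
account. The AWS calls go through small client objects so the checks can be
unit-tested with fakes; run_live() needs boto3 and real credentials.
"""
from dataclasses import dataclass, field

# Error codes quoted on this page, mapped to what they mean for the service user.
ORG_ERROR_HINTS = {
    "AWSOrganizationsNotInUseException":
        "the caller's account is not a member of an AWS Organization",
    "AccessDeniedException":
        "the service user is in a member account or lacks organizations:Describe*/List*",
}


def error_code(exc: Exception) -> str:
    """AWS error code from a botocore ClientError (or any exception with .response)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)


@dataclass
class PreflightReport:
    caller_account: str = ""
    management_account: str = ""
    org_problem: str = ""                                  # human-readable cause, if any
    failed_accounts: dict = field(default_factory=dict)    # account id -> error code

    @property
    def in_management_account(self) -> bool:
        return bool(self.management_account) and self.caller_account == self.management_account

    @property
    def ok(self) -> bool:
        return not self.org_problem and self.in_management_account and not self.failed_accounts


def check_organization(sts, orgs) -> PreflightReport:
    """Confirm the caller's account is the management account of an active organization."""
    report = PreflightReport(caller_account=sts.get_caller_identity()["Account"])
    try:
        org = orgs.describe_organization()["Organization"]
    except Exception as exc:  # botocore raises ClientError; kept generic for the fakes
        code = error_code(exc)
        report.org_problem = ORG_ERROR_HINTS.get(code, f"DescribeOrganization failed: {code}")
        return report
    report.management_account = org["MasterAccountId"]  # API field name for the management account
    if not report.in_management_account:
        report.org_problem = (f"service user is in member account {report.caller_account}; "
                              f"management account is {report.management_account}")
    return report


def check_role_in_accounts(sts, account_ids, role_name, report=None) -> PreflightReport:
    """Try to assume <role_name> in every account and record the ones that refuse."""
    if report is None:
        report = PreflightReport()
    for acct in account_ids:
        arn = f"arn:aws:iam::{acct}:role/{role_name}"
        try:
            # Session name and duration are arbitrary (assumption); 900 s is the STS minimum.
            sts.assume_role(RoleArn=arn, RoleSessionName="sailpoint-preflight", DurationSeconds=900)
        except Exception as exc:
            report.failed_accounts[acct] = error_code(exc)
    return report


def list_active_accounts(orgs) -> list:
    """Ids of all ACTIVE accounts in the organization, following NextToken pagination."""
    ids, token = [], None
    while True:
        page = orgs.list_accounts(**({"NextToken": token} if token else {}))
        ids += [a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE"]
        token = page.get("NextToken")
        if not token:
            return ids


def run_live(role_name: str) -> PreflightReport:
    """Run both checks against AWS with the ambient credentials (needs boto3)."""
    import boto3  # imported here so the offline checks above need no SDK
    sts, orgs = boto3.client("sts"), boto3.client("organizations")
    report = check_organization(sts, orgs)
    if report.org_problem:
        return report
    return check_role_in_accounts(sts, list_active_accounts(orgs), role_name, report)


if __name__ == "__main__":
    import sys
    # Role name is an assumption; pass the one configured on the source.
    r = run_live(sys.argv[1] if len(sys.argv) > 1 else "SailPointAggregationRole")
    print("OK" if r.ok else f"org problem: {r.org_problem!r}; failing accounts: {r.failed_accounts}")
```

Run it with the service user's access keys exported in the environment and the role name as the first argument. An AccessDenied entry for an account means either the role does not exist there under that name or its trust policy does not trust the management account; both produce the STS errors shown above.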

sailpoint.connector.ConnectorException: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: f56b8ec5-1e7e-11e9-bab1-d124100fa000)
Error while creating an account.
Resolution: Ensure that the Account ID or ARN of the AWS account is specified correctly in the Account ID attribute of the account. For example:
arn:aws:organizations::441113549707:account/o-lqs5akk5dy/170915734915

sailpoint.connector.ConnectorException: Un-supported identity attribute for account
Resolution: The Account ID must be mapped to the ARN in the account attribute schema.

Aggregation fails with the following error:
openconnector.ConnectionFailedException: [ ConnectionFailedException ] [ Error details ] Rate exceeded (Service: AmazonIdentityManagement; Status Code: 400; Error Code: Throttling; Request ID: <id>)]
Resolution: Configure the source's throttling setting with a higher value, as required and within the API rate limit that AWS allows.

Exception during aggregation of Object Type InlinePolicy on Application AWSDemo1 [source]. Reason: java.lang.RuntimeException: An error occurred while aggregating Application 'ApplicationName' [source]
Occurs during entitlement aggregation when multiple group objects are supported.
Resolution: Set the aggregate_timeout attribute to a value in milliseconds (such as 300 or 1000) using the REST API:
POST <url>/cc/api/source/update/<sourceID>
<url>: The URL of the customer's Identity Security Cloud instance
<sourceID>: The Source ID (number) obtained through the UI
In the body of the POST, use form-data as follows:
Key: connector_aggregateTimeout
Value: The time-out value in milliseconds (such as 300 or 1000)
Confirmation: Search for the "aggregateTimeout" attribute using the endpoint.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

Error
Tags are not aggregated for Role after upgrade.
Resolution: Ensure that the updateRole provisioning policy is configured for the application with the Tags attribute set to readOnly="true":
<Field displayName="con_prov_policy_AWS_Role_Tags" helpKey="help_con_form_AWS_Role_Tags" name="Tags" reviewRequired="true" type="string">
  <Attributes>
    <Map>
      <entry key="readOnly" value="true"/>
    </Map>
  </Attributes>
</Field>

Resolution: Use the following API call to increase the health check timeout to 60 seconds:
PATCH https://{tenant}.api.identitynow.com/v3/sources/{id}
Content-Type: application/json-patch+json
Body:
[
  {
    "op": "add",
    "path": "/connectorAttributes/healthCheckTimeout",
    "value": 60
  }
]

Error: You don't have permissions to access this resource. (Service: AWSOrganizations; Status Code: 400; Error Code: AccessDeniedException; Request ID: a90d35bd-9832-4211-9e7a-1f966063b642; Proxy: null)
Resolution: The service account must be present in the management account with the required permissions.
The permissions should be:
{
  "Statement": [
    {
      "Action": [
        "iam:ListUsers",
        "iam:ListUserTags",
        "iam:ListUserPolicies",
        "iam:ListSigningCertificates",
        "iam:ListServiceSpecificCredentials",
        "iam:ListSSHPublicKeys",
        "iam:ListRoles",
        "iam:ListRoleTags",
        "iam:ListRolePolicies",
        "iam:ListPolicyTags",
        "iam:ListPolicies",
        "iam:ListMFADevices",
        "iam:ListGroupsForUser",
        "iam:ListGroups",
        "iam:ListGroupPolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAccountAliases",
        "iam:ListAccessKeys",
        "iam:GetUserPolicy",
        "iam:GetUser",
        "iam:GetRolePolicy",
        "iam:GetRole",
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "iam:GetLoginProfile",
        "iam:GetGroupPolicy",
        "iam:GetGroup",
        "iam:GetAccessKeyLastUsed"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "SPAggregationPolicy"
    },
    {
      "Action": [
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource",
        "organizations:ListRoots",
        "organizations:ListPoliciesForTarget",
        "organizations:ListPolicies",
        "organizations:ListParents",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:DescribePolicy",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "SPOrganizationPolicy"
    }
  ],
  "Version": "2012-10-17"
}
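To verify that the policies actually attached to the service user cover the list above, and that they grant nothing beyond this read-only set, the following is an added Python helper, not SailPoint code. REQUIRED_ACTIONS is copied from the policy above; missing_actions() reports every required action that no Allow statement on Resource "*" covers (wildcards such as iam:List* are honoured), and over_broad_patterns() flags wildcard or non-read grants as the least-privilege check. attached_policy_documents() is the only function that calls AWS (it needs boto3); it reads the user's inline and attached managed policies, not policies inherited from groups, and does not paginate, so treat it as a starting point. One caveat the page's policy does not state: it contains no sts:AssumeRole. When the source reaches member accounts through an assumed role (the STS errors earlier on this page), the service user's identity policy must also allow sts:AssumeRole on those roles and each role's trust policy must trust the management account, so the checker treats sts:AssumeRole as expected rather than over-broad. The IAM user name passed on the command line is an assumption.

```python
"""Compare the IAM policies attached to the SailPoint service user with the
read-only action set listed above.

Added example, not SailPoint code. REQUIRED_ACTIONS is copied from the policy
on this page. Only attached_policy_documents() talks to AWS (needs boto3); the
comparison functions are pure and run offline.
"""
from fnmatch import fnmatchcase

REQUIRED_ACTIONS = """
iam:ListUsers iam:ListUserTags iam:ListUserPolicies iam:ListSigningCertificates
iam:ListServiceSpecificCredentials iam:ListSSHPublicKeys iam:ListRoles iam:ListRoleTags
iam:ListRolePolicies iam:ListPolicyTags iam:ListPolicies iam:ListMFADevices
iam:ListGroupsForUser iam:ListGroups iam:ListGroupPolicies iam:ListEntitiesForPolicy
iam:ListAttachedUserPolicies iam:ListAttachedRolePolicies iam:ListAttachedGroupPolicies
iam:ListAccountAliases iam:ListAccessKeys
iam:GetUserPolicy iam:GetUser iam:GetRolePolicy iam:GetRole iam:GetPolicyVersion
iam:GetPolicy iam:GetLoginProfile iam:GetGroupPolicy iam:GetGroup iam:GetAccessKeyLastUsed
organizations:ListTargetsForPolicy organizations:ListTagsForResource organizations:ListRoots
organizations:ListPoliciesForTarget organizations:ListPolicies organizations:ListParents
organizations:ListOrganizationalUnitsForParent organizations:ListAccountsForParent
organizations:ListAccounts organizations:DescribePolicy organizations:DescribeOrganizationalUnit
organizations:DescribeOrganization organizations:DescribeAccount
""".split()

# Prefixes of the read-only calls this page requires. sts:AssumeRole is accepted as
# well because reaching roles in member accounts needs it (it is not in the policy above).
READ_ONLY_PREFIXES = ("iam:list", "iam:get", "organizations:list", "organizations:describe")
EXPECTED_EXACT = {"sts:assumerole"}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def allowed_patterns(policy_docs):
    """Action patterns granted by Allow statements whose Resource includes "*".

    Deny statements, Conditions and NotAction grants are not modelled. The connector
    enumerates every IAM entity, so a grant scoped to a single ARN does not count.
    """
    patterns = []
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue
            if "*" not in _as_list(stmt.get("Resource", [])):
                continue
            # IAM action names are case-insensitive, so compare in lower case.
            patterns += [p.lower() for p in _as_list(stmt["Action"])]
    return patterns


def missing_actions(policy_docs, required=REQUIRED_ACTIONS):
    """Required actions that no allowed pattern (wildcards honoured) covers."""
    patterns = allowed_patterns(policy_docs)
    return sorted(a for a in required
                  if not any(fnmatchcase(a.lower(), p) for p in patterns))


def over_broad_patterns(policy_docs):
    """Grants outside the read-only set: the least-privilege check."""
    flagged = {p for p in allowed_patterns(policy_docs)
               if not p.startswith(READ_ONLY_PREFIXES) and p not in EXPECTED_EXACT}
    return sorted(flagged)


def attached_policy_documents(user_name):
    """Inline plus attached managed policy documents of an IAM user (needs boto3).

    Group-inherited policies and pagination are not handled here.
    """
    import boto3
    iam = boto3.client("iam")
    docs = [iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
            for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]]
    for attached in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        arn = attached["PolicyArn"]
        version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        docs.append(iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"])
    return docs


if __name__ == "__main__":
    import sys
    docs = attached_policy_documents(sys.argv[1])  # IAM user name of the service account (assumption)
    print("missing:", missing_actions(docs))
    print("over-broad:", over_broad_patterns(docs))
```

An empty "missing" list with a non-empty "over-broad" list is the common finding: the account works, but the service user carries more than the aggregation needs. Trim the extra grants rather than accept them, since the connector only reads.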