14 changes: 10 additions & 4 deletions runbooks/source/debugging-aws-console-access.html.md.erb
@@ -1,7 +1,7 @@
---
title: Debugging AWS Console read-only access issues
weight: 8605
last_reviewed_on: 2024-08-07
last_reviewed_on: 2025-02-14
review_in: 6 months
---

@@ -20,7 +20,15 @@ Unable to validate tags (Service: AWSSecurityToken; Status Code: 400; Error Code
The cause of this issue has frequently been identified as a result of a user belonging to enough GitHub teams (or those with especially long names) that result in the total
length of the Principal Tag exceeding the 256 character limit, as documented [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)

In order to confirm whether this is the cause, request the user to grab a SAML response from their browser session by following the steps provided in [this link](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html)
## Mitigation

We now have a service running in the cluster which should alleviate this issue to a degree. [This service](https://github.com/ministryofjustice/cloud-platform-github-teams-filter) works by checking the user's Github team membership against the teams registered via RBAC resources in the Cloud Platform namespaces. Any that aren't registered with the cluster are filtered out, reducing the total character count.

The following debugging steps are those that we have used until now to confirm the teams issue:

## Debugging

In order to confirm whether the character count issue is the cause of the error, request the user to grab a SAML response from their browser session by following the steps provided in [this link](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html)

Ask the user to provide you with their base64 decoded SAML response, and check the character count for the contents of the `PrincipalTag:GithubTeam` tag.

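Review bot: The sentence "The following debugging steps are those that we have used until now to confirm the teams issue:" ends in a colon and is then followed by the `## Debugging` heading, so it reads as a dangling lead-in to a heading; either move it under `## Debugging` as the opening sentence or drop it, since the Debugging section already explains its own purpose. Two smaller points in the same hunk: "checking the user's Github team membership" should be "GitHub" to match the rest of the runbook, and "should alleviate this issue to a degree" leaves the reader guessing when the mitigation is not enough. State the limit plainly: the filter only removes teams that are not registered via RBAC in a Cloud Platform namespace, so a user whose registered teams alone push the `PrincipalTag:GithubTeam` value past 256 characters will still see the `Unable to validate tags` error, and the Debugging steps below still apply to them.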
@@ -35,5 +43,3 @@ $ printf ":github-team-1:github-team-2:" | wc -c
```

If the character count exceeds 256, you will need to ask the user to review their GitHub team membership, and remove themselves from any teams that are no longer required.

At this time, there is no other workaround for this issue.
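Review bot: Deleting "At this time, there is no other workaround for this issue." is correct now that the Mitigation section exists, but the surviving instruction "remove themselves from any teams that are no longer required" is now incomplete. The filter service described above already drops teams that are not registered with the cluster, so leaving those teams will not shorten the tag; the advice should tell the user to leave teams that are registered via RBAC in the Cloud Platform namespaces and that they no longer need, since those are the ones still contributing to the character count. Consider also adding a cross-reference back to the Mitigation section here, so a reader who lands on the 256-character check knows the filter is expected to be running before they start asking users to leave teams.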