Troubleshoot entitlement analysis

Learn how to troubleshoot entitlement analysis and discovery issues for new and existing jobs.

Error message

failed to discover aws rds resources, for analysis ID xxxxxx with connection ID xxxxx in Team xxxx, error: error paginating list of RDS DB instances for account xxxxx and region af-south-1: operation error RDS: DescribeDBInstances failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: xxxxx, api error AccessDenied: User: arn:aws:sts::xxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxx:role/OktaPAMResourcesReadOnlyRole

Possible resolution

  • Ensure that the fixed role in each AWS member account is configured with a trust policy that includes the External ID of the Okta AWS account that was used to connect to your management AWS account. The trust policy principal should also refer to the ARN of the integration role in your AWS management account.

  • Verify that the policy attached to the integration role contains the correct ARN of the OktaPAMResourcesReadOnly role in all your member accounts.

Error message

failed to build aws client with role: arn:aws:iam::XXXXX:role/XXXXX and externalId: XXXXX for the Team: XXXXXX

Possible resolution

  • Verify that the integration role is configured with the correct External ID from the Okta Privileged Access connection setup screen.

Error message

failed to discover aws rds resources, for analysis ID xxxx with connection ID xxxx in Team xxx, error: error paginating list of RDS DB instances for account xxx and region xxx: operation error RDS: DescribeDBInstances, https response error StatusCode: 403, RequestID: xxx, api error AccessDenied: User: arn:aws:sts::xxxx:assumed-role/xxx is not authorized to perform: rds:DescribeDBInstances on resource: arn:aws:rds:xxx:* because no identity-based policy allows the rds:DescribeDBInstances action

Possible resolution

  • Verify that the discovery role in your member accounts (OktaPAMResourcesReadOnly role) has permission to call RDS APIs.
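The three errors above correspond to three IAM documents in the cross-account chain: the member role's trust policy (who may assume it, gated by an External ID), the integration role's permission policy (may it call sts:AssumeRole on each member role ARN), and the member role's permission policy (may it call rds:DescribeDBInstances). The script below is an added example, not Okta's or AWS's code, that checks those three documents offline before you re-run an analysis. The account IDs, the External ID, the integration role name OktaPAMIntegrationRole and the sample policy documents are constructed placeholders; only the member role name OktaPAMResourcesReadOnlyRole comes from the error messages on this page.

```python
"""Offline sanity checks for the IAM documents behind the three errors above.
All sample values are constructed placeholders, not from a real deployment."""
import fnmatch

MGMT_ACCOUNT = "111111111111"        # constructed placeholder
MEMBER_ACCOUNT = "222222222222"      # constructed placeholder
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"  # placeholder for the value on the connection setup screen
# Integration role name is hypothetical; the member role name is the one in the errors.
INTEGRATION_ROLE_ARN = f"arn:aws:iam::{MGMT_ACCOUNT}:role/OktaPAMIntegrationRole"
MEMBER_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/OktaPAMResourcesReadOnlyRole"

# Member-account role trust policy: principal is the integration role, gated by External ID.
MEMBER_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": INTEGRATION_ROLE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}
# Management-account integration role permission policy: may assume each member role.
INTEGRATION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [MEMBER_ROLE_ARN]}],
}
# Member-account role permission policy: read-only RDS discovery.
MEMBER_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["rds:DescribeDBInstances"], "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(doc):
    # Explicit Deny statements are deliberately ignored here; they can still block access.
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]


def _action_matches(patterns, action):
    """Action names match case-insensitively and may use '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _arn_matches(patterns, arn):
    return any(fnmatch.fnmatchcase(arn, p) for p in patterns)


def check_member_trust_policy(doc, integration_role_arn, external_id):
    """Findings behind 'not authorized to perform: sts:AssumeRole on resource: ...'."""
    for stmt in _allow_statements(doc):
        if not _action_matches(_as_list(stmt.get("Action")), "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        findings = []
        if integration_role_arn not in principals:
            findings.append("principal does not name the integration role ARN")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition on the AssumeRole statement")
        elif external_id not in _as_list(ext):
            findings.append("sts:ExternalId does not match the value from the connection setup")
        return findings
    return ["no Allow statement for sts:AssumeRole in the trust policy"]


def check_integration_role_policy(doc, member_role_arns):
    """Findings for the management-account side: AssumeRole must be allowed on every member role."""
    return [
        f"integration role policy does not allow sts:AssumeRole on {arn}"
        for arn in member_role_arns
        if not any(_action_matches(_as_list(s.get("Action")), "sts:AssumeRole")
                   and _arn_matches(_as_list(s.get("Resource")), arn)
                   for s in _allow_statements(doc))
    ]


def check_member_permission_policy(doc, required_actions):
    """Findings behind 'no identity-based policy allows the rds:DescribeDBInstances action'."""
    return [
        f"member role has no Allow for {action}"
        for action in required_actions
        if not any(_action_matches(_as_list(s.get("Action")), action) for s in _allow_statements(doc))
    ]


def run_all():
    """Run all three checks over the sample documents; an empty list means no findings."""
    return (check_member_trust_policy(MEMBER_TRUST_POLICY, INTEGRATION_ROLE_ARN, EXTERNAL_ID)
            + check_integration_role_policy(INTEGRATION_ROLE_POLICY, [MEMBER_ROLE_ARN])
            + check_member_permission_policy(MEMBER_PERMISSION_POLICY, ["rds:DescribeDBInstances"]))


if __name__ == "__main__":
    for line in run_all() or ["all checks passed"]:
        print(line)
```

To use it against a real deployment, replace the sample dicts with the documents returned by `aws iam get-role` (trust policy) and `aws iam get-role-policy` or `get-policy-version` (permission policies) and pass the External ID shown on the connection setup screen. The checker only evaluates Allow statements and identity-based policies; an explicit Deny, a service control policy or a permission boundary can still produce the same 403 even when every check here passes.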

Related topics

Entitlement analysis

Cloud infrastructure entitlements