Aws Cloud account status shows the error "Authentication failed. Invalid External ID or Prisma Cloud account not found in Trusted entities"


Created On 04/21/22 00:54 AM - Last Modified 04/17/24 15:35 PM


Symptom


Aws Cloud account status shows the error "Authentication failed. Invalid External ID or Prisma Cloud account not found in Trusted entities"


Environment


  • Prisma Cloud
  • Amazon web services (Aws)
  • Onboarding
  • Cloud Accounts


Cause


This error can appear on the AWS Organizations management (master) account, on member accounts, or on a single AWS account.
Any of the following can cause it:
  1. Invalid External ID
  2. Prisma Cloud account not found in Trusted entities
  3. Invalid Role Name
  4. Invalid Role ARN


Resolution


The resolution steps differ by cloud setup. Follow the section that matches the account showing the error, e.g. if the status error appears on the AWS ORG Master account, follow "Resolution steps if cloud account error shows only on AWS ORG Master Account".

  • Resolution steps if cloud account error shows only on AWS ORG Master Account
  • Resolution steps if cloud account error shows only on AWS ORG Member's Cloud Accounts
  • Resolution steps if cloud account error shows only on Single AWS Cloud Account


Resolution steps if cloud account error shows only on AWS ORG Master Account:

If this error appears on the AWS ORG Master Account, follow the steps below:

  1. Log in to the AWS Organizations management (root) account
  2. Go to IAM > Roles and select the role created for Prisma Cloud
  3. Make sure the role's ARN matches the AWS Master Role ARN entered in Prisma Cloud
  4. Open IAM > Roles > your Prisma Cloud role > Trust relationships
  5. Make sure the External ID in the trust policy (the sts:ExternalId condition) matches the AWS Master External ID entered in Prisma Cloud
  6. Make sure the Prisma Cloud account is listed under Trusted entities
The Prisma Cloud account to expect depends on the AWS partition the account is in:
  • AWS Public Cloud: "arn:aws:iam::188619942792:root"
  • AWS GovCloud: "arn:aws-us-gov:iam::342570144056:root"
  • China AWS: "arn:aws-cn:iam::211784309483:root"
If any of these do not match, rerun the CloudFormation stack (CloudFormation > Stacks) in the AWS Root/Management account:
  • Follow Steps 1 to 4 in the Docs

After the stack has been rerun, update the account in Prisma Cloud:
  1. Go to Prisma Cloud Console > Settings > Cloud Accounts
  2. Click the Edit button under Action for your Cloud Account
  3. Click the Pencil button to edit the Cloud Account
  4. Complete the information from the Overview step through the Status step on the Edit Cloud Account page, then click Done
  5. If the same error still shows, the status may take up to 24 hours to update


Resolution steps if cloud account error shows only on AWS ORG Member's Cloud Accounts:

If this error appears on an AWS ORG Member's Account, follow the steps below:
  1. Log in to the AWS member account
  2. Go to IAM > Roles and select the role created for Prisma Cloud
  3. Make sure the role name is the Master Role Name entered in Prisma Cloud with the suffix -member
     Example: Master Role Name: PrismaCloudORGNewRole
              Member Role Name: PrismaCloudORGNewRole-member
  4. Open IAM > Roles > your Prisma Cloud role > Trust relationships
  5. Make sure the External ID in the trust policy (the sts:ExternalId condition) matches the External ID entered in Prisma Cloud
  6. Make sure the Prisma Cloud account is listed under Trusted entities
The Prisma Cloud account to expect depends on the AWS partition the account is in:
  • AWS Public Cloud: "arn:aws:iam::188619942792:root"
  • AWS GovCloud: "arn:aws-us-gov:iam::342570144056:root"
  • China AWS: "arn:aws-cn:iam::211784309483:root"
If any of these do not match, rerun the CloudFormation StackSet (CloudFormation > StackSets) in the AWS Root/Management account, since the member roles are deployed from there:
  • Follow Step 2 in the Docs

After the StackSet has been rerun, update the account in Prisma Cloud:
  1. Go to Prisma Cloud Console > Settings > Cloud Accounts
  2. Click the Edit button under Action for your Cloud Account
  3. Click the Pencil button to edit the Cloud Account
  4. Complete the information from the Overview step through the Status step on the Edit Cloud Account page, then click Done
  5. If the same error still shows, the status may take up to 24 hours to update


Resolution steps if cloud account error shows only on Single AWS Cloud Account:

If this error appears on a single AWS Account, follow the steps below:

  1. Log in to the AWS account being onboarded
  2. Go to IAM > Roles and select the role created for Prisma Cloud
  3. Make sure the role's ARN matches the Role ARN entered in Prisma Cloud
  4. Open IAM > Roles > your Prisma Cloud role > Trust relationships
  5. Make sure the External ID in the trust policy (the sts:ExternalId condition) matches the External ID entered in Prisma Cloud
  6. Make sure the Prisma Cloud account is listed under Trusted entities
The Prisma Cloud account to expect depends on the AWS partition the account is in:
  • AWS Public Cloud: "arn:aws:iam::188619942792:root"
  • AWS GovCloud: "arn:aws-us-gov:iam::342570144056:root"
  • China AWS: "arn:aws-cn:iam::211784309483:root"
If any of these do not match, rerun the CloudFormation stack (CloudFormation > Stacks) in that AWS account:
  • Follow Steps 1 to 4 in the Docs

After the stack has been rerun, update the account in Prisma Cloud:
  1. Go to Prisma Cloud Console > Settings > Cloud Accounts
  2. Click the Edit button under Action for your Cloud Account
  3. Click the Pencil button to edit the Cloud Account
  4. Complete the information from the Overview step through the Status step on the Edit Cloud Account page, then click Done
  5. If the same error still shows, the status may take up to 24 hours to update
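One way to run the checks from the three procedures above (role ARN, role name, External ID, Prisma Cloud account in Trusted entities) against a role document, as an added example that is not part of this article and not Palo Alto Networks code. It takes the "Role" object that `aws iam get-role --role-name <name> --query Role` returns; the embedded role, the account ID 111122223333 and both External ID values are constructed, and the values you compare against are the ones shown on the Edit Cloud Account page in Prisma Cloud:

```python
"""Offline check of a Prisma Cloud onboarding role against what Prisma Cloud expects.

Added example, not Palo Alto Networks code. `role` has the shape of the "Role"
object returned by `aws iam get-role`; a constructed sample is embedded below so
the script runs without AWS access.
"""
import json
import re

# Prisma Cloud trusted principals from the article, keyed by AWS partition.
PRISMA_PRINCIPALS = {
    "aws": "arn:aws:iam::188619942792:root",
    "aws-us-gov": "arn:aws-us-gov:iam::342570144056:root",
    "aws-cn": "arn:aws-cn:iam::211784309483:root",
}

ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::\d{12}:role/(.+)$")


def _as_list(value):
    """IAM allows Principal.AWS, Action and condition values to be a string or a list."""
    return value if isinstance(value, list) else [value]


def expected_member_role_name(master_role_name):
    """Org member accounts use the master role name with a -member suffix."""
    return master_role_name + "-member"


def check_role(role, expected_role_arn, expected_external_id, expected_role_name=None):
    """Return a list of findings; an empty list means the role matches Prisma Cloud.

    Covers the four causes the article lists: role ARN, role name (when an
    expected name is given), External ID, and the Prisma Cloud principal for the
    role's partition appearing in the trust policy.
    """
    findings = []
    match = ROLE_ARN_RE.match(role.get("Arn", ""))
    if not match:
        return ["Role ARN is not an IAM role ARN: %r" % role.get("Arn")]
    partition, role_name = match.groups()

    if role["Arn"] != expected_role_arn:
        findings.append("Invalid Role ARN: AWS has %s, Prisma Cloud has %s"
                        % (role["Arn"], expected_role_arn))
    if expected_role_name is not None and role_name != expected_role_name:
        findings.append("Invalid Role Name: %s (expected %s)" % (role_name, expected_role_name))

    policy = role.get("AssumeRolePolicyDocument", {})
    if isinstance(policy, str):  # raw JSON string, e.g. copied from a CloudFormation template
        policy = json.loads(policy)

    # Collect who may assume the role and under which External ID, across all
    # Allow statements that grant sts:AssumeRole.
    principals, external_ids = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principals.update(_as_list(principal.get("AWS", [])))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        external_ids.update(_as_list(cond.get("sts:ExternalId", [])))

    if expected_external_id not in external_ids:
        findings.append("Invalid External ID: trust policy has %s, Prisma Cloud has %s"
                        % (sorted(external_ids) or "none", expected_external_id))
    wanted = PRISMA_PRINCIPALS[partition]
    if wanted not in principals:
        findings.append("Prisma Cloud account not found in Trusted entities: expected %s, found %s"
                        % (wanted, sorted(principals) or "none"))
    return findings


# Constructed sample: an org member role that trusts the right Prisma Cloud
# principal but still carries an External ID from an earlier onboarding.
SAMPLE_ROLE = {
    "RoleName": "PrismaCloudORGNewRole-member",
    "Arn": "arn:aws:iam::111122223333:role/PrismaCloudORGNewRole-member",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::188619942792:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "old-external-id"}},
        }],
    },
}

if __name__ == "__main__":
    # Values as they would be read from the Edit Cloud Account page (assumed here).
    findings = check_role(
        SAMPLE_ROLE,
        expected_role_arn="arn:aws:iam::111122223333:role/PrismaCloudORGNewRole-member",
        expected_external_id="a1b2c3d4-example",
        expected_role_name=expected_member_role_name("PrismaCloudORGNewRole"),
    )
    for line in findings or ["OK: role matches what Prisma Cloud expects"]:
        print(line)
```

Run it with credentials in the account that shows the error (the member account for a -member role) and pass the real `get-role` output instead of the sample; the partition is taken from the role ARN, so a GovCloud or China role is checked against its own Prisma Cloud principal rather than the public one. An empty result means none of the four listed causes apply to that role, which leaves the status refresh delay as the remaining explanation.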

