AWS Cloud account status shows the error "Authentication failed. Invalid External ID or Prisma Cloud account not found in Trusted entities"
Created On 04/21/22 00:54 AM - Last Modified 04/17/24 15:35 PM
Symptom
AWS Cloud account status shows the error "Authentication failed. Invalid External ID or Prisma Cloud account not found in Trusted entities"
Environment
- Prisma Cloud
- Amazon Web Services (AWS)
- Onboarding
- Cloud Accounts
Cause
This error can appear on an AWS ORG Master or Member Cloud account, or on a single AWS Cloud account.
Any of the following can cause the error:
- Invalid External ID
- Prisma Cloud account not found in Trusted entities
- Invalid Role Name
- Invalid Role ARN
Resolution
The resolution steps differ by cloud setup/environment. Follow the set that matches the account on which the error appears, e.g. if the cloud status error appears on the AWS ORG Master account, follow "Resolution steps if cloud account error shows only on AWS ORG Master Account".
- Resolution steps if cloud account error shows only on AWS ORG Master Account
- Resolution steps if cloud account error shows only on AWS ORG Member's Cloud Accounts
- Resolution steps if cloud account error shows only on Single AWS Cloud Account
Resolution steps if cloud account error shows only on AWS ORG Master Account:
If this error appears on the AWS ORG Master Account, follow the steps below:
- Log in to the AWS Root/Management account
- Go to IAM > Roles > Select your role for PrismaCloud
- Make sure the AWS Master Role ARN matches the one entered in Prisma Cloud
- Go to IAM > Roles > Select your role for PrismaCloud > Trust relationships
- Make sure the AWS Master External ID matches the one entered in Prisma Cloud
- Make sure the Prisma Cloud account appears in Trusted entities
The following are examples of the Prisma Cloud account as it appears in Trusted entities:
- AWS Public Cloud: "arn:aws:iam::188619942792:root"
- AWS GovCloud: "arn:aws-us-gov:iam::342570144056:root"
- China AWS: "arn:aws-cn:iam::211784309483:root"
- Follow Steps 1 to 4 in the Docs
After following the above Step 1:
- Go to Prisma Cloud Console > Settings > Cloud Accounts
- Click the Edit button under Action on your Cloud Account
- Click the Pencil button to edit the Cloud Account
- Complete the information from the Overview step to the Status step on the Edit Cloud Account page > Done
- If you still see the same error, it may take 24 hours for the status to update.
Resolution steps if cloud account error shows only on AWS ORG Member's Cloud Accounts:
If this error appears on an AWS ORG Member's Account, follow the steps below:
- Log in to the AWS member account
- Go to IAM > Roles > Select your role for PrismaCloud
- Make sure the Master Role Name matches the one entered in Prisma Cloud and ends with -member, for example:
Member Role Name: PrismaCloudORGNewRole-member
- Go to IAM > Roles > Select your role for PrismaCloud > Trust relationships
- Make sure the External ID matches the one entered in Prisma Cloud
- Make sure the Prisma Cloud account appears in Trusted entities
The following are examples of the Prisma Cloud account as it appears in Trusted entities:
- AWS Public Cloud: "arn:aws:iam::188619942792:root"
- AWS GovCloud: "arn:aws-us-gov:iam::342570144056:root"
- China AWS: "arn:aws-cn:iam::211784309483:root"
- Follow Step 2 in the Docs
After following the above Step 2:
- Go to Prisma Cloud Console > Settings > Cloud Accounts
- Click the Edit button under Action on your Cloud Account
- Click the Pencil button to edit the Cloud Account
- Complete the information from the Overview step to the Status step on the Edit Cloud Account page > Done
- If you still see the same error, it may take 24 hours for the status to update.
Resolution steps if cloud account error shows only on Single AWS Cloud Account:
If this error appears on a single AWS Account, follow the steps below:
- Log in to the AWS Root account
- Go to IAM > Roles > Select your role for PrismaCloud
- Make sure the Role ARN matches the one entered in Prisma Cloud
- Go to IAM > Roles > Select your role for PrismaCloud > Trust relationships
- Make sure the External ID matches the one entered in Prisma Cloud
- Make sure the Prisma Cloud account appears in Trusted entities
The following are examples of the Prisma Cloud account as it appears in Trusted entities:
- AWS Public Cloud: "arn:aws:iam::188619942792:root"
- AWS GovCloud: "arn:aws-us-gov:iam::342570144056:root"
- China AWS: "arn:aws-cn:iam::211784309483:root"
- Follow Steps 1 to 4 in the Docs
After following the above Steps 1 to 4:
- Go to Prisma Cloud Console > Settings > Cloud Accounts
- Click the Edit button under Action on your Cloud Account
- Click the Pencil button to edit the Cloud Account
- Complete the information from the Overview step to the Status step on the Edit Cloud Account page > Done
- If you still see the same error, it may take 24 hours for the status to update.
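All three resolution procedures above (Master, Member and single account) come down to the same three checks on the IAM role: the Role ARN (and, for members, the -member suffix on the role name) matches what was entered in Prisma Cloud, the trust policy's sts:ExternalId condition matches the External ID entered in Prisma Cloud, and the Prisma Cloud account for your partition appears as a trusted principal. The following script is an added example, not part of this article or of Prisma Cloud; it performs those checks offline against a constructed sample trust policy. The Prisma Cloud principal ARNs are the ones listed above; the account ID 111122223333, the role ARN and the external ID value are made up for illustration.

```python
"""Offline checks for the three things this article says to verify on a
Prisma Cloud IAM role: Role ARN / role name, External ID, and trusted entity.

The trust policy is the role's AssumeRolePolicyDocument. On a live account
`aws iam get-role --role-name <ROLE_NAME>` returns it under
data["Role"]["AssumeRolePolicyDocument"] and the ARN under data["Role"]["Arn"];
here a constructed sample is embedded so the script runs without AWS access.
"""
import json
import re

# Prisma Cloud principals from the article, keyed by AWS partition.
PRISMA_CLOUD_PRINCIPALS = {
    "aws": "arn:aws:iam::188619942792:root",
    "aws-us-gov": "arn:aws-us-gov:iam::342570144056:root",
    "aws-cn": "arn:aws-cn:iam::211784309483:root",
}

# Shape of an IAM role ARN: partition, 12-digit account ID, role path/name.
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM allows a string or a list in Principal/Action/Condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_role_arn(entered_arn, actual_arn):
    """Findings for the 'Invalid Role ARN' cause (empty list means OK)."""
    findings = []
    if not ROLE_ARN_RE.match(entered_arn):
        findings.append(f"Role ARN entered in Prisma Cloud is malformed: {entered_arn}")
    if entered_arn != actual_arn:
        findings.append(f"Role ARN mismatch: Prisma Cloud has {entered_arn}, IAM has {actual_arn}")
    return findings


def check_member_role_name(role_name):
    """ORG member roles must end with -member (article example: PrismaCloudORGNewRole-member)."""
    if role_name.endswith("-member"):
        return []
    return [f"Member role name does not end with -member: {role_name}"]


def check_trust_policy(policy, expected_external_id, partition="aws"):
    """Findings for 'Invalid External ID' and 'not found in Trusted entities'.

    A statement is the Prisma Cloud trust statement when it allows
    sts:AssumeRole to the Prisma Cloud principal of the given partition.
    """
    wanted = PRISMA_CLOUD_PRINCIPALS[partition]
    prisma_stmts = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))
                and wanted in aws_principals):
            prisma_stmts.append(stmt)
    if not prisma_stmts:
        return [f"Prisma Cloud account {wanted} not found in Trusted entities"]
    findings = []
    for stmt in prisma_stmts:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = _as_list(cond.get("sts:ExternalId"))
        if not ext_ids:
            findings.append("Trust statement has no sts:ExternalId condition")
        elif expected_external_id not in ext_ids:
            findings.append(f"Invalid External ID: IAM trusts {ext_ids}, "
                            f"Prisma Cloud has {expected_external_id}")
    return findings


def run_checks(entered_arn, actual_arn, policy, external_id, partition="aws", member=False):
    """Run every check the article's procedures ask for; empty list means all match."""
    findings = check_role_arn(entered_arn, actual_arn)
    if member:
        findings += check_member_role_name(actual_arn.rsplit("/", 1)[-1])
    findings += check_trust_policy(policy, external_id, partition)
    return findings


# Constructed sample trust policy (not taken from any real account), shaped
# like a standard IAM trust policy with an ExternalId condition.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::188619942792:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}}
  }]
}
""")

if __name__ == "__main__":
    arn = "arn:aws:iam::111122223333:role/PrismaCloudORGNewRole-member"  # made-up
    result = run_checks(arn, arn, SAMPLE_TRUST_POLICY, "example-external-id-0001", member=True)
    for line in result or ["OK: Role ARN, External ID and trusted entity all match"]:
        print(line)
```

To use it against a real role, save the output of `aws iam get-role --role-name <ROLE_NAME>` to a file, load it with json, and pass `data["Role"]["Arn"]` and `data["Role"]["AssumeRolePolicyDocument"]` together with the Role ARN and External ID shown on the Prisma Cloud Edit Cloud Account page; choose `partition` according to whether the account is in AWS Public Cloud, GovCloud or China. Each non-empty finding maps directly to one of the causes listed at the top of this article.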