Prisma Cloud: How to resolve authentication error caused by using custom path in AWS IAM Role ARN for member accounts
Created On 08/19/24 22:36 PM - Last Modified 01/23/25 16:05 PM
Objective
- To resolve the authentication error "Authentication failed. Invalid External ID or Prisma Cloud account not found in Trusted entities" caused by using an AWS IAM Role ARN with a custom path for member accounts.
- To onboard AWS member accounts whose IAM Role ARN uses a custom path.
Environment
- Prisma Cloud Enterprise Edition
- Cloud Security
- Settings
- Providers
Procedure
1. When onboarding an AWS Organization to Prisma Cloud, there are use cases that call for a separate path for the Prisma Cloud IAM role ARN. For example:
   1.1. By default, the IAM Role ARN for an account such as "123456789123" would be "arn:aws:iam::123456789123:role/PrismaCloudRole-123456789123".
   1.2. For security reasons or due to organizational policies, a Prisma Cloud administrator or AWS admin may need a custom path in the IAM Role ARN, so that the Role ARN looks like "arn:aws:iam::123456789123:role/security/PrismaCloudRole-123456789123", where "security/" is the custom path.
2. Using such a custom path for the Prisma Cloud IAM Role ARN in member accounts results in the authentication error "Authentication failed. Invalid External ID or Prisma Cloud account not found in Trusted entities" for those member accounts.
   2.1. This is because, previously, when onboarding an AWS Organization in Prisma Cloud, the only option was to enter the IAM Role ARN for the master/root account. Member account role names had to match the root account's IAM role name with "-member" appended. So if the root account's IAM role name is "PrismaCloudRole-123456789123", the member account's role name would be "PrismaCloudRole-123456789123-member".
   2.2. A custom path for member account IAM roles was therefore not possible, because Prisma Cloud checks for the IAM role in the default path, "arn:aws:iam::123456789123:role/PrismaCloudRole-123456789123-member", instead of "arn:aws:iam::123456789123:role/security/PrismaCloudRole-123456789123-member".
3. While point 2.1 is still the default behavior, the PCS 24.3.2 release introduced an Advanced Settings option in AWS Cloud Account Onboarding. One of its features is that users can enable "Use a different role name for Member Accounts". Please refer to the screenshot below:
   3.1. With "Use a different role name for Member Accounts" enabled, users can add a separate role name for member accounts. This option can also be used to add custom paths for member account roles.
   3.2. Considering the example in point 1.2, if the member account role ARN should have the custom path "security/", enter "Security/PrismaCloudMemberRoleName" in the Member IAM Role name box.
4. Once the settings are updated, it can take up to 24 hours for the member account status to reflect correctly in the Prisma Cloud UI. Please refer to this KCS article for more details.
5. To confirm that Prisma Cloud is successfully ingesting (before the status check is updated), check AWS CloudTrail events for the same member account, or go to the Prisma Cloud IAM Role > Summary in AWS and check whether the Last activity section has been updated.
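The following is an added example (not Prisma Cloud or AWS code) that shows the two checks behind the error above: it parses a member-account role ARN to see whether its path differs from the legacy default Prisma Cloud looks for, derives the value to enter in the Member IAM Role name box, and validates a role's trust policy for the expected trusted principal and sts:ExternalId. The trusted account ID, external ID and the sample trust policy are constructed placeholders; substitute the values shown in your own onboarding wizard.

```python
"""Diagnose Prisma Cloud member-account role ARN paths and trust policies.

Added example, not Prisma Cloud's or AWS's own code. All account IDs, the
trusted principal and the external ID are constructed placeholders.
"""
import json
import re
from typing import Dict, List

# Constructed placeholders, NOT Prisma Cloud's real values.
PRISMA_TRUSTED_ACCOUNT = "111111111111"
EXPECTED_EXTERNAL_ID = "00000000-0000-0000-0000-000000000000"

# arn:aws:iam::<account>:role/<optional/path/segments/><role-name>
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/((?:[^/]+/)*)([^/]+)$")


def parse_role_arn(arn: str) -> Dict[str, str]:
    """Split an IAM role ARN into account, path ('/' when default) and role name."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    account, path, name = m.groups()
    return {"account": account, "path": "/" + path, "name": name}


def default_member_arn(member_account: str, root_role_name: str) -> str:
    """Legacy convention: root role name + '-member', in the default path."""
    return f"arn:aws:iam::{member_account}:role/{root_role_name}-member"


def member_arn_from_setting(member_account: str, member_role_setting: str) -> str:
    """ARN implied by the 'Member IAM Role name' box, which may carry a path."""
    return f"arn:aws:iam::{member_account}:role/{member_role_setting.strip('/')}"


def diagnose_member_role(actual_arn: str, root_role_name: str) -> Dict[str, str]:
    """Compare the deployed role ARN with the default Prisma Cloud looks for.

    When they differ, the returned 'member_role_setting' is the path-plus-name
    string to enter under 'Use a different role name for Member Accounts'.
    """
    parsed = parse_role_arn(actual_arn)
    default = default_member_arn(parsed["account"], root_role_name)
    if actual_arn == default:
        return {"status": "ok", "looked_for": default, "member_role_setting": ""}
    setting = parsed["path"].lstrip("/") + parsed["name"]
    return {"status": "mismatch", "looked_for": default, "member_role_setting": setting}


def check_trust_policy(policy_json: str, trusted_account: str, external_id: str) -> List[str]:
    """Return problems found in a role trust policy; an empty list means it is as expected."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    problems: List[str] = []
    trusting = 0
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = st.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        # Principal may be a bare account ID or an ARN like arn:aws:iam::<account>:root
        accounts = {p.split(":")[4] if p.startswith("arn:") else p for p in principals}
        if trusted_account not in accounts:
            continue
        trusting += 1
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext == external_id:
            return []  # one correct statement is sufficient
        problems.append("sts:ExternalId condition missing" if ext is None
                        else f"sts:ExternalId is {ext!r}, expected {external_id!r}")
    if trusting == 0:
        return [f"no sts:AssumeRole statement trusts account {trusted_account}"]
    return problems


# Constructed sample trust policy matching what the onboarding template creates in shape.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PRISMA_TRUSTED_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
})

if __name__ == "__main__":
    arn = "arn:aws:iam::123456789123:role/security/PrismaCloudRole-123456789123-member"
    print(diagnose_member_role(arn, "PrismaCloudRole-123456789123"))
    print(check_trust_policy(SAMPLE_TRUST_POLICY, PRISMA_TRUSTED_ACCOUNT, EXPECTED_EXTERNAL_ID))
```

To run the trust-policy check against a real role, fetch its document with `aws iam get-role --role-name <member-role-name> --query 'Role.AssumeRolePolicyDocument'` (the role name alone is required; the returned `Role.Arn` shows the path actually in use) and pass the JSON to `check_trust_policy`. The ARN diagnosis reproduces point 2.2: a path such as "security/" never matches the default ARN Prisma Cloud derives from the root role name, which is why the fix is the member role name setting rather than a trust-policy change.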