Skip to main content

Debugging AWS Console read-only access issues

This page exists to collect and provide guidance on how to debug issues with AWS Console read-only access.

GitHub teams Principal Tag character limit exceeded

You may see users encountering the following error when attempting to SSO into the AWS Console:

Unable to validate tags (Service: AWSSecurityToken; Status Code: 400; Error Code: ValidationError; Request ID: abcd-1234; Proxy: null). Please try again.

The cause of this issue has frequently been identified as a result of a user belonging to enough GitHub teams (or those with especially long names) that result in the total length of the Principal Tag exceeding the 256 character limit, as documented here

In order to confirm whether this is the cause, request the user to grab a SAML response from their browser session by following the steps provided in this link

Ask the user to provide you with their base64 decoded SAML response, and check the character count for the contents of the PrincipalTag:GithubTeam tag.

<saml:Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">:github-teams:</saml:AttributeValue>

You can easily get a character count by running the following command:

$ printf ":github-team-1:github-team-2:" | wc -c

If the character count exceeds 256, you will need to ask the user to review their GitHub team membership, and remove themselves from any teams that are no longer required.

At this time, there is no other workaround for this issue.

This page was last reviewed on 7 February 2024. It needs to be reviewed again on 7 August 2024 by the page owner #cloud-platform .
This page was set to be reviewed before 7 August 2024 by the page owner #cloud-platform. This might mean the content is out of date.