So I’m at a loss here. I’m honestly finding the documentation below average even for AWS.
Followed AWS blogs, various tutorials but can’t get the (awful) AWS VPC client to authenticate using AWS Identity Centre. I’ve managed to get most error codes from 403, 401, ‘Bad Data’ etc but CloudTrail isn’t sharing the problems.
Anyone have a good resource/walkthrough to read that specifically covers when you have Identity Centre in one account, the VPC and VPN configured in a different account.
If I can’t fix this tonight I’ll fall back to a bastion server as I need to get a private RDS server up and I’m behind schedule after losing today debugging AWS Client VPN.
Cheers, m
Hey u/original-autobat did you ever figure this out? I’m running into this same issue, where I get a “403 no access” error when trying to use federated auth to ClientVPN in my network account (where my SAML IdP is set up in my root/management account).
Seems dumb.
I notice that the creation of a client VPN endpoint auto-creates a VPN-specific IAM policy, which doesn’t exist in my root account (and therefore can’t be added to the permission set of my federated users).
The client log files in C:\Users\username\AppData\Roaming\AWSVPNClient\logs should help out, but I would check the following:
1 - make sure the VPN application in Identity Center has the right Application metadata (ACS URL and SAML audience) and Attribute Mappings
2 - make sure the user/group you are using is mapped to the VPN application
3 - if you have enabled the self-service portal, you need a second application in Identity Center and a second IdP in the other VPN/VPC account.
That said, maybe consider using SSM port forwarding.
We did not in the end. We used SSM and made the process really easy for those non-technical users. Basically scripted up the SSO login and SSM tunnel creation and the user could then click on a bookmark in the browser.
One day I’ll look at the vpn client and try and figure out what I was doing wrong.
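An added example of the scripted flow described above (not the poster's own script): log in through Identity Center only when the cached SSO token has expired, then open an SSM port-forwarding tunnel from localhost to the private web app so the bookmark works. The profile name, instance ID, host and ports are assumed placeholders, and the user's permission set must allow ssm:StartSession on that instance and document.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are assumed placeholders.
set -eu

SSO_PROFILE="${SSO_PROFILE:-networking-user}"                 # assumed: from `aws configure sso`
SSM_TARGET="${SSM_TARGET:-i-0123456789abcdef0}"               # assumed: SSM-managed instance in the VPC
REMOTE_HOST="${REMOTE_HOST:-webapp.internal.example}"         # assumed: private DNS name of the web app
REMOTE_PORT="${REMOTE_PORT:-8080}"
LOCAL_PORT="${LOCAL_PORT:-8080}"                              # bookmark: http://localhost:8080

# Build the JSON parameter document for AWS-StartPortForwardingSessionToRemoteHost.
ssm_params() {
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# Return 0 if the SSO session behind the profile still yields valid credentials, else 1.
sso_session_valid() {
  aws sts get-caller-identity --profile "$1" >/dev/null 2>&1
}

# Open the Identity Center browser login only when the cached token is no longer usable.
ensure_sso_login() {
  sso_session_valid "$1" || aws sso login --profile "$1"
}

# Tunnel localhost:LOCAL_PORT -> REMOTE_HOST:REMOTE_PORT through the SSM-managed instance.
# No inbound security-group rule or public IP is needed on the instance; SSM Agent dials out.
start_tunnel() {
  aws ssm start-session --profile "$SSO_PROFILE" --target "$SSM_TARGET" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$(ssm_params "$REMOTE_HOST" "$REMOTE_PORT" "$LOCAL_PORT")"
}

# Only act when invoked as `./tunnel.sh run`, so the file can be sourced for checks.
if [ "${1:-}" = "run" ]; then
  ensure_sso_login "$SSO_PROFILE"
  start_tunnel
fi
```

The session requires the Session Manager plugin for the AWS CLI on the user's machine; the same tunnel works for a private RDS endpoint by pointing REMOTE_HOST/REMOTE_PORT at the database.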
Thanks chbsftd - I’ll go through the AWS step by step guide again and check these points - it must be something simple I’ve missed.
Would you configure the VPN endpoint in your root account alongside SSO? I did it in my networking account that holds my VPC configuration, CloudFront, Route 53 etc.
I’m assuming it doesn’t matter but I just want to check I’m not being dumb here.
It matters - the VPN endpoint will need to be in the same account as the VPC/subnets you want to access.
Thanks - it’s in the VPC and subnet account - let’s see if I can get this thing working.
It’s so our non-technical users can access a web app that I’m not comfortable just exposing to the world as there is no MFA or easy integration to SSO.
Let’s see how this goes.
Many thanks