

# Troubleshooting Resource Explorer

If you encounter issues when working with Resource Explorer, consult the topics in this section. Also see [Troubleshooting AWS Resource Explorer permissions](security_iam_troubleshoot.md) in the **Security** section of this guide.

**Topics**
+ [General issues](#troubleshooting_general) (*this page*)
+ [Troubleshooting Resource Explorer setup and configuration issues](troubleshooting_setup.md)
+ [Troubleshooting Resource Explorer search issues](troubleshooting_search.md)

## General issues


**Topics**
+ [I received a link to Resource Explorer but when I open it, the console shows only an error.](#troubleshooting_general_url-no-region)
+ [Why does Unified Search in the console cause "access denied" errors in my CloudTrail logs?](#troubleshooting_general_us-access-denied)

### I received a link to Resource Explorer but when I open it, the console shows only an error.

Some third-party tools produce link URLs to pages in Resource Explorer. In some cases, those URLs don't include the parameter that directs the console to a specific AWS Region. If you open such a link, the Resource Explorer console isn't told which Region to use, and defaults to the last Region the user signed in to. If the user doesn't have permissions to access Resource Explorer in that Region, then the console attempts to use the US East (N. Virginia) (`us-east-1`) Region, or US West (Oregon) (`us-west-2`) if the console can't reach `us-east-1`.

If the user doesn't have permission to access the index in any of those Regions, then the Resource Explorer console returns an error. 

You can prevent this issue by ensuring that all users have the following permissions:
+ `ListIndexes` – no specific resource; use `*`.
+ `GetIndex` for the ARN of each index created in the account. To avoid having to redo permission policies if you delete and recreate an index, we recommend that you use `*`.

The minimum policy to achieve this might look like this example:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "resource-explorer-2:GetIndex",
                "resource-explorer-2:ListIndexes"
            ],
            "Resource": "*"
        }
    ]
}
```


Alternatively, you might consider attaching the [AWS managed policy `AWSResourceExplorerReadOnlyAccess`](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSResourceExplorerReadOnlyAccess) to all users who need to use Resource Explorer. That grants these required permissions, plus the permissions needed to see the available views in the Region and search using those views.

### Why does Unified Search in the console cause "access denied" errors in my CloudTrail logs?

[Unified Search in the AWS Management Console](using-unified-search.md) lets principals search from any page in the AWS Management Console. The results can include resources from the principal's account if Resource Explorer is turned on and configured to support Unified Search. Whenever you start typing in the Unified Search bar, Unified Search attempts to call the `resource-explorer-2:ListIndexes` operation to check whether it can include resources from the user's account in the results.

Unified Search uses the currently signed-in user's permissions to perform this check. If that user doesn't have permission to call `resource-explorer-2:ListIndexes` granted in an attached AWS Identity and Access Management (IAM) permission policy, then the check fails. That failure is added as an `Access denied` entry in your CloudTrail logs.

This CloudTrail log entry has the following characteristics:
+ **Event source:** `resource-explorer-2.amazonaws.com`
+ **Event name:** `ListIndexes`
+ **Error code:** `403` (Access denied)

The following AWS managed policies include permission to call `resource-explorer-2:ListIndexes`. If you assign any of these to the principal, or any other policy that includes this permission, then this error does not occur:
+ [AWSResourceExplorerReadOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSResourceExplorerReadOnlyAccess)
+ [AWSResourceExplorerFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSResourceExplorerFullAccess)
+ [ReadOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
+ [ViewOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/job-function/ViewOnlyAccess)
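
The following is an added example, not part of the AWS documentation: a triage pass over CloudTrail records that counts the Unified Search `ListIndexes` denials per principal and keeps every other denied event for review. It assumes the denial shows up in the record's `errorCode` field as either the `403` listed above or a string containing `AccessDenied`; the function names and sample records are constructed for illustration.

```python
from collections import Counter

# Characteristics this page lists for the Unified Search permission check.
EVENT_SOURCE = "resource-explorer-2.amazonaws.com"
EVENT_NAME = "ListIndexes"

def is_denied(record):
    # Assumption: the denial is recorded in errorCode, either as the "403"
    # shown on this page or as a string containing "AccessDenied".
    code = str(record.get("errorCode", ""))
    return code == "403" or "accessdenied" in code.lower()

def is_unified_search_check(record):
    return (record.get("eventSource") == EVENT_SOURCE
            and record.get("eventName") == EVENT_NAME)

def triage(records):
    """Split denied events into Unified Search check failures, counted per
    principal ARN, and all other denials, which stay in the review queue."""
    missing_list_indexes = Counter()
    other_denials = []
    for rec in records:
        if not is_denied(rec):
            continue
        if is_unified_search_check(rec):
            arn = rec.get("userIdentity", {}).get("arn", "unknown")
            missing_list_indexes[arn] += 1
        else:
            other_denials.append(rec)
    return missing_list_indexes, other_denials

def _rec(source, name, arn, error=None):
    # Builds a minimal record with the CloudTrail fields used above.
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}}
    if error is not None:
        rec["errorCode"] = error
    return rec

# Constructed sample records (not real log data).
ALICE = "arn:aws:sts::123456789012:assumed-role/Analyst/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"
SAMPLE_RECORDS = [
    _rec(EVENT_SOURCE, "ListIndexes", ALICE, "403"),
    _rec(EVENT_SOURCE, "ListIndexes", ALICE, "403"),
    _rec(EVENT_SOURCE, "ListIndexes", BOB, "AccessDenied"),
    _rec(EVENT_SOURCE, "ListIndexes", CAROL),           # allowed, no errorCode
    _rec(EVENT_SOURCE, "Search", BOB, "AccessDenied"),  # different operation
    _rec("s3.amazonaws.com", "GetObject", ALICE, "AccessDenied"),
]

if __name__ == "__main__":
    missing, other = triage(SAMPLE_RECORDS)
    for arn, count in missing.most_common():
        print(f"{count:3d} ListIndexes denials: {arn}")
    print(f"{len(other)} other denied events left for review")
```

The per-principal counts show who needs one of the policies listed above; the remaining denials are unrelated to Unified Search and should not be suppressed with them.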

# Troubleshooting Resource Explorer setup and configuration issues

Use the information here to help you diagnose and fix issues that can occur when you initially set up or configure AWS Resource Explorer.

**Topics**
+ [Troubleshooting permission-based access issues](#troubleshoot_setup_permission-based-access)
+ [I get an "access denied" message when I make a request to Resource Explorer](#troubleshoot_setup_access-denied)
+ [I get an "access denied" message when I make a request with temporary security credentials](#troubleshooting_setup_access-denied-temp-creds)

## Troubleshooting permission-based access issues


Resource Explorer provides different user experiences based on your IAM permissions. Use this section to troubleshoot issues related to permission-based access and search results.

### I'm getting partial search results instead of complete results


If you're receiving partial search results, this indicates you have, at minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy but lack the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy), or the service-linked role hasn't been created in your account yet.
+ **To get complete results:** Obtain the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) from your administrator, or sign in with a role that has this permission. Once you initiate a search with both permissions, Resource Explorer will automatically create the service-linked role and provide complete results.
+ **If the service-linked role already exists:** Verify you have, at minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy. Users with search permission get complete results after searching in a Region once the service-linked role exists in the account.

  **Note**  
  Automatic setup may not happen in this case if an index was previously deleted or the aggregator index already exists.
+ **Regional differences:** Results may vary by Region based on index types. Regions with user-owned indexes provide complete results, while Regions with only Resource Explorer-owned indexes provide partial results.

### Service-linked role creation issues


If you receive an error when Resource Explorer attempts to create the service-linked role during your first search, this indicates you lack the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy).
+ **Resolution:** Get permission from your administrator or sign in with a role that has the `iam:CreateServiceLinkedRole` permission.

  **Note**  
  The service-linked role only needs to be created once per account. After it's created by any user with the appropriate permission, all users with, at minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy are able to create an index and view for full results in a Region on first search.

### I can't access Resource Explorer search functionality


If you receive access denied errors when trying to use Resource Explorer search, you lack at minimum the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy.
+ **Resolution:** Contact your administrator to obtain the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy. These permissions are also a subset of the `AWSResourceExplorerFullAccess` managed policy.
+ **Organizational control:** If your organization wants to prevent access to Resource Explorer search functionality, administrators can disallow the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy.

### Indexing progress and completion issues


When Resource Explorer automatically creates indexes and views, you may see indexing progress indicators in the console.
+ **Blue banner "Completing Resource Explorer setup":** This indicates indexing is in progress. You can search immediately and receive partial results while indexing completes in the background.
+ **Green completion banner:** This indicates that the user index is set up. Refresh to view full results.
+ **Timeline expectations:** Initial indexing typically completes within a few hours, depending on the number of resources in your account. You can use Resource Explorer immediately while indexing continues.
+ **If indexing appears stuck:** Indexing runs automatically in the background. If you don't see progress after several hours, verify your permissions and try refreshing the console.

## I get an "access denied" message when I make a request to Resource Explorer


Access denied errors can occur when accessing Resource Explorer search functionality or when trying to configure enhanced features like custom views or cross-Region search.
+ **For basic search access:** Verify you have, at minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy. This permission provides immediate access to search functionality.
+ **For complete search results:** Verify you have both the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy and the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy), or that the service-linked role already exists in your account.
+ **For enhanced features:** Verify that you have permissions to call the action and resource that you requested. An administrator can grant permissions by assigning an AWS Identity and Access Management (IAM) permission policy to your IAM principal, such as a role, group, or user.

  To provide access, add permissions to your users, groups, or roles:
  + Users and groups in AWS IAM Identity Center:

    Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
  + Users managed in IAM through an identity provider:

    Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
  + IAM users:
    + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
    + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

  The policy must allow the requested `Action` on the `Resource` that you want to access.

  If the policy statements that grant those permissions include any conditions, such as time-of-day or IP address restrictions, you also must meet those requirements when you send the request. For information about viewing or modifying policies for an IAM principal, see [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html) in the *IAM User Guide*.
+ If you're signing API requests manually (without using the [AWS SDKs](http://aws.amazon.com/tools/)), verify that you [signed the request](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) correctly.

## I get an "access denied" message when I make a request with temporary security credentials

+ Verify that the IAM principal that you're using to make the request has the correct permissions. Permissions for temporary security credentials are derived from a principal defined in IAM, so the permissions are limited to those granted to the principal. For more information about how permissions for temporary security credentials are determined, see [Controlling permissions for temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access.html) in the *IAM User Guide*.
+ Verify that your requests are being signed correctly and that the request is well formed. For details, see the [toolkit](http://aws.amazon.com/tools/) documentation for your chosen SDK or [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the *IAM User Guide*.
+ Verify that your temporary security credentials haven't expired. For more information, see [Requesting temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) in the *IAM User Guide*. 

# Troubleshooting Resource Explorer search issues

Use the information here to help you diagnose and fix common errors that can occur when you search for resources by using Resource Explorer.

**Topics**
+ [Why are some resources missing from my Resource Explorer search results?](#troubleshooting_search_missing-resources)
+ [Why are some searches limited to 1,000 results?](#troubleshooting_limited_results)
+ [Why are my resources not appearing in Unified Search results in the console?](#troubleshooting_search_unified)
+ [Why does Unified Search in the console and Resource Explorer sometimes give different results?](#troubleshooting_search_unified_different)
+ [What permissions do I need to be able to search for resources?](#troubleshooting_search_permissions)

## Why are some resources missing from my Resource Explorer search results?


The following list provides reasons why some resources might not appear in your search results as expected:

**Initial indexing isn't complete**  
After you first access Resource Explorer, the service automatically enables search capabilities [based on your IAM permissions](manage-immediate-resource-discovery-experience.md). It can then take up to 36 hours for indexing and replication to the aggregator index to complete. Try your search again later.

**The resource is new**  
It can take a few minutes for a new resource to be discovered by Resource Explorer and added to the local index. Try again in a few minutes.

**Information about a new resource in one Region hasn’t yet been propagated to the aggregator index**  
It can take some time for details about a new resource discovered in one Region to be indexed in its own Region and then replicated to the aggregator index for the account. The new resource can appear in cross-Region search results only after replication is complete. Try your search again later.

**The resource exists in a different Region, and the searched Region doesn't contain the aggregator index**  
You can search for resources across all Regions in the account only by using a view in the Region that contains the aggregator index. Searches in any other Region return resources from only the Region in which you perform the search.

**Filters on the view exclude that resource**  
Every view can include filters in the configuration that restrict which results can be included in search results made with that view. Ensure that the resource you're looking for matches the filters in the view that you're using to search. For more about filters, see [Filters](using-search-query-syntax.md#query-syntax-filters). 

**The resource type is not supported by Resource Explorer**  
Some resource types aren't supported by Resource Explorer. For more information, see [Resource types you can search for with Resource Explorer](supported-resource-types.md).

**User indexes aren't configured in the console Region**  
If a user index isn't configured in a Region, you will see partial results. For more information, see [Understanding the immediate resource discovery experience](manage-immediate-resource-discovery-experience.md).

**Your views don't include tags**  
Tags are required by the Resource Explorer widget. If your views don't include tags, the resources won't be included in your results. For more information, see [Adding tags to views](configure-views-tag.md).

**Your search uses the wrong search query syntax**  
Search in Resource Explorer is unique to this service. Without the correct syntax, you won't find the resources you expect. For more information, see [Search query syntax reference for Resource Explorer](using-search-query-syntax.md).

**You have recently tagged your resources**  
After you tag a resource, there may be a 30-second delay before the resource appears in your search results.

**The resource type doesn't support tag filters**  
If tag filters aren't supported by the resource type, they won't display in the Resource Explorer widget. Resource types that don't support tag filters are:  
+ `cloudfront:cache-policy`
+ `cloudfront:origin-access-identity`
+ `cloudfront:function`
+ `cloudfront:origin-request-policy`
+ `cloudfront:realtime-log-config`
+ `cloudfront:response-headers-policy`
+ `cloudwatch:dashboard`
+ `docdb:globalcluster`
+ `elasticache:globalreplicationgroup`
+ `iam:group`
+ `lambda:code-signing-config`
+ `lambda:event-source-mapping`
+ `ssm:windowtarget`
+ `ssm:windowtask`
+ `rds:auto-backup`
+ `rds:global-cluster`
+ `s3:accesspoint`

## Why are some searches limited to 1,000 results?


If your query includes free-form text, the Resource Explorer console uses the `Search` operation; if your query does not include free-form text, the console uses the `ListResources` operation. `Search` operations are limited to 1,000 results that are sorted by relevancy, while `ListResources` operations have no upper limit and are not sorted by relevancy. To see resources beyond 1,000 results when using free-form text (and the `Search` operation), you must use additional filters.

## Why are my resources not appearing in Unified Search results in the console?


[Unified Search](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/using-search.html) results are available in the search bar at the top of every AWS Management Console page when you have, at minimum, the permissions in the `AWSResourceExplorerReadOnlyAccess` managed policy. If you don't have access to resource results, obtain permission from your administrator or sign in with a role that has this permission.

## Why does Unified Search in the console and Resource Explorer sometimes give different results?


Unified Search results are available in the search bar at the top of every AWS Management Console page. When you use Unified Search, the Unified Search process automatically appends a wildcard character (`*`) to the end of the first term that you type in the query string. That wildcard character isn't visible in the Unified Search box, but it does affect the results.

**Important**  
Unified Search automatically inserts a wildcard character (`*`) operator at the end of the first keyword in the string. This means that unified search results include resources that match any string that starts with the specified keyword.  
The search performed by the **Query** text box on the [Resource search](https://console.aws.amazon.com/resource-explorer/home#/explorer) page in the Resource Explorer console does ***not*** automatically append a wildcard character. You can insert a `*` manually after any term in the search string.

## What permissions do I need to be able to search for resources?


To search, you must have permission to perform *all* of the following operations on a view that resides in the Region in which you call the operation:
+ `resource-explorer-2:GetView`
+ `resource-explorer-2:Search`
+ `resource-explorer-2:ListResources`

This can be done by adding a statement similar to the following example to a policy assigned to your IAM principal.

```
        {
            "Effect": "Allow",
            "Action": [
                "resource-explorer-2:GetView",
                "resource-explorer-2:Search",
                "resource-explorer-2:ListResources"
            ],
            "Resource": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/My-View-Name/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
        }
```

You can replace the Amazon Resource Name (ARN) of a specific view with an ARN that includes a wildcard (`*`) to grant permission to all matching views.

If you don't specify a view in your request, Resource Explorer automatically uses the [*default view*](configure-views-set-default.md) for the Region in which you made the request. If you don't have permissions to use the default view, talk to your administrator.

**Note**  
Even if you see a resource in the results of a Resource Explorer search query, you need permissions on the resource itself to be able to interact with that resource.
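
The following is an added example, not part of the AWS documentation: a simplified static check that reports which of the actions this guide requires are missing from an identity policy, covering both the search actions listed above and the `ListIndexes`/`GetIndex` pair needed for console links that lack a Region. It assumes plain `Action`/`Resource` statements and ignores `Condition`, `NotAction`, `NotResource`, permissions boundaries and service control policies; all function names, constants, policies and ARNs in it are constructed for illustration.

```python
import re

# Actions this guide names; the grouping constants are hypothetical names.
LINK_FALLBACK_ACTIONS = ["resource-explorer-2:ListIndexes",
                         "resource-explorer-2:GetIndex"]
SEARCH_ACTIONS = ["resource-explorer-2:GetView",
                  "resource-explorer-2:Search",
                  "resource-explorer-2:ListResources"]

def _as_list(value):
    # IAM accepts a single string/object or a list for these elements.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _covers(stmt, action, resource):
    # Simplification: NotAction/NotResource statements are skipped and
    # Condition blocks are ignored.
    if "Action" not in stmt or "Resource" not in stmt:
        return False
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt["Resource"])
    return (any(_matches(a, action, ignore_case=True) for a in actions)
            and any(_matches(r, resource) for r in resources))

def missing_actions(policy, required, resource):
    """Return the required actions the policy does not allow on resource.
    An explicit Deny overrides any Allow."""
    statements = _as_list(policy.get("Statement", []))
    missing = []
    for action in required:
        effects = [s.get("Effect") for s in statements
                   if _covers(s, action, resource)]
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing

# Constructed inputs (placeholder identifiers, not real resources).
PREFIX = "arn:aws:resource-explorer-2:us-east-1:123456789012:"
INDEX_ARN = PREFIX + "index/EXAMPLE-INDEX-ID"
VIEW_ARN = PREFIX + "view/My-View-Name/EXAMPLE-VIEW-ID"
OTHER_VIEW_ARN = PREFIX + "view/Other-View/EXAMPLE-VIEW-ID-2"

# Grants the two index actions on every resource.
INDEX_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["resource-explorer-2:GetIndex",
               "resource-explorer-2:ListIndexes"],
    "Resource": "*"}]}

# Grants GetView and Search on one view only; ListResources is left out.
VIEW_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["resource-explorer-2:GetView", "resource-explorer-2:Search"],
    "Resource": VIEW_ARN}}

if __name__ == "__main__":
    print(missing_actions(INDEX_POLICY, LINK_FALLBACK_ACTIONS, INDEX_ARN))
    print(missing_actions(VIEW_POLICY, SEARCH_ACTIONS, VIEW_ARN))
    print(missing_actions(VIEW_POLICY, SEARCH_ACTIONS, OTHER_VIEW_ARN))
```

An empty list means the policy covers the required actions for that resource; for an authoritative answer that accounts for conditions and other policy types, use the IAM policy simulator.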