Last week, I got an urgent call: “The AWS access portal is broken for 30 people. They just see a blank white screen.” No error messages, no console output—just an empty page and very confused engineers. After 45 minutes of investigation, I discovered the issue was browser cookies and a corporate proxy. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
Users navigate to their AWS IAM Identity Center access portal (the URL looks like https://d-xxxxxxxxxx.awsapps.com/start/) and encounter one of these:
- Completely blank white screen
- Infinite loading spinner that never resolves
- “You don’t have any accounts or applications” despite having valid assignments
- The page loads but all account tiles are missing
- Browser console shows CORS errors or mixed content warnings
Why Does This Happen?
- Browser blocking third-party cookies: IAM Identity Center requires third-party cookies to establish secure sessions. If your browser is blocking them (Safari default, or strict corporate policies), the portal can’t load your accounts.
- Corporate proxy or firewall blocking
awsapps.com: Firewalls may intercept requests to*.awsapps.comor block HTTPS traffic to AWS endpoints, resulting in silent failures or blank pages. - DNS resolution failure: The portal URL doesn’t resolve, or corporate DNS filters block
awsapps.com. - User recently created with permissions pending: The user was just added to the organization or assignments just created. Assignment propagation takes 2–5 minutes and syncing to the access portal can take longer.
- Browser extensions interfering: Adblockers, privacy extensions, or corporate monitoring software may block or modify requests to the portal.
- Permission set not provisioned to the account: An assignment exists, but the permission set hasn’t been provisioned to the account yet—a backend provisioning step that doesn’t always complete immediately.
The Fix
Step 1: Test in Incognito Mode with Extensions Disabled
First, isolate browser interference:
- Open an incognito/private window in your browser
- Disable all extensions (usually done in settings or incognito mode by default)
- Navigate to the portal URL:
https://d-xxxxxxxxxx.awsapps.com/start/
If the portal loads in incognito, the issue is a browser extension or cookie policy. Disable extensions one-by-one to find the culprit. Common offenders: password managers, VPNs, adblockers, and security extensions.
Step 2: Check Connectivity and DNS
Test that the portal domain resolves and is reachable:
# Test DNS resolution
nslookup d-xxxxxxxxxx.awsapps.com
# Test HTTPS connectivity
curl -I https://d-xxxxxxxxxx.awsapps.com/start/
# Expected: HTTP 200 or 302 redirect
# If curl fails, test with verbose output
curl -v https://d-xxxxxxxxxx.awsapps.com/start/ 2>&1 | grep -E "Connected|SSL|HTTP"
If DNS fails, contact your network team. If HTTPS fails, your firewall may be blocking AWS endpoints.
Step 3: Check Assignment Propagation
Verify the user has been assigned permission sets and that they’ve been provisioned to the target account:
# List permission sets assigned to a user
aws identitystore list-users \
--identity-store-id d-0123456789abcdef01 \
--filters AttributePath=UserName,AttributeValue=john.doe
# Get the user ID from the output, then:
aws sso-admin list-accounts-for-provisioned-permission-set \
--instance-arn arn:aws:sso:::instance/ssoins-0123456789abcdef0 \
--permission-set-arn arn:aws:sso::123456789012:permissionset/ssoins-0123456789abcdef0/ps-0123456789abcdef0
# Check if permission set is provisioned to the account
aws sso-admin list-permission-sets-provisioned-to-account \
--instance-arn arn:aws:sso:::instance/ssoins-0123456789abcdef0 \
--account-id 123456789012
If the permission set is missing, provision it manually:
aws sso-admin provision-permission-set \
--instance-arn arn:aws:sso:::instance/ssoins-0123456789abcdef0 \
--permission-set-arn arn:aws:sso::123456789012:permissionset/ssoins-0123456789abcdef0/ps-0123456789abcdef0 \
--target-id 123456789012 \
--target-type AWS_ACCOUNT
Step 4: Clear Portal Session Cookies
Ask the user to clear session cookies specifically for awsapps.com:
- Open browser Developer Tools (F12)
- Go to Application or Storage tab
- Find Cookies and select
https://awsapps.com - Delete all cookies
- Refresh the portal page
Step 5: Verify IAM Identity Center is Healthy
Check that your IAM Identity Center instance is functioning:
aws sso-admin describe-instance \
--instance-arn arn:aws:sso:::instance/ssoins-0123456789abcdef0
This should return instance status and configuration. If it fails, IAM Identity Center may be experiencing issues.
How to Run This
- Have the user test in an incognito browser window with extensions disabled
- Run the connectivity test with
curlto verify network access - Check assignment propagation using the AWS CLI commands above
- If assignments are missing, provision them with the
provision-permission-setcommand - Ask the user to clear
awsapps.comcookies and retry - Monitor for any account creation or assignment changes that might have triggered the issue
Is This Safe?
Yes, completely safe. These are diagnostic commands and standard troubleshooting steps. Clearing cookies and testing in incognito have no side effects.
Key Takeaway
A blank access portal usually points to browser cookie issues, network blocking, or permission set provisioning delays. Always test in incognito first, verify connectivity, and check that assignments have been provisioned to the target accounts.