AWS console not loading via ZIA

Hi - recently we’ve noticed that the AWS Console is not loading when accessed via Zscaler (GRE tunnel). However the web insights log shows that nothing is being blocked.

This is the same across Chrome, Edge and Firefox for us - and the browser console shows errors similar to:
Refused to load the script 'https://gateway.zscloud.net/auD?origurl=https%3A%2F%2Fcdn%2eassets%2eas2%2eamazonaws%2ecom%2fawsc%2dhead%2ejs%3fversion%3d3%2e0%2e26&wexps=1&_ordtok=RPZ3WVhMQSBS6S7sRSVbgKSHN6' because it violates the following Content Security Policy directive: "script-src https://cdn.assets.as2.amazonaws.com/AWS-UI-Widget-HelpPanel-Loader.js 'self' https://*.cdn.console.awsstatic.com https://*.signin.aws.amazon.com https://cdn.1.as2.amazonaws.com/asset/ https://cdn.2.as2.amazonaws.com/asset/ https://cdn.assets.as2.amazonaws.com https://console.aws.amazon.com/p/ https://console.aws.amazon.com/phd/ https://d1fqdzidq79abj.cloudfront.net https://d2eezf66cfmyv.cloudfront.net/js/ https://d36cz9buwru1tt.cloudfront.net https://eu-west-2.console.aws.amazon.com/api/ https://eu-west-2.prod.signer.console-api.aws.amazon.com https://media.amazonwebservices.com https://phd.aws.amazon.com https://resources.console.aws.amazon.com https://signin.aws.amazon.com https://eu-west-2.console.aws.amazon.com/p/ https://a.b.cdn.console.awsstatic.com 'nonce-bZjhmmycM2V6n0oghBzBvg=='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Has anyone seen anything similar or have an idea how to resolve this?

Thanks,
Tom

Hi Tom,

I have similar errors. Try to disable authentication on these sites, probably these sites don´t work with cookie auth.

Regards

Thanks Matias -
Were you able to get this working? Even adding the whole “Amazon Web Services” cloud application to bypass authentication doesn’t seem to help in my case.
I’ve got a support call open with Zscaler, but they aren’t really coming up with anything useful.
Kind regards,
Tom

Hello Tom, Matias,
Did you find out some way to make it work? I have the same issue but nothing seems to help

Kind regards,
Gloria

Hi Gloria -

Yes, I had to add .awsstatic.com to to the “authentication exemptions” list (Administration → Advanced Settings).

Thanks,
Tom

1 Like

Thank you very much, this worked nice!!