1.0 Introduction
This article provides troubleshooting steps for common issues encountered while configuring and running Fortanix Key Insight in cloud environments.
2.0 Troubleshooting
PROBLEM | RESOLUTION |
|---|---|
When a Federated Authentication (Fed Auth) mapped to a cloud connection has expired, a RESCAN attempt fails with the error "Failed to start a new scan. Failed connection credentials test. Check your credentials and try again." | Perform the following steps: (1) Reauthorize the authentication from the Connection tab or the Authentication tab. (2) After reauthorizing, perform the RESCAN.
For more information, refer to Getting Started With Cloud Connection. |
If you edit a cloud connection while Fed Auth has expired, the identity provider (IdP) configuration is not auto-selected and the operation returns the error "Unable to assume role with web identity. Ensure your credentials are valid or retry the operation." | Perform the following steps: (1) When adding or editing the connection, on the Set Up Authentication step, manually select the appropriate authentication. (2) Before updating the changes, click and click Authorize to complete the reauthorization process.
This only applies to the IdP created using the Authorization code flow.
|
Large dataset scans may occasionally fail to display all items, showing the error message: Failed to load items. | Click RETRY and allow the page to fully reload before proceeding. 
|
If a Fortanix Data Security Manager (DSM) connection is mapped to a Key Management Service (KMS) that remains in a Pending state, attempting to update the associated cloud connection will fail with the error: Unable to update cloud connection. dsm account id must be set. | Ensure the associated KMS connection is in a Connected state before updating the cloud connection. For more information on updating the cloud connection, refer to Getting Started With Cloud Connection. |
A GCP connection test fails with the following error: “Failed Google Cloud Platform connection test. Check your credentials and try again: Google Cloud SDK was instantiated, but listing organizations resulted in error: NonOkStatus { message: "HTTP GET on \"https://cloudresourcemanager.googleapis.com/v3/organizations:search\" produced an error response: {\n \"error\": {\n \"code\": 403,\n \"message\": \"Cloud Resource Manager API has not been used in project 758106583346 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=758106583346 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\",\n \"status\": \"PERMISSION_DENIED\",\n \"details\": [\n {\n \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n \"reason\": \"SERVICE_DISABLED\",\n \"domain\": \"googleapis.com\",\n \"metadata\": {\n \"serviceTitle\": \"Cloud Resource Manager API\",\n \"service\": \"cloudresourcemanager.googleapis.com\",\n \"containerInfo\": \"xxxxxxxxxxxxxx\",\n \"activationUrl\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=758106583346\",\n \"consumer\": \"projects/xxxxxxxxxxxx\"\n }\n },\n {\n \"@type\": \"type.googleapis.com/google.rpc.LocalizedMessage\",\n \"locale\": \"en-US\",\n \"message\": \"Cloud Resource Manager API has not been used in project 758106583346 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=xxxxxxxxxxxx then retry. 
If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\"\n },\n {\n \"@type\": \"type.googleapis.com/google.rpc.Help\",\n \"links\": [\n {\n \"description\": \"Google developers console API activation\",\n \"url\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=758106583346\"\n }\n ]\n }\n ]\n }\n}\n", http_status: 403 }” .
This occurs when the required GCP APIs are not enabled in the target project. | Perform the following steps to enable the required APIs in the GCP project: (1) On the Google Cloud Console, navigate to APIs & Services → Enable APIs and Services. (2) Enable Cloud Resource Manager API and any other required APIs (Cloud KMS, Cloud Storage, and Cloud SQL Admin) based on the supported GCP services.
|
Unable to verify the ID Token signature error due to JWKS signing keys not being published by PingFederate.
| Perform the following steps: (1) Log in to the PingFederate Admin Console. (2) Navigate to APPLICATIONS → OAuth → Access Token Management. (3) Select the configured Access Token Management (ATM) instance. (4) Click Show Advanced Fields. (5) Enable the PUBLISH KEYS TO PINGFEDERATE JWKS ENDPOINT option. (6) Save the configuration and restart PingFederate if required.
|
An ID token audience mismatch error occurs when the JWT aud claim does not match the Allowed Audience configured in the GCP Workload Identity Provider. | Ensure that the AUDIENCE CLAIM VALUE in the PingFederate ATM configuration matches the Allowed Audience configured in the GCP Workload Identity Provider. |
Invalid client or client credentials (401) error due to an incorrect or malformed OAuth client secret.
| Regenerate a new client secret in PingFederate and update the client ID and client secret values in Fortanix Key Insight. |
Unable to connect to PingFederate ports (9999 or 9031) error due to the PingFederate service not running or required ports being blocked by the firewall or cloud security rules.
| Verify that the PingFederate service is running and ensure that ports 9999 (Admin Console) and 9031 (Runtime) are open in the firewall or cloud security group. |
SSL certificate error when accessing PingFederate endpoints due to a self-signed certificate still being configured for PingFederate. | Import a CA-signed SSL certificate (for example, Let's Encrypt) into the PingFederate keystore and set it as the active SSL certificate. |
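To tell the JWKS signature failure apart from the audience mismatch before changing PingFederate settings, the ID token and the published JWKS document can be inspected offline. The following is an added example, not Fortanix or PingFederate code; the key ID, audience string, and sample token are constructed placeholders, and the function only inspects the token without verifying its signature.

```python
import base64
import json


def _segment(seg):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def diagnose_id_token(token, jwks, allowed_audience):
    """Return findings for the JWKS and audience failures described above.

    Inspection only: the signature is NOT verified, so this must never be
    used to decide whether a token is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header, claims = _segment(parts[0]), _segment(parts[1])
    findings = []

    # Signature verification needs a published key whose kid matches the header.
    published = {k.get("kid") for k in jwks.get("keys", [])}
    if not published:
        findings.append("jwks-empty: no signing keys published")
    elif header.get("kid") not in published:
        findings.append("kid-not-published: %r" % header.get("kid"))

    # RFC 7519: aud is either one string or an array of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if allowed_audience not in audiences:
        findings.append("aud-mismatch: token=%r allowed=%r" % (audiences, allowed_audience))
    return findings


def make_sample_token(kid, aud):
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": kid}), enc({"aud": aud}), "c2ln"])


# Constructed values: hypothetical key id and audience strings.
ALLOWED = "example-allowed-audience"
JWKS_OK = {"keys": [{"kty": "RSA", "kid": "atm-key-1"}]}

if __name__ == "__main__":
    print(diagnose_id_token(make_sample_token("atm-key-1", "other-aud"), JWKS_OK, ALLOWED))
    print(diagnose_id_token(make_sample_token("atm-key-1", ALLOWED), {"keys": []}, ALLOWED))
```

An empty finding list means the key ID is published and the audience matches, so a remaining failure lies elsewhere (for example the client secret or the TLS certificate rows above).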
Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.