---
title: "Cloud Connection Troubleshooting"
slug: "fortanix-key-insight-cloud-connection-troubleshooting"
updated: 2026-04-06T08:56:58Z
published: 2026-04-06T08:58:03Z
canonical: "support.fortanix.com/fortanix-key-insight-cloud-connection-troubleshooting"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cloud Connection Troubleshooting

## 1.0 Introduction

This article provides troubleshooting steps for common issues encountered while configuring and running Fortanix Key Insight in cloud environments.

## 2.0 Troubleshooting

| **PROBLEM** | **RESOLUTION** |
| --- | --- |
| **When a Federated Authentication (Fed Auth) mapped to a cloud connection has expired, a RESCAN attempt fails with**`Failed to start a new scan. Failed connection credentials test. Check your credentials and try again.`**error.** | Perform the following steps: 1. Reauthorize the authentication from the **Connection** tab or the **Authentication** tab. 2. After reauthorizing, perform the **RESCAN**. *For more information, refer to*[*Getting Started with Cloud Connection*](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-cloud-connection)*.* |
| **If you edit a cloud connection while Fed Auth has expired, the identity provider (IdP) configuration is not auto-selected and provides an**`Unable to assume role with web identity. Ensure your credentials are valid or retry the operation.`**error.** | Perform the following steps: 1. When adding or editing the connection on the **Set Up Authentication** step, manually select the appropriate authentication. 2. Before updating the changes, click ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Picture1(1).png) and click **Authorize** to complete the reauthorization process. > [!NOTE] > NOTE > > This only applies to the IdP created using the **Authorization code flow**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/1(5).png) |
| **Large dataset scans may occasionally fail to display all items, showing the error message:**`Failed to load items`**.** | Click **RETRY** and allow the page to fully reload before proceeding. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_Trobleshooting Error.png) |
| **If a Fortanix Data Security Manager (DSM) connection is mapped to a Key Management Service (KMS) that remains in a Pending state, attempting to update the associated cloud connection will fail with the error:**`Unable to update cloud connection. dsm account id must be set.` | Ensure the associated KMS connection is in a **Connected** state before updating the cloud connection. *For more information on updating the cloud connection, refer to*[*Getting Started with Cloud Connection*](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-cloud-connection#62-edit-the-cloud-connection)*.* |
| **A GCP connection test fails with the following error:** `“Failed Google Cloud Platform connection test. Check your credentials and try again: Google Cloud SDK was instantiated, but listing organizations resulted in error: NonOkStatus { message: "HTTP GET on \"https://cloudresourcemanager.googleapis.com/v3/organizations:search\" produced an error response: {\n  \"error\": {\n    \"code\": 403,\n    \"message\": \"Cloud Resource Manager API has not been used in project 758106583346 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=758106583346 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\",\n    \"status\": \"PERMISSION_DENIED\",\n    \"details\": [\n      {\n        \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n        \"reason\": \"SERVICE_DISABLED\",\n        \"domain\": \"googleapis.com\",\n        \"metadata\": {\n          \"serviceTitle\": \"Cloud Resource Manager API\",\n          \"service\": \"cloudresourcemanager.googleapis.com\",\n          \"containerInfo\": \"xxxxxxxxxxxxxx\",\n          \"activationUrl\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=758106583346\",\n          \"consumer\": \"projects/xxxxxxxxxxxx\"\n        }\n      },\n      {\n        \"@type\": \"type.googleapis.com/google.rpc.LocalizedMessage\",\n        \"locale\": \"en-US\",\n        \"message\": \"Cloud Resource Manager API has not been used in project 758106583346 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=xxxxxxxxxxxx then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\"\n      },\n      {\n        \"@type\": \"type.googleapis.com/google.rpc.Help\",\n        \"links\": [\n          {\n            \"description\": \"Google developers console API activation\",\n            \"url\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=758106583346\"\n          }\n        ]\n      }\n    ]\n  }\n}\n", http_status: 403 }” .` **This occurs when the required GCP APIs are not enabled in the target project.** | Perform the following steps to enable the required APIs in the GCP project: 1. On the Google Cloud Console, navigate to **APIs & Services → Enable APIs and Services**. 2. Enable **Cloud Resource Manager API** and any other required APIs (Cloud KMS, Cloud Storage, and Cloud SQL Admin) based on the supported GCP services. |
| `Unable to verify the ID Token signature`**error due to JWKS signing keys not being published by PingFederate.** | Perform the following steps: 1. Log in to the PingFederate Admin Console. 2. Navigate to **APPLICATIONS → OAuth → Access Token Management**. 3. Select the configured Access Token Management (ATM) instance. 4. Click **Show Advanced Fields**. 5. Enable the**PUBLISH KEYS TO PINGFEDERATE JWKS ENDPOINT** option. 6. Save the configuration and restart PingFederate if required. |
| **An ID token audience mismatch error occurs when the JWT aud claim does not match the Allowed Audience configured in the GCP Workload Identity Provider.** | Ensure that the **AUDIENCE CLAIM VALUE**in the PingFederate ATM configuration matches the **Allowed Audience** configured in the GCP Workload Identity Provider. |
| `Invalid client or client credentials (401)`**error due to an incorrect or malformed OAuth client secret.** | Regenerate a new client secret in PingFederate and update the client ID and client secret values in Fortanix Key Insight. |
| `Unable to connect to PingFederate ports (9999 or 9031)` **error due to the PingFederate service not running or required ports being blocked by the firewall or cloud security rules.** | Verify that the PingFederate service is running and ensure that ports `9999` (Admin Console) and `9031` (Runtime) are open in the firewall or cloud security group. |
| **SSL certificate error when accessing PingFederate endpoints due to a self-signed certificate still being configured for PingFederate.** | Import a CA-signed SSL certificate (for example, Let's Encrypt) into the PingFederate keystore and set it as the active SSL certificate. |

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. Iy also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.