This document gives troubleshooting guidance for issues you might encounter during registration and connection.
Invalid configuration
If Google Cloud console cannot read the OIDC configuration from your cluster, the LOGIN button is disabled.
Login URL not found
The following issue occurs when the Google Cloud console is not able to reach the identity provider.
An attempt to log in gets redirected to a page with "URL not found" error.
To resolve this issue:
If the identity provider is not reachable over the public internet, then you need to enable the OIDC HTTP proxy to log in via Google Cloud console. In the
authentication.oidc
section of your cluster configuration file, setdeployCloudConsoleProxy
totrue
. If you have already created a cluster and want to turn on the proxy, you can edit the ClientConfig custom resource directly and setuseHTTPProxy
totrue
:kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public
If the HTTP proxy is enabled and you are still seeing this error, there might have been an issue with the proxy starting up. To get the logs of the proxy:
kubectl --kubeconfig USER_CLUSTER_KUBECONFIG logs deployment/clientconfig-operator -n kube-system
Note that even if your identity provider has a well-known CA, for the HTTP proxy to start, you must provide a value for
authentication.oidc.caPath
in your cluster configuration file.If the authorization server prompts for consent, and you have not included the
extraparam
prompt=consent
, then you might see this error. Edit the ClientConfig object, and addprompt=consent
toextraparams
:kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public
Then try logging in again.
If you have not done so already, try authenticating using the Authentication Plugin for Anthos. If you are seeing an authorization error logging in with the plugin as well, then follow the troubleshooting steps to resolve the issue with the plugin. Then try logging in via the Google Cloud console again.
In some cases, if settings are changed on storage service, you might need to log out explicitly. In the Google Cloud console, go to the cluster details page, and click Log out. Then try logging in again.