This document provides troubleshooting guidance for LDAP server issues in GKE Identity Service.

Connectivity issue

When you configure GKE Identity Service, you can run into connectivity issues while trying to connect to an LDAP server. A connectivity issue can also occur when the certificate presented by the LDAP server doesn't match the certificate specified in the ClientConfig.

Error message

The following messages apply to errors that occur when the `gcloud anthos auth login` command is executed.

- `ERROR: LDAP login failed: could not obtain an STS token: Post "https://127.0.0.1:15001/sts/v1beta/token": failed to obtain an endpoint for deployment anthos-identity-service/ais: Unauthorized`
- `ERROR: Configuring Anthos authentication failed`

Solution

You can resolve the issue in one of the following ways:

- If GKE Identity Service can't connect to the LDAP server, do the following:
  - To verify that network traffic can reach the LDAP server (the identity provider) from the cluster, use `telnet`, `nc`, or a similar command to connect to the LDAP server. Run the command from the node or pod where GKE Identity Service is running, because that is the network path the service actually uses; a successful test from your workstation proves nothing about the cluster.
  - If the command succeeds, the GKE Identity Service pod should be able to reach the LDAP server.
  - If the command fails, there is a network connectivity problem. Check your network settings or contact your network administrator to resolve it.
- Verify that the public certificate in the configuration is [formatted correctly](/kubernetes-engine/enterprise/identity/setup/format-certificates) and matches your LDAP server in the following cases:
  - You use LDAP with TLS.
  - You authenticate to LDAP with a service account and use a certificate to identify the service account to the LDAP server.
Authentication issue

An authentication issue occurs in one of the following cases:

- The LDAP provider settings are incorrectly configured in the ClientConfig for GKE Identity Service.
- The user credentials you provided don't exist on the LDAP server.
- The LDAP server is down.

Note: Connectivity and authentication issues produce the same client-side error and have similar causes, but you can tell them apart from the GKE Identity Service logs.

Error message

The following messages apply to errors that occur when the `gcloud anthos auth login` command is executed.

- `ERROR: LDAP login failed: could not obtain an STS token: Post "https://127.0.0.1:15001/sts/v1beta/token": failed to obtain an endpoint for deployment anthos-identity-service/ais: Unauthorized`
- `ERROR: Configuring Anthos authentication failed`

Solution

As a cluster administrator, review the GKE Identity Service logs. The client only ever sees the generic `Unauthorized` error above, so the service logs are the only place where the failing stage is visible. Look for the following milestone messages, which appear in this order during a successful login:

- `Can't contact LDAP server`: see the connectivity issue section above.
- `Attempting to bind as the LDAP service account`: GKE Identity Service is trying to connect to the LDAP server with the service account credentials provided in the ClientConfig. If this message is absent, there is a connectivity issue.
- `Successfully completed BIND as LDAP service account`: GKE Identity Service connected to the LDAP server and can use its service account to authenticate users. If this message is absent, there is a configuration issue; check the service account settings in the ClientConfig.
- `Successfully found an entry for the user in the database`: a user entry exists on the LDAP server, which means the `baseDN`, `filter`, and `loginAttribute` fields are configured correctly to retrieve users. This message is logged only when the logging verbosity is above the default level, so its absence at the default level is not a finding. For more information, see [Enable the debug log](/kubernetes-engine/enterprise/identity/setup/user-access-troubleshooting#enable_the_debug_log).
- `Attempting to BIND as the user to verify their credentials`: GKE Identity Service is verifying the user's credentials.
- `Successfully completed LDAP authentication`: user authentication succeeded. If this message is absent, the credentials are invalid.
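The milestone list above is easy to apply by hand for one login and tedious for a log with many of them. The following script is an added example, not GKE Identity Service code: it walks a set of log lines in the order of the milestones above and reports the first stage that is missing, which is exactly the reasoning the Solution describes. The milestone strings are the ones quoted above; the klog-style line prefix and the sample sessions are constructed for this example. The `user-lookup` stage (no user BIND attempt after a successful service-account BIND) is inferred from the milestone order rather than stated verbatim on this page.

```python
"""Triage GKE Identity Service LDAP login logs by milestone message.

Added example (not GKE Identity Service code). The milestone strings are the
ones listed in the Solution above; the klog-style line prefix and the sample
sessions below are constructed for this example.
"""
from typing import Iterable, List, Tuple

# Milestones in the order GKE Identity Service reaches them during one login.
CANT_CONTACT = "can't contact ldap server"
SA_BIND_ATTEMPT = "attempting to bind as the ldap service account"
SA_BIND_OK = "successfully completed bind as ldap service account"
USER_FOUND = "successfully found an entry for the user in the database"  # debug verbosity only
USER_BIND_ATTEMPT = "attempting to bind as the user to verify their credentials"
AUTH_OK = "successfully completed ldap authentication"


def _seen(lines: List[str], needle: str) -> bool:
    """Case-insensitive substring match so 'BIND' and 'bind' both count."""
    return any(needle in line.lower() for line in lines)


def diagnose(log_lines: Iterable[str]) -> Tuple[str, str]:
    """Return (stage, hint) for the first milestone that is missing.

    stage is one of: connectivity, service-account, user-lookup, credentials, ok.
    """
    lines = list(log_lines)
    if _seen(lines, CANT_CONTACT) or not _seen(lines, SA_BIND_ATTEMPT):
        return ("connectivity",
                "the LDAP server was never reached: test it with nc/telnet from the ais pod "
                "and check the server certificate in the ClientConfig")
    if not _seen(lines, SA_BIND_OK):
        return ("service-account",
                "service-account BIND failed: check the service account settings in the ClientConfig")
    if not _seen(lines, USER_BIND_ATTEMPT):
        # The user search sits between the two BINDs. Its success message is only
        # logged at debug verbosity, so the absence of USER_FOUND alone proves
        # nothing; the absence of the user BIND attempt does (this step is inferred
        # from the milestone order, not stated verbatim on the page).
        if _seen(lines, USER_FOUND):
            return ("user-lookup",
                    "user entry found but no user BIND was attempted: enable the debug log and retry")
        return ("user-lookup",
                "no user entry found: check user baseDN, filter and loginAttribute; "
                "enable the debug log to see the search result")
    if not _seen(lines, AUTH_OK):
        return ("credentials", "user BIND failed: the supplied credentials are invalid")
    return ("ok", "LDAP authentication succeeded; if kubectl is still Forbidden, check RBAC bindings")


# Constructed sample sessions (the klog-style prefix is illustrative, not real output).
_P = "I0901 10:15:02.113 ldap.go:88] "
SESSION_OK = [
    _P + "Attempting to bind as the LDAP service account",
    _P + "Successfully completed BIND as LDAP service account",
    _P + "Successfully found an entry for the user in the database",
    _P + "Attempting to BIND as the user to verify their credentials",
    _P + "Successfully completed LDAP authentication",
]
SESSION_BAD_PASSWORD = SESSION_OK[:4]
SESSION_UNREACHABLE = [_P + "Can't contact LDAP server"]
SESSION_BAD_SERVICE_ACCOUNT = SESSION_OK[:1]
SESSION_USER_NOT_FOUND = SESSION_OK[:2]

if __name__ == "__main__":
    for name, session in (("ok", SESSION_OK), ("bad password", SESSION_BAD_PASSWORD),
                          ("unreachable", SESSION_UNREACHABLE),
                          ("bad service account", SESSION_BAD_SERVICE_ACCOUNT),
                          ("user not found", SESSION_USER_NOT_FOUND)):
        stage, hint = diagnose(session)
        print(f"{name:20s} -> {stage}: {hint}")
```

Feed `diagnose()` the lines of one login attempt (for example the ais pod log filtered to a single request); mixing several attempts in one call hides which one failed, because a later successful login would supply the milestones an earlier failed one lacks.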
Version compatibility issue

This issue occurs when there is a version compatibility mismatch between GKE Identity Service and the installed Google Cloud CLI.

Error message

- `unable to parse STS Token Response`
- `could not obtain an STS token: JSON parse error: The request was malformed.`
- `could not obtain an STS token: Grant type must confirm that the request is intended for a token exchange.`
- `could not obtain an STS token: Requested token type must correspond to an access token.`
- `could not obtain an STS token: Subject token type must be a valid token type supported for token exchange.`

Solution

Upgrade the gcloud CLI and GKE Identity Service to the latest available versions.
401 authentication failed status code

This issue occurs when the Kubernetes API server can't authenticate the service and returns a 401 error code.

Error message

- `ERROR: LDAP login failed: STSToken() failed: could not obtain an STS token: Post "https://127.0.0.1:15001/sts/v1beta/token": DialContext() failed: podEndpoint() failed to obtain an endpoint for deployment anthos-identity-service/ais: Unauthorized`
- `ERROR: Configuring Anthos authentication failed`

Solution

You can resolve the issue in one of the following ways:

- Check that the GKE Identity Service pod is in the `Running` state:

  ```shell
  kubectl get pods -l k8s-app=ais -n anthos-identity-service --kubeconfig USER_CLUSTER_KUBECONFIG
  ```
- Check the LDAP configuration in the ClientConfig:

  ```shell
  kubectl get clientconfig -n kube-public -o jsonpath='{.items[].spec.authentication[].ldap}' --kubeconfig USER_CLUSTER_KUBECONFIG
  ```
- Review the logs for detailed information about the error. For more information on logging, see [Using logging and monitoring for system components](/anthos/clusters/docs/on-prem/latest/how-to/logging-and-monitoring).

Authentication token has expired

Despite a successful login, you can run into issues where the authentication token has expired.

Error message

`ERROR: You must be logged in to the server (Unauthorized)`

Solution

Log in to the server again.

Issue with RBAC role binding to the user or group

This issue occurs when authentication succeeds but authorization fails because no RBAC role is bound to the user or group. For instance, the issue shows up when you run `kubectl get pods`.

Error message

`Error from server (Forbidden): <SERVICE or PODS> is forbidden: <MORE DETAILS>`

Solution

1. Sign in to your LDAP server to view the target user's groups.
2. Verify that your Kubernetes roles and role bindings are defined correctly and match the values in your LDAP directory. An administrator can verify the role bindings through Kubernetes [User Impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation).
3. Update the role binding so that the target user's group is authorized to perform the required action.
4. Verify that the values for `baseDN` and, optionally, `filter` and `identifierAttribute` for groups are correct. GKE Identity Service uses the group configuration from these fields to query all groups that the user belongs to. If `baseDN` is empty, no groups are provided to the Kubernetes API server, and nothing is logged in that case. If `baseDN` is not empty, GKE Identity Service queries the directory for the user's groups.
   - If the query succeeds, the groups are provided to the Kubernetes API server.
   - If the query fails, the groups are not provided to the Kubernetes API server. In this case, fix the `baseDN` and `filter` configuration values for groups.

User belongs to multiple groups

This issue occurs when a user belongs to many groups.

Error message

`could not obtain an STS token: STS token exceeds allowed size limit. Possibility of too many groups associated with the credentials provided.`

Solution

As a cluster administrator, configure the `filter` field in the ClientConfig to reduce the number of groups returned by the query to the LDAP server.

Last updated 2025-09-01 UTC.
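The 401 section above tells you to inspect the ais pod state and the LDAP block of the ClientConfig, and the RBAC section explains that an empty group `baseDN` silently sends no groups to the API server. The following script is an added example, not GKE Identity Service code: it applies those checks offline to the parsed output of the two `kubectl` commands (`kubectl get pods ... -o json` and the `ldap` block from the ClientConfig). The nesting of the `ldap` block (`server`, `user`, `group`) is an assumption of this example; confirm it against your own ClientConfig. The sample inputs are constructed. TLS and certificate settings are not checked here.

```python
"""Offline check of what the 401 section says to inspect: the ais pod state and
the LDAP block of the ClientConfig, plus the group baseDN condition from the
RBAC section.

Added example (not GKE Identity Service code). Input is the parsed JSON of
  kubectl get pods -l k8s-app=ais -n anthos-identity-service -o json
and the `ldap` mapping under spec.authentication[] of the ClientConfig.
The nesting of the ldap block (server / user / group) is assumed here;
confirm it against your own ClientConfig. TLS settings are not checked.
"""
import json
import sys
from typing import Dict, List


def check_ais_pods(pod_list: Dict) -> List[str]:
    """Findings about the ais pod(s); an empty list means every pod is Running and ready."""
    findings: List[str] = []
    items = pod_list.get("items", [])
    if not items:
        return ["no GKE Identity Service pod found (label k8s-app=ais)"]
    for pod in items:
        name = pod["metadata"]["name"]
        status = pod.get("status", {})
        phase = status.get("phase")
        if phase != "Running":
            findings.append(f"{name}: phase is {phase!r}, expected 'Running'")
        for cs in status.get("containerStatuses", []):
            if not cs.get("ready"):
                findings.append(f"{name}: container {cs['name']} is not ready")
    return findings


def check_ldap_config(ldap: Dict) -> List[str]:
    """Findings about the LDAP provider block; each string names the field to fix."""
    findings: List[str] = []
    if not ldap:
        return ["ClientConfig has no LDAP provider under spec.authentication[]"]
    if not ldap.get("server", {}).get("host"):
        findings.append("server.host is missing")
    user = ldap.get("user", {})
    for field in ("baseDN", "loginAttribute"):
        if not user.get(field):
            findings.append(f"user.{field} is missing: the user search cannot run")
    group = ldap.get("group", {})
    if not group.get("baseDN"):
        # Per the RBAC section: an empty group baseDN sends no groups to the API
        # server and logs nothing, so group-based role bindings fail with Forbidden.
        findings.append("group.baseDN is empty: no groups are passed to the API server")
    elif not group.get("filter"):
        # Per the multiple-groups section: a filter is how you keep the group list
        # (and so the STS token) small for users in many groups.
        findings.append("group.filter is empty: users in many groups may exceed the STS token size limit")
    return findings


# Constructed samples in the shape of the kubectl output and the ClientConfig ldap block.
SAMPLE_PODS = {"items": [{
    "metadata": {"name": "ais-7c8d9f5b6-x2k4q"},
    "status": {"phase": "Running", "containerStatuses": [{"name": "ais", "ready": True}]}}]}
SAMPLE_PODS_PENDING = {"items": [{
    "metadata": {"name": "ais-7c8d9f5b6-x2k4q"},
    "status": {"phase": "Pending", "containerStatuses": [{"name": "ais", "ready": False}]}}]}
SAMPLE_LDAP = {
    "server": {"host": "ldap.example.com:636"},
    "user": {"baseDN": "ou=people,dc=example,dc=com", "filter": "(objectClass=person)",
             "loginAttribute": "uid", "identifierAttribute": "uid"},
    "group": {"baseDN": "ou=groups,dc=example,dc=com",
              "filter": "(&(objectClass=groupOfNames)(cn=k8s-*))", "identifierAttribute": "cn"},
}

if __name__ == "__main__":
    # Usage: python3 check_ais.py pods.json ldap.json   (falls back to the samples)
    pods = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PODS
    ldap = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_LDAP
    for finding in check_ais_pods(pods) + check_ldap_config(ldap) or ["no findings"]:
        print(finding)
```

Both functions return findings rather than printing them, so the same checks can be wired into whatever reporting you already use; an empty list from both means the pod is up and the configuration has the fields the login path needs, and the remaining suspects are the network path, the server certificate, and the credentials themselves.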