This document gives troubleshooting guidance for issues you might encounter
during registration and connection.
Invalid configuration
If Google Cloud console cannot read the OIDC configuration from your
cluster, the LOGIN button is disabled.
Login URL not found
The following issue occurs when the Google Cloud console is not able to reach
the identity provider.
An attempt to log in gets redirected to a page with a "URL not found" error.
To resolve this issue:
If the identity provider is not reachable over the public internet, then you
need to enable the OIDC HTTP proxy to log in via Google Cloud console. In the
authentication.oidc section of your cluster configuration file, set
deployCloudConsoleProxyto true. If you have already created a cluster
and want to turn on the proxy, you can edit the ClientConfig custom resource
directly and set useHTTPProxy to true:
If the HTTP proxy is enabled and you are still seeing this error, there might
have been an issue with the proxy starting up. To get the logs of the proxy:
Note that even if your identity provider has a well-known CA, for the HTTP
proxy to start, you must provide a value for authentication.oidc.caPath in
your cluster configuration file.
If the authorization server prompts for consent, and you have not included
the extraparamprompt=consent, then you might see this error. Edit the
ClientConfig object, and add prompt=consent to extraparams:
If you have not done so already, try authenticating using the
Authentication Plugin for Anthos.
If you are seeing an authorization error logging in with the plugin as well,
then follow the
troubleshooting steps
to resolve the issue with the plugin. Then try logging in via the
Google Cloud console again.
In some cases, if settings are changed on storage service, you might need to
log out explicitly. In the Google Cloud console, go to the cluster details
page, and click Log out. Then try logging in again.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis guide offers troubleshooting steps for registration and connection problems within the Google Cloud console.\u003c/p\u003e\n"],["\u003cp\u003eA disabled "LOGIN" button indicates that the Google Cloud console is unable to read the OIDC configuration from the cluster.\u003c/p\u003e\n"],["\u003cp\u003eA "URL not found" error during login usually means the Google Cloud console cannot reach the identity provider, and may require enabling the OIDC HTTP proxy or reviewing proxy logs.\u003c/p\u003e\n"],["\u003cp\u003eIf the authorization server requires consent, it might be necessary to edit the ClientConfig object and add \u003ccode\u003eprompt=consent\u003c/code\u003e to the \u003ccode\u003eextraparams\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eExplicit logout from the cluster details page within the Google Cloud console may resolve issues caused by changes to storage service settings.\u003c/p\u003e\n"]]],[],null,["# Troubleshooting registration and connection\n\n\u003cbr /\u003e\n\nThis document gives troubleshooting guidance for issues you might encounter\nduring registration and connection.\n\nInvalid configuration\n---------------------\n\nIf Google Cloud console cannot read the OIDC configuration from your\ncluster, the **LOGIN** button is disabled.\n\nLogin URL not found\n-------------------\n\nThe following issue occurs when the Google Cloud console is not able to reach\nthe identity provider.\n\nAn attempt to log in gets redirected to a page with a \"URL not found\" error.\n\nTo resolve this issue:\n\n1. If the identity provider is not reachable over the public internet, then you\n need to enable the OIDC HTTP proxy to log in via Google Cloud console. In the\n `authentication.oidc` section of your cluster configuration file, set\n `deployCloudConsoleProxy`to `true`. If you have already created a cluster\n and want to turn on the proxy, you can edit the ClientConfig custom resource\n directly and set `useHTTPProxy` to `true`:\n\n ```\n kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public\n ```\n2. If the HTTP proxy is enabled and you are still seeing this error, there might\n have been an issue with the proxy starting up. To get the logs of the proxy:\n\n ```\n kubectl --kubeconfig USER_CLUSTER_KUBECONFIG logs deployment/clientconfig-operator -n kube-system\n ```\n\n Note that even if your identity provider has a well-known CA, for the HTTP\n proxy to start, you must provide a value for `authentication.oidc.caPath` in\n your cluster configuration file.\n3. If the authorization server prompts for consent, and you have not included\n the `extraparam` `prompt=consent`, then you might see this error. Edit the\n ClientConfig object, and add `prompt=consent` to `extraparams`:\n\n ```\n kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public\n ```\n\n Then try logging in again.\n4. If you have not done so already, try authenticating using the\n [Authentication Plugin for Anthos](/anthos/clusters/docs/on-prem/1.11/how-to/oidc).\n If you are seeing an authorization error logging in with the plugin as well,\n then follow the\n [troubleshooting steps](/anthos/clusters/docs/on-prem/1.11/troubleshoot-identity-authorization)\n to resolve the issue with the plugin. Then try logging in via the\n Google Cloud console again.\n\n5. In some cases, if settings are changed on storage service, you might need to\n log out explicitly. In the Google Cloud console, go to the cluster details\n page, and click **Log out**. Then try logging in again."]]
