Stay organized with collections
Save and categorize content based on your preferences.
This document gives troubleshooting guidance for issues you might encounter
during registration and connection.
Invalid configuration
If Google Cloud console cannot read the OIDC configuration from your
cluster, the LOGIN button is disabled.
Login URL not found
The following issue occurs when the Google Cloud console is not able to reach
the identity provider.
An attempt to log in gets redirected to a page with a "URL not found" error.
To resolve this issue:
If the identity provider is not reachable over the public internet, then you
need to enable the OIDC HTTP proxy to log in via Google Cloud console. In the
authentication.oidc section of your cluster configuration file, set
deployCloudConsoleProxyto true. If you have already created a cluster
and want to turn on the proxy, you can edit the ClientConfig custom resource
directly and set useHTTPProxy to true:
If the HTTP proxy is enabled and you are still seeing this error, there might
have been an issue with the proxy starting up. To get the logs of the proxy:
Note that even if your identity provider has a well-known CA, for the HTTP
proxy to start, you must provide a value for authentication.oidc.caPath in
your cluster configuration file.
If the authorization server prompts for consent, and you have not included
the extraparamprompt=consent, then you might see this error. Edit the
ClientConfig object, and add prompt=consent to extraparams:
If you have not done so already, try authenticating using the
Authentication Plugin for Anthos.
If you are seeing an authorization error logging in with the plugin as well,
then follow the
troubleshooting steps
to resolve the issue with the plugin. Then try logging in via the
Google Cloud console again.
In some cases, if settings are changed on storage service, you might need to
log out explicitly. In the Google Cloud console, go to the cluster details
page, and click Log out. Then try logging in again.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide offers troubleshooting steps for resolving registration and connection problems.\u003c/p\u003e\n"],["\u003cp\u003eA disabled \u003cstrong\u003eLOGIN\u003c/strong\u003e button in the Google Cloud console indicates that the OIDC configuration cannot be read from the cluster.\u003c/p\u003e\n"],["\u003cp\u003eA "URL not found" error during login suggests the Google Cloud console cannot reach the identity provider, which can be resolved by enabling the OIDC HTTP proxy.\u003c/p\u003e\n"],["\u003cp\u003eIf the proxy fails to start, it will need to be troubleshooted via logs using a provided command, in addition to the requirement of a value for \u003ccode\u003eauthentication.oidc.caPath\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eTo resolve a consent prompt error, add \u003ccode\u003eprompt=consent\u003c/code\u003e to \u003ccode\u003eextraparams\u003c/code\u003e in the ClientConfig object.\u003c/p\u003e\n"]]],[],null,["# Troubleshooting registration and connection\n\nThis document gives troubleshooting guidance for issues you might encounter\nduring registration and connection.\n\nInvalid configuration\n---------------------\n\nIf Google Cloud console cannot read the OIDC configuration from your\ncluster, the **LOGIN** button is disabled.\n\nLogin URL not found\n-------------------\n\nThe following issue occurs when the Google Cloud console is not able to reach\nthe identity provider.\n\nAn attempt to log in gets redirected to a page with a \"URL not found\" error.\n\nTo resolve this issue:\n\n1. If the identity provider is not reachable over the public internet, then you\n need to enable the OIDC HTTP proxy to log in via Google Cloud console. In the\n `authentication.oidc` section of your cluster configuration file, set\n `deployCloudConsoleProxy`to `true`. If you have already created a cluster\n and want to turn on the proxy, you can edit the ClientConfig custom resource\n directly and set `useHTTPProxy` to `true`:\n\n ```\n kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public\n ```\n2. If the HTTP proxy is enabled and you are still seeing this error, there might\n have been an issue with the proxy starting up. To get the logs of the proxy:\n\n ```\n kubectl --kubeconfig USER_CLUSTER_KUBECONFIG logs deployment/clientconfig-operator -n kube-system\n ```\n\n Note that even if your identity provider has a well-known CA, for the HTTP\n proxy to start, you must provide a value for `authentication.oidc.caPath` in\n your cluster configuration file.\n3. If the authorization server prompts for consent, and you have not included\n the `extraparam` `prompt=consent`, then you might see this error. Edit the\n ClientConfig object, and add `prompt=consent` to `extraparams`:\n\n ```\n kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public\n ```\n\n Then try logging in again.\n4. If you have not done so already, try authenticating using the\n [Authentication Plugin for Anthos](/anthos/clusters/docs/on-prem/1.7/how-to/oidc).\n If you are seeing an authorization error logging in with the plugin as well,\n then follow the\n [troubleshooting steps](/anthos/clusters/docs/on-prem/1.7/troubleshoot-identity-authorization)\n to resolve the issue with the plugin. Then try logging in via the\n Google Cloud console again.\n\n5. In some cases, if settings are changed on storage service, you might need to\n log out explicitly. In the Google Cloud console, go to the cluster details\n page, and click **Log out**. Then try logging in again."]]