Troubleshooting¶

Consolidated fixes across all clouds. Still stuck? Email contact@argmin.co with the failing command's output — onboarding is white-glove.

AWS¶

Symptom	Most likely cause
Argmin reports "AccessDenied" assuming the role	`external_id` mismatch — confirm with your onboarding contact.
Argmin reports CUR data is missing	CUR bucket name or prefix doesn't match `terraform.tfvars`.
Argmin reports Bedrock data is missing	`enable_bedrock_access = false`, or Bedrock invocation logging isn't enabled. See AWS docs.
`terraform apply` fails on `iam:CreateRole`	Caller lacks IAM admin. Run as a user with `IAMFullAccess` or equivalent.

Symptom	Most likely cause
"unauthorized_client" / "subject not allowed"	`wif_allowed_subjects` is missing the exact subject Argmin signs with. Exact-string, no wildcards.
BigQuery query returns empty	`billing_dataset_id` is set but the dataset doesn't exist or isn't the billing export. Check `bq ls`.
Vertex AI logs missing	Cloud Logging exclusion filters are dropping Vertex AI rows before the sink Argmin reads.
`terraform apply` fails creating the WIF pool	Caller lacks `roles/iam.workloadIdentityPoolAdmin`. Have an admin grant it, or apply from a CI runner that has it.

Symptom	Most likely cause
"AADSTS70021" / "no matching federated identity record"	`federated_credential_subject` mismatch — Argmin's signing subject doesn't match the module.
Cost Management returns empty	Tenant-scoped permissions for EA/CSP customers; ask Argmin whether your enrollment account ID must be added separately.
Azure OpenAI usage missing	Inference is going through APIM or an Event Hub; flip the matching `enable_*` flag and `terraform apply`.
`terraform apply` fails on `azuread_application`	Terraform principal lacks `Application.ReadWrite.OwnedBy`. Run as a Global Administrator or have an admin grant it.

What happened	Meaning	Do this
A read probe failed (`403`)	Permission gap — a granted role didn't actually apply	Re-check `terraform apply` succeeded; share the output with Argmin.
A write probe succeeded	Security finding — the identity has more than read access	Stop. Do not hand outputs to Argmin; contact your onboarding rep immediately.

Symptom	Cause
`401 Unauthorized`	Missing/invalid `Authorization: Bearer` or `X-API-Key`.
`422 Unprocessable Entity`	Payload failed schema validation. Check the required fields (`event_id`, `ingestion_layer`, `ingestion_timestamp`, `provider`, `requested_model`) and that `estimated_cost_usd` is a string.
Event accepted (`202`) but not in dashboard	Allow ~30s; confirm you're querying the same tenant/instance.

Symptom	Cause
Calls work but aren't attributed	The proxy records the call but has no identity hint — add the identity header your platform team configured.
Latency concern	The proxy is fail-open on a hard budget; if it's ever slow it forwards anyway. Report sustained latency to Argmin.