Credential Issues

Admin Only

Cloud credentials are managed by organization administrators.

This guide covers common problems with cloud credentials and how to resolve them.

Understanding Credential Status

Navigate to Credentials under the Admin section in the sidebar. Each credential shows a status indicator:

  • Valid (green) — Credential verified and working
  • Invalid (red) — Verification failed
  • Unverified (gray) — Not yet checked

When a credential is created, EntryGuard verifies it asynchronously by contacting the cloud provider. The status updates automatically within a few seconds.

Credential Shows "Invalid"

What you see: A credential's status column shows Invalid (red) in the credentials table.

Common causes and solutions:

1. Access Key Rotated or Deleted

The AWS access key has been rotated or deleted in IAM.

Resolution:

  1. Create a new access key in the AWS IAM Console
  2. In EntryGuard, navigate to Credentials and delete the old credential
  3. Click Add Credential and enter the new access key details
  4. Reassign the affected resources to the new credential

2. IAM Policy Too Restrictive

The IAM user lacks the permissions EntryGuard needs in order to verify the credential.

Resolution:

  1. Navigate to IAM Policy under the Admin section in EntryGuard
  2. Copy the generated policy
  3. Attach this policy to the IAM user in AWS IAM Console
  4. Wait a few minutes for AWS to propagate the changes
  5. Delete and recreate the credential in EntryGuard to trigger re-verification

3. Region Mismatch

The credential's region doesn't match the region of the resources it's assigned to.

Symptoms: Resources show errors like "The security group does not exist" even though the security group exists in AWS.

Resolution:

  1. Verify which AWS region your security groups are in
  2. Delete the credential and recreate it with the correct region
  3. Create separate credentials for each region if managing multi-region infrastructure

4. IAM User Disabled or Deleted

The IAM user has been deactivated or removed from AWS.

Resolution:

  1. Check the IAM user status in AWS Console
  2. If deleted, create a new IAM user with the required permissions
  3. Generate new access keys for the user
  4. Create a new credential in EntryGuard

Required IAM Permissions

The IAM user associated with your credential needs these permissions:

  • ec2:AuthorizeSecurityGroupIngress — Add IP rules to security groups
  • ec2:RevokeSecurityGroupIngress — Remove IP rules from security groups
  • ec2:DescribeSecurityGroups — Verify security group existence
  • sts:GetCallerIdentity — Verify credential identity

Tip: Use the IAM Policy page under the Admin section to generate the correct policy automatically. It includes only the security groups you've registered as resources.
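To show what a policy scoped to registered security groups looks like, and how to check an existing policy for missing actions when "IAM Policy Too Restrictive" is suspected, here is an added example. It is not the output of EntryGuard's IAM Policy page; the account ID, region and group IDs are constructed placeholders. The two ingress actions accept a security-group ARN as the resource, while ec2:DescribeSecurityGroups and sts:GetCallerIdentity do not support resource-level permissions and so are granted on "*".

```python
"""Added example: build and check the least-privilege policy the guide describes."""
import fnmatch
import json
from typing import Iterable

SCOPED_ACTIONS = ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"]
GLOBAL_ACTIONS = ["ec2:DescribeSecurityGroups", "sts:GetCallerIdentity"]
REQUIRED_ACTIONS = set(SCOPED_ACTIONS) | set(GLOBAL_ACTIONS)


def security_group_arn(region: str, account_id: str, group_id: str) -> str:
    return f"arn:aws:ec2:{region}:{account_id}:security-group/{group_id}"


def build_policy(region: str, account_id: str, group_ids: Iterable[str]) -> dict:
    """Rule changes are limited to the listed groups; the verification calls need '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ManageRegisteredSecurityGroups", "Effect": "Allow",
             "Action": SCOPED_ACTIONS,
             "Resource": [security_group_arn(region, account_id, g) for g in group_ids]},
            {"Sid": "VerifyCredential", "Effect": "Allow",
             "Action": GLOBAL_ACTIONS, "Resource": "*"},
        ],
    }


def missing_actions(policy: dict) -> set:
    """Required actions that no Allow statement grants. Honours IAM action wildcards
    such as 'ec2:Describe*' or '*' (case-insensitively); it does not evaluate Deny
    statements or resource scoping, so a clean result is necessary, not sufficient."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for pattern in actions:
            granted.update(a for a in REQUIRED_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return REQUIRED_ACTIONS - granted


if __name__ == "__main__":
    policy = build_policy("us-east-1", "123456789012", ["sg-abc123", "sg-def456"])
    print(json.dumps(policy, indent=2))
    # A read-only policy is the typical "Invalid" culprit: verification passes
    # DescribeSecurityGroups but EntryGuard cannot change any rules.
    read_only = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
    print("missing:", sorted(missing_actions(read_only)))
```

Paste the generated JSON as an inline policy on the IAM user, wait for propagation, then delete and recreate the credential as described under "IAM Policy Too Restrictive".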

Re-Verifying a Credential

Credentials are verified automatically when created. To re-verify after fixing an issue:

  1. Navigate to Credentials under the Admin section
  2. Delete the invalid credential (click the trash icon)
  3. Click Add Credential and enter the same (or updated) details
  4. The new credential will be verified automatically

Alternatively, you can verify individual resources:

  1. Navigate to Resources under the Admin section
  2. Click Verify capacity on a resource to test its credential and connectivity

Credential Works in AWS But Not EntryGuard

What you see: You can use the IAM user in the AWS Console, but the credential shows Invalid in EntryGuard.

Why this happens: AWS Console access uses different permissions than programmatic (API) access. The IAM user may have console login permissions but lack API access keys or EC2 API permissions.

Resolution:

  1. In AWS IAM Console, navigate to the user's Security credentials tab
  2. Ensure at least one Access key is active
  3. Verify you're using the correct Access Key ID and Secret Access Key (not the console password)
  4. Attach the required IAM permissions listed above

Tip: To test credentials independently, use the AWS CLI:

aws sts get-caller-identity
aws ec2 describe-security-groups --group-ids sg-abc123

If these commands fail, the credentials or permissions need to be fixed in AWS first.

Multiple Credentials

You can create multiple credentials for the same cloud provider. This is useful for:

  • Multi-region deployments — One credential per AWS region
  • Environment separation — Separate credentials for dev, staging, and production
  • Team isolation — Different credentials for different projects

Best practice: Use clear, descriptive names like "AWS Production (us-east-1)" or "AWS Dev (eu-west-1)".

Getting Help

If you've tried the solutions above and are still experiencing credential issues:

  1. Check the error details — The credential status tooltip or verification error gives specific information about what failed
  2. Check audit logs — Navigate to Audit Logs under the Admin section and filter by credential-related events
  3. Test independently — Use the AWS CLI with the same credentials to verify they work outside EntryGuard
  4. Contact support at [email protected] with the credential name, provider, and error message

API Reference: For programmatic access, see List Credentials.