Harvesting Failure Messages
Common Harvesting Failure Messages and Details on What They Mean
This page describes common failure messages associated with Harvesting. Within InsightCloudSec, the "Failure Context" field provides messages that point to the different reasons behind harvest failures, which normally have different solutions to achieve a successful harvest. Sometimes the same message can have a different meaning depending on the cloud type.
Harvesting Failure Context, or failure messages, are available under the individual cloud detail pages.
From the main navigation under "Cloud --> Clouds" select your cloud account from the Listing page, and then select the "Harvest Info" section.
Messages about failures appear under the "Failure Context" column, as shown in the example above.
For assistance with any of the issues outlined below, reach out to us through the Customer Support Portal.
Failure Context Details
An issue with assuming the role. For AWS, this message could apply to instance assume role or STS assume role.
- AWS: Confirm that the role you are assuming has an assume role/STS policy attached. Confirm that your ARN is correct. Confirm that your external ID, if you have one, is correct.
The credentials used to add the cloud account are no longer valid.
- AWS: It is possible that the external ID used in your trust relationship has been changed. It is also possible that long-term API credentials, which are deprecated, have been deactivated or are expired.
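The AWS checks listed for the two failures above (an assume role/STS policy is attached, the ARN is correct, the external ID is correct) can be run offline against a role's trust policy document. The following Python sketch is an added example, not InsightCloudSec code; the function names, the sample policy and every ARN and ID in it are constructed placeholders.

```python
import json

# Constructed sample: account ID, role name and external ID are placeholders.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/example-harvester"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})


def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_principal, expected_external_id=None):
    """Return a list of findings; an empty list means the trust policy matches.

    Assumption: principals and actions are compared as exact strings, so
    wildcards and account-root principals are not expanded.
    """
    statements = _as_list(json.loads(policy_json).get("Statement"))
    allows = [s for s in statements
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allows:
        return ["no Allow statement grants sts:AssumeRole"]
    trusted = [s for s in allows
               if isinstance(s.get("Principal"), dict)
               and expected_principal in _as_list(s["Principal"].get("AWS"))]
    if not trusted:
        return ["no sts:AssumeRole statement trusts " + expected_principal]
    findings = []
    for stmt in trusted:
        required = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not required and expected_external_id is None:
            return []
        if expected_external_id in required:
            return []
        if required:
            findings.append("external ID does not match the trust policy condition")
        else:
            findings.append("statement does not enforce the configured external ID")
    return findings
```

A finding about an unenforced external ID does not by itself cause a harvest failure, but it means the trust relationship is not protected by the external ID you configured.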
The resource has been disabled locally and will no longer attempt to harvest.
- If you wish to resume harvesting the resource, change its setting on the Cloud Listing page under Disabled Resources.
The harvest failure is likely due to an operational or code issue.
- Try to manually enqueue the harvest and confirm that the attempt either succeeds or fails. If it fails again, submit a trouble ticket so we can investigate further with you.
The harvest failure is due to an issue at the remote end of the API call.
- Either let the next scheduled harvest run or try to manually enqueue the harvest and confirm that the attempt either succeeds or fails. If it fails again, then the provider may be experiencing longer-term technical issues.
The harvest API call has been declined by the provider because the customer has reached the limit of API calls the provider will accept from the customer during that window of time.
- Rate limits are customer-based, not product-based, so the issue may be due to API calls made outside of InsightCloudSec.
- To reduce the number of API calls InsightCloudSec makes, consider enabling Event-Driven Harvesting, which makes resource-specific calls based upon specific events, or updating your Harvesting Strategy to reduce the frequency of API calls.
- Read more about Event-Driven Harvesting on the Harvesting Overview page.
The harvest API call did not complete in time.
- Either let the next scheduled harvest run or try to manually enqueue the harvest and confirm that the attempt either succeeds or fails. If it fails again, then the provider may be experiencing technical issues similar to PROVIDER_ERROR.
The harvest failure is due to invalid permissions related to that API call.
- AWS: Make sure that the role you are using to harvest resources has the necessary permissions. The easiest way to confirm that appropriate permissions are in place is to check the Visibility status on the Cloud Listing page.
- You may need to rescan to validate current permissions. If the status is green, then please contact support as a required permission may be missing from our documentation. If the status is yellow, then it should specify the missing permissions.
UNAUTHORIZED SCP (AWS-Only)
The harvest failure is due to a Service Control Policy that is explicitly denying permission for the API call.
- Review any Service Control Policies that are in effect for the impacted account to look for policies that may be denying access and update them as desired to add access.