Cloud Permission Denied Playbook
Who this is for
Users whose cloud account shows an error status, or who are seeing permission-denied errors when provisioning servers, creating snapshots, or running cloud API operations.
Cloud Account Status Values
| Status | Meaning |
|---|---|
| active | Credentials are valid and all required permissions are confirmed |
| error | Credentials are invalid, expired, or missing required permissions |
| disconnected | Cloud account was intentionally disconnected |
Step 1 — Check the Cloud Account Status
- Go to Cloud Accounts in the sidebar.
- Find the account that is failing.
- Check the status badge and the Last checked timestamp.
- Click the account to see the detailed error message.
Provider-Specific Playbooks
AWS — Permission Denied
CloudAIPilot uses IAM role assumption (STS AssumeRole) to access your AWS account. Required setup:
- An IAM role in your account with a trust policy allowing CloudAIPilot to assume it.
- The role must have the required permissions (EC2, Route53, Cost Explorer for FinOps).
Common causes:
- Trust policy does not allow CloudAIPilot's AWS account ID.
- External ID in the trust policy does not match the external ID in CloudAIPilot.
- Role ARN was changed or the role was deleted.
- Required policies were removed from the role.
Fix:
- Go to AWS IAM → Roles → Find your CloudAIPilot role.
- Verify the trust policy includes the correct CloudAIPilot account ID and external ID.
- Verify the required policies are attached.
- In CloudAIPilot: go to the cloud account → Reconnect and re-enter the role ARN and external ID.
See KB-01-01: Connect AWS Account for the full setup guide.
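The trust-policy check from the Fix steps above, as an added example (not CloudAIPilot's own code): it takes the role's AssumeRolePolicyDocument as the AWS CLI prints it and reports whether the principal is the expected CloudAIPilot account and whether the sts:ExternalId condition matches. The account ID and external ID are constructed placeholders; use the values shown on the CloudAIPilot cloud-account page.

```python
# Added example (not CloudAIPilot's own code): check an IAM role's trust policy against
# the account ID and external ID shown in CloudAIPilot; both IDs below are placeholders.
EXPECTED_ACCOUNT_ID = "123456789012"           # placeholder: CloudAIPilot's AWS account ID
EXPECTED_EXTERNAL_ID = "cap-example-external"  # placeholder: external ID from CloudAIPilot


def check_trust_policy(policy: dict, account_id: str, external_id: str) -> list:
    """Return findings for an AssumeRolePolicyDocument (as `aws iam get-role`
    prints it); an empty list means the role trusts the expected account with
    a matching sts:ExternalId condition."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single bare statement object
        statements = [statements]
    trusted = {account_id, f"arn:aws:iam::{account_id}:root"}
    assume_stmts = 0
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        assume_stmts += 1
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(principals, str):
            principals = [principals]
        if not any(p in trusted for p in principals):
            findings.append("principal is not the expected CloudAIPilot account ID")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition")
        elif ext != external_id:
            findings.append("external ID does not match the one in CloudAIPilot")
    if assume_stmts == 0:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings


# Constructed sample: the shape of a correctly configured trust policy.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXPECTED_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}
```

A missing sts:ExternalId finding matters even when the account ID is right: the external ID is what prevents another tenant of the same service account from assuming your role.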
GCP — Permission Denied
CloudAIPilot uses a service account JSON key to access GCP. Required setup:
- A service account with appropriate roles (Compute Admin, Service Account User, etc.).
- The JSON key file must be valid and not expired.
Common causes:
- Service account was deleted or disabled.
- The JSON key was revoked.
- Required roles were removed from the service account.
- Wrong project ID.
Fix:
- Go to GCP Console → IAM → Service Accounts.
- Find the service account used for CloudAIPilot.
- Verify it is active and has required roles.
- Generate a new JSON key if needed.
- In CloudAIPilot: update the cloud account with the new JSON key.
See KB-01-02: Connect GCP Account.
Azure — Permission Denied
CloudAIPilot uses service principal credentials (tenantId, clientId, clientSecret, subscriptionId). Required setup:
- An Azure App Registration with a client secret.
- The service principal must have Contributor role on the subscription.
Common causes:
- Client secret expired (Azure secrets have configurable expiry, often 1–2 years).
- Contributor role was removed.
- App registration was deleted.
- Wrong subscription ID.
Fix:
- Go to Azure Portal → App Registrations → Find your CloudAIPilot app.
- Under Certificates & secrets: check if the secret has expired. Create a new secret if needed.
- Verify the service principal still has the Contributor role under the subscription's Access control (IAM).
- In CloudAIPilot: update the cloud account with the new client secret.
See KB-01-03: Connect Azure Account.
DigitalOcean — Permission Denied
CloudAIPilot uses a Personal Access Token with read+write scope.
Common causes:
- Token was deleted or expired.
- Token was created with read-only scope.
Fix:
- Go to DigitalOcean → API → Personal Access Tokens.
- Delete the old token and generate a new token with read and write permissions.
- In CloudAIPilot: update the cloud account with the new token.
See KB-01-04: Connect DigitalOcean Account.
Step 2 — Reconnect the Cloud Account
After fixing credentials at the provider:
- Go to Cloud Accounts → open the account.
- Click Reconnect (or Edit).
- Enter the new credentials.
- Click Save and Test.
CloudAIPilot runs a connectivity test. Status should change to active within a few seconds.
Related Articles
- KB-01-05: Verify Permissions and Fix IAM/RBAC Issues
- KB-01-06: Reconnect or Rotate Credentials Safely
- KB-01-08: Cloud Account Health Checks