Troubleshooting common errors.

Cause

Trust policy points at the wrong Axiom AWS account, or the role doesn't exist.

Fix

Re-copy the trust policy from /operator/onboarding exactly. Confirm the role appears in IAM → Roles.

Cause

The External ID in your trust policy condition doesn't match what Axiom sends.

Fix

Re-paste the External ID from the onboarding screen. It must match character-for-character. If you rotated, re-onboard to get a fresh ID.

Cause

Clock skew on the role's account, or a permissions boundary blocks sts:AssumeRole.

Fix

Check the role has no Permissions Boundary that excludes sts:AssumeRole. Confirm AWS account-level clock is in sync.

Cause

JSON syntax error in the trust or permission policy.

Fix

Use AWS Console's built-in JSON validator. Common issues: trailing commas, missing quotes, copy-paste line breaks.

Cause

Role has no permission to describe resources in the selected regions, or the regions truly have no resources.

Fix

Run aws sts get-caller-identity --profile axiom-role in CloudShell to confirm assumption works. Try a region with known resources.

Cause

Specific service Describe permission missing, or service not available in the region.

Fix

Confirm the permission policy includes all Describe* actions for the service. Check service availability for the region in AWS docs.

Cause

Background worker is offline or queue is saturated.

Fix

Wait 60 seconds and refresh. If still queued, disconnect/reconnect the cloud account to retrigger.

Cause

Large account (thousands of resources) — normal. Or rate limiting from AWS.

Fix

Initial scans on accounts with 1000+ resources can take 10-15 minutes. Subsequent scans are incremental and complete in 1-3 minutes.

Cause

Plan affects more resources than the configured blast-radius threshold.

Fix

Split the plan into smaller phases. Or raise the blast-radius threshold in governance settings (requires approval).

Cause

Axiom can't construct a pre-verified rollback for at least one item.

Fix

Review the plan items — usually a missing AWS backup, snapshot, or version. Enable the missing capability and re-plan.

Cause

Plan items expire after 24 hours if not approved.

Fix

Re-run the scan to generate a fresh plan with current state. Approve within the window.

Cause

Network, AWS API throttling, or pre-flight condition changed between approval and apply.

Fix

Rollback fires automatically. Check audit log for the exact failure. Re-plan and re-approve.

Cause

Org-level OAuth restriction or missing scopes.

Fix

Confirm the GitHub App installation has 'Read access to actions, contents, deployments, metadata, pull requests'. Org admin may need to approve.

Cause

Connector connected but webhook delivery failing.

Fix

Check GitHub App → Advanced → Recent Deliveries for failure reason. Re-deliver from there to retry.

Cause

Not enough deployment history (< 5 deploys) to compute the trend.

Fix

Wait for additional deploys. Or import historical data from your CI/CD system.

Cause

No real activity yet — feed falls back to sample events for orientation.

Fix

Run your first scan. After the first scan, the feed automatically switches to live data and shows a 'Live data' badge in the footer.

Cause

Insufficient scan history to render trends.

Fix

At least 2-3 scans are needed to render trend lines. After a week of recurring scans, all charts populate fully.