Common issues and solutions for ops0 platform.
Symptoms: Integration test fails with access denied or insufficient permissions.
Solutions:
Verify the IAM role trust policy includes ops0's AWS account ID.
Check the external ID matches what ops0 shows.
Ensure Workload Identity Federation is configured correctly.
Verify the service principal has the Contributor role.
Symptoms: Unable to log in via SSO, redirect loop, or error page.
Solutions:
| Check | Solution |
|---|---|
| SSO provider configuration | Verify ACS URL and Entity ID match ops0 settings |
| Certificate expiration | Update SAML certificate if expired |
| User provisioning | Ensure user exists in both SSO provider and ops0 |
| Browser cookies | Clear cookies and try again |
Symptoms: Project fails to initialize, missing providers.
Solutions:
Ensure your required_providers block is valid:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
Symptoms: Can't run plan or apply, state is locked.
Solutions:
Symptoms: Plan shows changes even though you didn't modify anything.
Common causes:
| Cause | Solution |
|---|---|
| Drift | Someone changed resources manually in the console |
| Provider upgrade | New provider version changed default values |
| State refresh | Cloud API returned different values |
Run Drift Detection to see what changed and decide whether to update code or revert the change.
Symptoms: Cluster shows disconnected, no pod data.
Solutions:
kubectl get pods -n ops0
kubectl logs -n ops0 -l app=ops0-agent
Ensure connectivity from the agent to the ops0 control plane endpoint used by brew.ops0.ai over port 443.
Check for network policies blocking egress.
Symptoms: ops0 agent pod keeps restarting.
Solutions:
kubectl logs -n ops0 -l app=ops0-agent --previouskubectl auth can-i list pods --as=system:serviceaccount:ops0:ops0-agentSymptoms: Workflow won't start, shows pending forever.
Solutions:
| Check | Solution |
|---|---|
| Trigger condition | Verify trigger event actually occurred |
| Approval step | Check if workflow is waiting for approval |
| Resource limits | ops0 may be rate-limiting concurrent workflows |
Symptoms: Approval step reached but no Slack/email notification.
Solutions:
Symptoms: Policy fails on every deployment, even compliant ones.
Solutions:
Use the policy editor's "Test" feature with sample input to debug.
Example: Use aws_s3_bucket, not aws_s3.
Click "View Input" in a failed policy check to see the actual JSON being evaluated.
Symptoms: ops0 not posting plan results to pull requests.
Solutions:
Symptoms: Push/pull fails with merge conflicts.
Solutions:
Symptoms: Files not syncing, merge request creation fails.
Solutions:
| Check | Solution |
|---|---|
| Token type | Use a Personal, Group, or Project Access Token with api scope |
| Token expiration | Regenerate if expired |
| Self-hosted URL | Verify the GitLab instance URL is correct in integration settings |
| Repository access | Ensure the token has access to the target repository |
Symptoms: Enabling Oxid on a project fails during initialization.
Solutions:
postgres:// or postgresql://)Symptoms: SQL queries return empty results despite having deployed resources.
Solutions:
Your cloud integration credentials are invalid or expired. Go to Settings → Integrations and re-authenticate.
Another deployment is in progress for this project. Wait for it to complete or cancel it if stuck.
Your changes violate a blocking policy. Review the violation details and fix your code before deploying.
ops0 can't connect to your Kubernetes cluster. Check that the agent is running and can reach the internet.
You've hit API rate limits with your cloud provider. Wait a few minutes and retry, or request limit increases.
If you can't resolve an issue:
Use the company site for contact and product context.
Go directly to the ops0 workspace.
When contacting support, include: