Appliance Logs
title: “Troubleshooting” description: “Troubleshooting issues” lead: "" date: 2023-06-12T12:20:59-06:00 lastmod: 2023-06-12T12:20:59-06:00 draft: false images: [] menu: docs: parent: “help” weight: 502 toc: true
Appliance Logs
The Trimble Access Management team can monitor appliance health as metrics and logs regarding the appliance will be forwarded to the Trimble Access Management team. You can also determine health by inspecting the health endpoint or logs that are JSON formatted to stdout on your running appliance container.
Server Error Codes
When calling a server API, you may receive an ErrorResponse with a Request ID and error message as part of an error. This can help the Trimble Access Management team triage your issue and provide better guidance when contacting them.
Scope of This Guide
Use this page to triage TAM Appliance incidents across these deployment modes:
- Main appliance runtime
- Appliance extension runtime
- Embedded runtime
- Offline and restricted-network (including gov cloud style) runtime
This guide consolidates common failures and recovery actions so you can diagnose quickly without switching between mode-specific troubleshooting files.
Quick Triage Workflow
- Confirm deployment mode and runtime state (process/container up, restart history, recent config changes).
- Check readiness (
GET /health/readyz) when available and collect a short log window around the first failure. - Match the error text to an issue in the lookup table below.
- Apply category recovery steps (startup, auth, bundle, or decision).
- If unresolved, collect the escalation package in Incident and Escalation Checklist.
Health Check by Deployment Mode
| Mode | Fast checks |
|---|---|
| Main appliance | Process/container running; /health/readyz healthy; ENVIRONMENT, CLIENT_ID, CLIENT_SECRET, API_PORT set; bundle endpoint reachable. |
| Extension runtime | Extension process running; health endpoint reachable where exposed; CLIENT_ID and CLIENT_SECRET valid; bundle source reachable. |
| Embedded runtime | Host process running; policy engine initialized; authorization header forwarding in place; decision payload shape valid. |
| Offline / gov cloud | OFFLINE_MODE=true; BUNDLE_PATH readable and points to .tar.gz; readiness healthy; no bundle status errors in logs. |
If needed, set LOG_LEVEL=debug, restart, and retest to capture high-value diagnostics.
Unified Error Lookup
Use this section to quickly map log text to root-cause category and affected mode.
| Error text to search | Category | Applies to |
|---|---|---|
| client credentials are not configured | Startup/config | Main, Offline |
| invalid_client | Startup/config | Main, Extension, Offline |
| Token generation failed for provided scopes | Startup/config | Main, Extension, Offline |
| Cannot launch API server - API listening port is not set via API_PORT env var | Startup/config | Main |
| policy engine not initialized yet | Startup/config | Main, Embedded |
| unable to load the bundle in the provided path | Bundle | Main, Extension, Offline |
| Provided path is not a .tar.gz file | Bundle | Main, Extension, Offline |
| Found errors in policy engine status update | Bundle | Main, Extension, Offline |
| Local bundle is outdated | Bundle | Offline |
| request is missing authorization header | Authentication | Main, Extension, Embedded, Offline |
| request header is missing bearer token | Authentication | Main, Extension, Embedded, Offline |
| JSONParseError | Decision/policy | Main, Extension, Embedded, Offline |
| UndefinedDecisionError | Decision/policy | Main, Offline |
| RegoBuiltinError | Decision/policy | Main, Extension, Offline |
| RegoEvaluationError | Decision/policy | Main, Extension, Embedded, Offline |
| OPA Decision Result is an error | Decision/policy | Main, Extension, Offline |
| Server Panic | Runtime/fatal | Main, Extension, Offline |
Detailed Resolution by Category
Startup and Configuration
Missing or invalid client credentials
Symptoms:
- Startup fails quickly, or token request returns
invalid_client.
Recovery:
- Verify
CLIENT_IDandCLIENT_SECRETare present and mapped to the correct tenant/environment. - Rotate credentials if they were revoked or expired.
- Restart the runtime and verify readiness.
Scope configuration failure
Symptoms:
- Startup or registration flow reports token generation failures for provided scopes.
Recovery:
- Validate scope metadata from package registration or cached registration data.
- Correct invalid scope values and retry registration/startup.
API port missing (main mode)
Symptoms:
- API server fails to launch with
API_PORTnot set.
Recovery:
- Set
API_PORTto a valid, free port. - Restart and confirm the service binds successfully.
Policy engine not ready
Symptoms:
- Requests fail while engine initialization is still in progress.
Recovery:
- Wait for initial policy/bundle load to complete.
- Check logs for bundle activation failures before retrying decisions.
Bundle and Policy Artifact
Invalid or unreadable bundle path
Symptoms:
- Runtime reports it cannot load a bundle from
BUNDLE_PATH.
Recovery:
- Ensure
BUNDLE_PATHpoints to an existing readable file. - Validate runtime filesystem permissions.
- Restart and confirm bundle load success.
Invalid bundle format
Symptoms:
- Startup or activation fails with bundle format errors.
Recovery:
- Replace the artifact with a valid
.tar.gzbundle. - Restart and verify policy engine status.
Bundle status update contains errors
Symptoms:
- Periodic status logs report bundle or activation errors.
Recovery:
- Inspect bundle status message payloads for exact failure reason.
- Validate endpoint reachability and artifact integrity.
- Retry until status is healthy and decisions recover.
Local bundle drift (offline mode)
Symptoms:
- Decisions behave unexpectedly with an outdated local artifact.
Recovery:
- Replace local bundle with the approved current artifact.
- Restart and re-validate expected decisions.
Authentication
Missing authorization header
Recovery:
- Ensure callers send the
Authorizationheader for protected endpoints.
Missing bearer token
Recovery:
- Ensure header format is
Authorization: Bearer <token>.
Decision and Policy Evaluation
JSON parse failure
Symptoms:
JSONParseErrorduring request handling.
Recovery:
- Validate request JSON syntax and schema.
- Re-test with a minimal known-good payload.
Undefined decision
Symptoms:
UndefinedDecisionErrorfor expected rule path.
Recovery:
- Verify namespace and rule path.
- Confirm active bundle contains the expected policy package/rule.
Rego builtin or evaluation failures
Symptoms:
RegoBuiltinErrororRegoEvaluationErrorin decision logs.
Recovery:
- Validate policy inputs and upstream dependency values.
- Review recent policy changes for invalid assumptions or type mismatches.
- Re-run with captured input to isolate policy logic issues.
OPA decision result error
Symptoms:
OPA Decision Result is an errorin runtime logs.
Recovery:
- Capture decision input, policy version, and OPA log context.
- Correlate with bundle activation and policy evaluation logs.
Runtime and Fatal Errors
Server panic
Recovery:
- Capture stack trace, request context, and approximate first-seen UTC time.
- Escalate immediately with the incident package.
Mode-Specific Notes
- Main mode:
API_PORTconfiguration and API server binding errors are main-runtime specific. - Extension mode: startup failures often surface around extension initialization and runtime config handoff.
- Embedded mode: focus on host process lifecycle and policy engine readiness before request troubleshooting.
- Offline mode: validate
OFFLINE_MODE=trueand local bundle quality first, then treat auth/decision errors as normal policy-path triage.
Incident and Escalation Checklist
Collect this information before contacting support or escalating to engineering:
- Error text and mapped category (from Unified Error Lookup).
- UTC timestamp and impact scope.
- Exact reproduction steps.
- Redacted logs around the failure window.
- Deployment mode and environment tuple values:
OFFLINE_MODE,DISABLE_REPORTING,BUNDLE_PATH,ENVIRONMENT,API_PORT.
- Actions already attempted and outcomes.
Escalate immediately for:
- Any server panic.
- Repeated undefined decisions after policy verification.
- Persistent bundle activation/status failures that block readiness.