This document describes how to resolve common errors that occur when you use Authentication using Agent Identity with the auth manager.
Redirect URI mismatch
If you receive a redirect URI mismatch error from the third-party application
during the OAuth flow, ensure that the redirect URI registered in the
third-party developer portal exactly matches the URI generated by the
auth manager.
To resolve this issue, find the generated redirect URI by viewing the auth provider
details in the Cloud de Confiance console or run the following gcloud command:
gcloud alpha agent-identity connectors describe AUTH_PROVIDER_NAME \
    --location="LOCATION"
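Providers compare redirect URIs byte for byte, so a mismatch is often a single overlooked component such as a trailing slash, an explicit port, or host-name case. The helper below is an added example (not part of this page or the auth manager) that reports which components of the registered and generated URIs differ; the sample URIs are constructed.

```python
from urllib.parse import urlsplit


def redirect_uri_differences(registered: str, generated: str) -> list[str]:
    """Return a list of human-readable differences between two redirect URIs.

    An empty list means the two strings are an exact match, which is what
    the OAuth flow requires. Otherwise each differing URL component is
    listed, followed by hints for the most common causes.
    """
    if registered == generated:
        return []
    a, b = urlsplit(registered), urlsplit(generated)
    diffs = []
    for part in ("scheme", "netloc", "path", "query", "fragment"):
        x, y = getattr(a, part), getattr(b, part)
        if x != y:
            diffs.append(f"{part}: registered={x!r} generated={y!r}")
    # Hints for mismatches that are easy to miss when reading the two URIs.
    if a.netloc != b.netloc and a.netloc.lower() == b.netloc.lower():
        diffs.append("hint: host differs only by letter case")
    if a.path != b.path and a.path.rstrip("/") == b.path.rstrip("/"):
        diffs.append("hint: trailing slash differs")
    if not diffs:
        # urlsplit normalizes the scheme to lowercase, so e.g. 'HTTPS://' vs
        # 'https://' differs as a string but not component-wise.
        diffs.append("hint: strings differ only in scheme case or encoding")
    return diffs


if __name__ == "__main__":
    # Constructed sample: the portal entry has a trailing slash, the generated URI does not.
    for line in redirect_uri_differences("https://auth.example/cb/", "https://auth.example/cb"):
        print(line)
```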
Missing user role
If your agent can't use the auth provider, verify that the agent identity
has the roles/iamconnectors.user role on the auth provider resource.
To resolve this issue, grant the role using the Cloud de Confiance console or run the add-iam-policy-binding command.
Issuer endpoint issues
For OIDC providers, verify that the issuer endpoint is publicly accessible and
supports the .well-known/openid-configuration discovery document.
If Cloud de Confiance can't fetch the OIDC metadata or JWKS, ensure that the endpoint isn't behind a firewall or restricted network.
401 UNAUTHENTICATED error
If your agent can't authenticate, the following error might occur. This error is typically caused by a Google-managed Context-Aware Access policy that enforces mTLS binding and DPoP cryptographic proofs:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
To resolve this error, you can opt out of the default Context-Aware Access policy when you have specific token-sharing requirements or must inject the token directly in the header. To opt out, set the following environment variable when you deploy your agent:
config={
    "env_vars": {
        "GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES": False,
    }
}
API key service blocked (API_KEY_SERVICE_BLOCKED)
When you validate your API key, the following error might occur. This error indicates that the service is blocked:
"details": [
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "reason": "API_KEY_SERVICE_BLOCKED",
    "domain": "googleapis.com",
    "metadata": {
      "methodName": "google.cloud.translate.v2.TranslateService.TranslateText",
      "service": "translate.googleapis.com",
      "consumer": "projects/PROJECT_NUMBER",
      "apiName": "translate"
    }
  },
  {
    "@type": "type.googleapis.com/google.rpc.LocalizedMessage",
    "locale": "en-US",
    "message": "Requests to this API translate method google.cloud.translate.v2.TranslateService.TranslateText are blocked."
  }
]
This error occurs because the target API service (for example, Cloud Translation API) hasn't been enabled in your Cloud de Confiance project, or the API key's restrictions don't allow access to this service.
To resolve this error, perform these steps:
- In the Cloud de Confiance console, go to the APIs & Services > Library page and ensure that the target API is enabled.
- In the Cloud de Confiance console, go to the APIs & Services > Credentials page, edit your API key, and verify that its API restrictions allow access to the service.
Invalid API key (API_KEY_INVALID)
When sending requests to a third-party service, the following error might occur. This error indicates that the API key is invalid:
"details": [
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "reason": "API_KEY_INVALID",
    "domain": "googleapis.com",
    "metadata": {
      "service": "translate.googleapis.com"
    }
  },
  {
    "@type": "type.googleapis.com/google.rpc.LocalizedMessage",
    "locale": "en-US",
    "message": "API key not valid. Please pass a valid API key."
  }
]
This error occurs because the API key string passed in your request header is incorrect, malformed, or doesn't exist in your project credentials.
To resolve this error, verify that you copied the correct API key string from the Credentials page in the Cloud de Confiance console and that no leading or trailing whitespace was included.
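The machine-readable part of these responses is the google.rpc.ErrorInfo entry in details, whose reason and metadata fields identify the failing service and method. The triage helper below is an added example (not part of this page or any Google library) that extracts those fields from an error body and maps the reason codes and the 401 status documented above to the matching remediation; the sample payloads are constructed from the shapes shown on this page.

```python
ERROR_INFO_TYPE = "type.googleapis.com/google.rpc.ErrorInfo"

# Remediation hints for the reason codes and status this page documents.
HINTS = {
    "API_KEY_SERVICE_BLOCKED": "enable the target API under APIs & Services > Library "
                               "and check the key's API restrictions",
    "API_KEY_INVALID": "re-copy the key from the Credentials page and strip "
                       "leading/trailing whitespace",
}
UNAUTHENTICATED_HINT = ("check the Context-Aware Access policy (mTLS/DPoP); "
                        "opt out only if you must inject the token yourself")


def triage_error(payload: dict) -> dict:
    """Summarize a google.rpc-style error body and attach a remediation hint.

    Accepts either a full response body ({"error": {...}}) or a bare error
    object that carries "details" at the top level, as in the samples above.
    """
    err = payload.get("error", payload)
    result = {"code": err.get("code"), "status": err.get("status"),
              "reason": None, "service": None, "method": None, "hint": None}
    for detail in err.get("details", []):
        if detail.get("@type") == ERROR_INFO_TYPE:
            meta = detail.get("metadata", {})
            result["reason"] = detail.get("reason")
            result["service"] = meta.get("service")
            result["method"] = meta.get("methodName")
    if result["reason"] in HINTS:
        result["hint"] = HINTS[result["reason"]]
    elif result["status"] == "UNAUTHENTICATED" or result["code"] == 401:
        result["hint"] = UNAUTHENTICATED_HINT
    return result


# Constructed samples mirroring the error shapes shown on this page.
BLOCKED_SAMPLE = {"details": [
    {"@type": ERROR_INFO_TYPE, "reason": "API_KEY_SERVICE_BLOCKED", "domain": "googleapis.com",
     "metadata": {"methodName": "google.cloud.translate.v2.TranslateService.TranslateText",
                  "service": "translate.googleapis.com", "apiName": "translate"}}]}
INVALID_SAMPLE = {"details": [
    {"@type": ERROR_INFO_TYPE, "reason": "API_KEY_INVALID", "domain": "googleapis.com",
     "metadata": {"service": "translate.googleapis.com"}}]}
UNAUTHENTICATED_SAMPLE = {"error": {"code": 401, "status": "UNAUTHENTICATED",
                                    "message": "Request had invalid authentication credentials."}}

if __name__ == "__main__":
    for sample in (BLOCKED_SAMPLE, INVALID_SAMPLE, UNAUTHENTICATED_SAMPLE):
        print(triage_error(sample))
```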
Permission denied retrieving credentials (iamconnectors.connectors.retrieveCredentials)
When running adk web locally or interacting with your deployed agent, the following 403 Forbidden error might occur:
google.api_core.exceptions.Forbidden: 403 POST https://iamconnectorcredentials.mtls.googleapis.com/v1alpha/projects/PROJECT_ID/locations/LOCATION/connectors/AUTH_PROVIDER_NAME/credentials:retrieve?%24alt=json%3Benum-encoding%3Dint: Permission 'iamconnectors.connectors.retrieveCredentials' denied on resource '//iamconnectors.googleapis.com/projects/PROJECT_ID/locations/LOCATION/connectors/AUTH_PROVIDER_NAME' (or it may not exist).
This error occurs because the principal attempting to invoke the auth provider doesn't have the required IAM permissions to retrieve credentials.
To resolve this error, grant the Connector User (roles/iamconnectors.user) role to the principal:
- If this error occurs during local development (uv run adk web or uvicorn), ensure that you have granted the role to your personal user account (user:USER_EMAIL).
- If this error occurs when interacting with a deployed agent, ensure that you have granted the role to your agent's SPIFFE ID principal (principal://agents.global.org-ORGANIZATION_ID.system.id.goog/resources/aiplatform/projects/PROJECT_NUMBER/locations/LOCATION/reasoningEngines/ENGINE_ID).
Generic deployment failure
When deploying your agent using uv run adk deploy, the command might fail with a generic error message.
This error occurs because of missing Python dependencies, syntax errors in agent.py, or misconfigured environment variables.
To resolve this error, do the following:
- Open the Cloud de Confiance console and go to the Logs Explorer page.
- Search for the temporary deployment container logs (for example, maps_mcp_agent_tmp... or bigquery_mcp_agent_tmp...).
- Check the Python traceback to identify the syntax error or trace missing packages.
- Ensure that all required packages are listed in your requirements.txt file.