Troubleshooting
Most issues fall into a small set of buckets. Find the error code or symptom below for the fix.
Account connection issues
ASSUME_ROLE_FAILED: Access denied
IRIS attempted to assume the role in your AWS account but was denied. This is the most common issue after setup.
Check
- The Principal ARN in the trust policy exactly matches the IRIS scanner ARN shown in Settings → Account Connections. Copy it fresh from the portal — do not type it manually.
- The External ID in the trust policy matches the External ID shown in the portal. It must be in a StringEquals condition under sts:ExternalId.
- The role name is correct and exists in the right AWS account.
- The trust policy has been saved — in the AWS Console, click Update policy after making changes, not just Edit.
To fix
Go to Settings → Account Connections, click the account, and the setup wizard will show you the correct trust policy to use. Update the trust policy in IAM and click Retry verification.
MISSING_ROLE_ARN: No role configured
The account has been registered but no Role ARN has been entered.
To fix
Go to Settings → Account Connections, edit the account, and paste in the Role ARN from your IAM role.
MISSING_EXTERNAL_ID: No External ID
The role's trust policy does not include the External ID condition, or the External ID is wrong.
To fix
Open the trust policy in IAM and ensure the Condition block matches exactly what the portal shows.
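The trust policy checks listed under ASSUME_ROLE_FAILED and MISSING_EXTERNAL_ID can be run offline against the policy JSON copied from IAM. This is an added example, not IRIS code: the function names are hypothetical, and the ARN and External ID are constructed placeholders to be replaced with the values shown in the portal.

```python
import json

# Constructed placeholders, not real IRIS identifiers.
SCANNER_ARN = "arn:aws:iam::111111111111:role/example-scanner"
EXTERNAL_ID = "example-external-id"

def _as_list(value):
    # IAM accepts either a single value or a list in these fields.
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, scanner_arn, external_id):
    """Return a list of problems; an empty list means the policy checks pass."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    allows = [s for s in statements
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    problems = []
    for stmt in allows:
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if scanner_arn not in arns:
            problems.append(f"principal mismatch: policy has {arns}")
            continue
        found = {}  # condition operator -> values given for sts:ExternalId
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                if key.lower() == "sts:externalid":  # key names are case-insensitive
                    found[operator] = _as_list(value)
        if not found:
            problems.append("no sts:ExternalId condition")
        elif "StringEquals" not in found:
            problems.append(f"sts:ExternalId is under {sorted(found)}, not StringEquals")
        elif external_id not in found["StringEquals"]:
            problems.append("External ID value does not match the portal")
        else:
            return []  # one fully matching statement is enough
    return problems

def sample_policy(principal_arn, condition):
    # Builds a constructed single-statement trust policy for the demo below.
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole", "Condition": condition}]})

if __name__ == "__main__":
    policy = sample_policy(SCANNER_ARN, {"StringLike": {"sts:ExternalId": EXTERNAL_ID}})
    print(check_trust_policy(policy, SCANNER_ARN, EXTERNAL_ID))
```

A passing result only confirms the document matches the portal values; the policy still has to be saved in IAM and verification retried.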
SCAN_FAILED: Scan error
The role was assumed successfully but the scan encountered an error. This usually means the permissions policy is missing one or more required actions.
To fix
Re-attach the IrisReadOnlyPolicy using the JSON shown in the setup wizard and retry.
Dashboard shows no data
If the dashboard shows no cost data after connecting an account:
- Check the account's region status in Settings → Account Connections — all regions should show Active.
- Cost Explorer data can take up to 24 hours to appear in a newly created AWS account.
- Make sure Cost Explorer is enabled in your AWS account — go to AWS Console → Billing → Cost Explorer and activate it if prompted.
- The scanner must have run at least once. Check with your IRIS administrator that the backend scanner is running.
Verification failed during setup
If the verification step fails after registering an account:
- The account is still registered — you can fix the role and retry later.
- Go to Settings → Account Connections, find the account, and the status badge will show the specific error.
- Fix the trust policy in IAM and use the Retry button in the verification step.
Live resource data not showing
Some resource detail pages support live data fetched directly via the API role. If live data is unavailable, a message will indicate that both the scanner role ARN and the API role ARN need to be added as principals in the IrisScannerRole trust policy. Go to Settings → Account Connections and follow the instructions in the API Access section to update your trust policy.
Ask IRIS not working
- If you see a rate limit message, wait a moment and try again.
- If the chat shows Failed to connect, the backend may be temporarily unavailable — refresh the page to try again.
Cost alerts or budget alerts not firing
- Ensure the budget or cost alert is enabled (not paused).
- Check that at least one alert email or webhook is configured.
- Email alerts require AWS SES to be configured on the backend — contact your IRIS administrator if emails are not being received.
- For webhooks, verify the URL is correct by testing it directly in Slack or Teams.
Still stuck?