OpsCurb
Sign in
getting started

Troubleshooting

Resolve setup, scan, and AWS role issues without slowing the first accountability review.

6 min read
Updated 2026-03-08

Troubleshooting

On this page

"Failed to assume IAM role"

The most common cause is an External ID mismatch or the role not existing yet.

Check the role exists:

aws iam get-role --role-name opscurbRole

Check the External ID in the trust policy matches the value OpsCurb generated during onboarding or the most recent reconnect flow:

aws iam get-role --role-name opscurbRole --query 'Role.AssumeRolePolicyDocument'

If the role was connected a while ago and you no longer have the original value, reconnect that role in OpsCurb to reveal a new External ID and update the AWS trust policy.

The trust policy should look like:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": { "sts:ExternalId": "YOUR_EXTERNAL_ID" }
    }
  }]
}

Also double-check the role ARN format: arn:aws:iam::YOUR_ACCOUNT_ID:role/opscurbRole

"Access Denied" during scan

Some scanners are failing silently due to missing permissions. Re-run the Terraform module to re-apply the latest policy — see the OpsCurb Terraform module for the complete IAM policy definition.

You can test specific permissions:

aws ec2 describe-volumes --max-results 1
aws rds describe-db-instances --max-records 1

Scan timed out or is taking forever

Usually happens with large infrastructure or AWS API throttling. Try reducing scanned regions in Settings → AWS Accounts → Edit, then retry. Also check status.aws.amazon.com for AWS-side incidents.

Scan shows 0 findings

Either your infrastructure is already clean (genuinely possible), filters are hiding results, or some scanners failed. Clear filters on the Findings page and review scan details for errors.

Dashboard won't load

Clear your browser cache first. If that doesn't work, try incognito mode or a different browser (we support Chrome, Firefox, Safari, Edge). Open the browser console (F12) and send any errors to support@opscurb.com.

Getting logged out frequently

Check that cookies are enabled for opscurb.com. Ad blockers and privacy extensions can sometimes interfere. Also make sure your system clock is accurate — JWT tokens are time-sensitive.

Not getting Slack notifications

Go to Settings → Slack Integration and click Send Test. If that fails, reconnect via OAuth and confirm your Slack app/webhook is still active in your workspace.

Not getting email notifications

Check your spam folder for emails from noreply@opscurb.com and add it to your safe senders list. Also verify your email address in Settings → Profile and check that email notifications are enabled in Settings → Notifications.

Jira tickets not being created

First confirm that the Jira integration is configured: Settings → Ticketing Integration → Jira. You need a valid Jira API token, your site URL (e.g. yourcompany.atlassian.net), and a default project key.

If the integration is configured but tickets still are not appearing:

  • Check that the Jira user whose API token you used has permission to create issues in the target project.
  • Confirm the project key in OpsCurb matches an existing Jira project (keys are case-sensitive).
  • If you have set an impact threshold, findings below that threshold will not create a ticket — check Settings → Ticketing Integration → Minimum monthly impact.
  • Check the finding detail panel for any error message on the linked-ticket field after assigning an owner.

Jira status not syncing back to OpsCurb

OpsCurb syncs Jira issue status in two ways: real-time via webhook, and once daily via a reconciliation job. If status is not updating in real time:

  • In Jira, go to Settings → System → WebHooks and confirm a webhook is registered pointing to the OpsCurb callback URL shown in Settings → Ticketing Integration → Jira.
  • Make sure the webhook is enabled and the Jira project is in scope.
  • The daily reconciliation job will catch anything the webhook misses — allow up to 24 hours if you have just set up the webhook.

Linear tickets not being created

Go to Settings → Ticketing Integration → Linear. You need a Linear API key and a default team ID. If tickets are not being created:

  • Confirm the API key has write access to the target team.
  • Check that the team ID in OpsCurb is correct — the team ID is the UUID shown in Linear under Settings → Teams, not the display name.
  • If you are using routing rules to send findings to different teams based on resource tags, confirm the tag key/value matches what is on the AWS resource. Routing rule mismatches fall back to the default team.

API returning 401

Your token is invalid or expired. Test it:

curl -H "Authorization: Bearer <YOUR_ACCESS_TOKEN>" \
  https://<your-backend>/api/ai/preferences

Make sure the Authorization header is exactly Bearer <YOUR_ACCESS_TOKEN> with a valid, non-expired token from your OpsCurb session.

API returning 429

You've hit a rate or usage limit. Check the Retry-After header (if present), back off, and retry. If this happens often, contact support to review your usage pattern and plan limits.

Payment failed

Retry checkout from the Pricing page with your intended plan. If payment still fails, your bank may be blocking the charge; contact support@opscurb.com and include the timestamp and plan you attempted.

Cost estimates don't match my AWS bill

Our estimates are directional and may differ from your bill due to Savings Plans, Reserved Instances, enterprise discounts, currency/tax, or timing windows. For exact billed amounts, compare in AWS Cost Explorer.

Resources missing from scan results

The resource may be in a region not included for that account (Settings → AWS Accounts → Edit), or it was created after the last scan. Run a fresh scan and check again.

Still stuck? Email support@opscurb.com with your account ID, a description of the issue, and any error messages.