Quick answers to common errors. Jump to your error:
- Error: Must specify either --region or --all-regions for AWS
- Error: --provider is required
- Permission error / exit code 3
- Error parsing cleancloud.yaml
- Unknown config fields / rule ID typo
- scan.regions must be 'auto' or a list
- findings appear even though I added an exception
- CI exits 2 even though findings look suppressed
- cleancloud doctor says credentials missing
- zero findings but I know resources are idle
- scan is very slow
Error: Must specify either --region or --all-regions for AWS.
Cause: AWS scans require a region scope. Unlike Azure/GCP, AWS APIs are regional and CleanCloud won't guess.
Fix — scan all active regions:
cleancloud scan --provider aws --all-regionsFix — scan one region:
cleancloud scan --provider aws --region us-east-1Fix — set a default in config (so you can run cleancloud scan with no flags):
# cleancloud.yaml
scan:
provider: aws
regions: auto # equivalent to --all-regionsError: --provider is required (or set scan.provider in cleancloud.yaml)
Fix — pass it on the command line:
cleancloud scan --provider aws --all-regionsFix — set a default in config:
# cleancloud.yaml
scan:
provider: awsPermission error: ...
or exit code 3.
What it means: CleanCloud ran but couldn't complete the scan due to missing IAM/RBAC permissions.
Fix — check what's missing:
cleancloud doctor --provider aws
cleancloud doctor --provider azure
cleancloud doctor --provider gcpDoctor lists every permission checked and highlights the ones that are missing. It also prints the IAM policy you can paste directly into AWS, Azure, or GCP.
Docs:
Error parsing cleancloud.yaml: ...
Cause: The file has invalid YAML syntax (tabs instead of spaces, missing quotes, wrong indentation).
Fix: Run the file through a YAML linter:
python3 -c "import yaml; yaml.safe_load(open('cleancloud.yaml'))" && echo "OK"Common mistakes:
| Wrong | Right |
|---|---|
| Indented with tabs | Use 2 spaces |
reason: Bastion — started on demand |
reason: "Bastion — started on demand" (quote strings with special chars) |
expires_at: 2026-12-31 |
expires_at: "2026-12-31" (quote dates) |
Error in cleancloud.yaml: Unknown config fields: {'rulez'}
or
Unknown rule ID 'aws.rds.instnace.idle' (did you mean 'aws.rds.instance.idle'?)
Fix: Check the exact spelling. Rule IDs must match exactly — use the suggestion in the error message or see docs/rules.md for the full list.
Top-level config sections: version, scan, defaults, tag_filtering, rules, exceptions, categories, thresholds.
Error in cleancloud.yaml: scan.regions string value must be 'auto'. For a specific region use a list: regions: [us-east-1]
Cause: A bare region string like regions: us-east-1 is ambiguous (is it a region name or a config token?).
Fix:
# scan all active regions
scan:
regions: auto
# pin to one region — use a list
scan:
regions: [us-east-1]
# pin to multiple regions — not yet supported; use auto
scan:
regions: autoCheck 1 — rule_id and resource_id must match exactly:
exceptions:
- rule_id: aws.rds.instance.idle # must be exact rule ID
resource_id: db-prod-reporting # exact resource name, or glob like "db-prod-*"Check 2 — run with --explain to see which filter suppressed (or didn't suppress) each finding:
cleancloud scan --provider aws --all-regions --explainCheck 3 — glob syntax: * matches any sequence of characters, ? matches one. Use quotes in YAML:
resource_id: "db-test-*"Check 4 — account/region scope: If account_id or region is set on the exception, it only matches resources in that account/region. Remove or adjust if you want a broader match.
Check 5 — expired exception: If expires_at is set and the date has passed, the exception is skipped with a warning. Check stderr output.
Exit code 2 means a threshold was breached — check thresholds in your config or --fail-on-* flags.
Check what threshold fired:
cleancloud scan --provider aws --all-regions --explain 2>&1 | tail -20Common causes:
| Symptom | Fix |
|---|---|
fail_on_confidence: HIGH and there are HIGH findings |
Suppress the finding (exception, tag, min_cost) or raise the threshold |
fail_on_cost: 500 and total waste > $500 |
Suppress expensive findings or raise the threshold |
fail_on_findings: true and there are any findings |
Switch to fail_on_confidence or fail_on_cost for less noise |
Note: override_risk_level does NOT affect fail_on_confidence. Thresholds evaluate signal strength (confidence), not the display risk label.
✗ AWS credentials not found
AWS:
# Check which profile/credentials are active
aws sts get-caller-identity
# If using a named profile
cleancloud doctor --provider aws --profile my-profile
cleancloud scan --provider aws --all-regions --profile my-profileAzure:
# Interactive login (for local use)
az login
# Check active account
az account showGCP:
# Application Default Credentials (ADC) — standard for local + CI
gcloud auth application-default login
# Check active credentials
gcloud auth listFor CI/CD, use service accounts / OIDC instead of interactive login. See CI/CD guide →.
Check 1 — are findings suppressed by min_cost?
Default cleancloud.yaml sets defaults.min_cost: 5. Resources below $5/month are suppressed. Lower or remove it:
defaults:
min_cost: 0 # show all findings regardless of costCheck 2 — are findings suppressed by confidence?
Default sets defaults.confidence: MEDIUM. LOW confidence findings are hidden. Lower it to see them:
defaults:
confidence: LOWCheck 3 — are findings suppressed by tag filtering?
tag_filtering:
enabled: false # temporarily disable to testCheck 4 — are you scanning the right regions?
cleancloud scan --provider aws --all-regions # not just --region us-east-1Check 5 — is the rule disabled?
rules:
aws.rds.instance.idle:
enabled: false # is this set?AWS:
- Region detection runs in parallel.
--all-regionsis usually fast; if slow, pin to active regions. - Multi-account scans: increase concurrency with
--concurrency 10(default: 5).
Azure / GCP:
- Subscriptions/projects are scanned in parallel. Slow scans usually mean a permission error on one resource type causing a timeout — check stderr for warnings.
Large output:
- Use
--output json --output-file findings.jsonto write directly to a file instead of stdout.
- Run
cleancloud doctor --provider <aws|azure|gcp>— it diagnoses credentials, permissions, and config in one command. - Open an issue: github.com/cleancloud-io/cleancloud/issues
- Email: suresh@getcleancloud.com