Troubleshooting
Common issues and how to resolve them.
Sign-in problems
"Authentication failed" on sign-in
- Make sure you're using the email registered on your team's Escher account
- Check your network — sign-in requires HTTPS access to Tessell's auth service
- If your team uses SSO, confirm with your admin that you're provisioned in the IdP
"Token expired" mid-session
Click Refresh sign-in in the top-right. If it persists, sign out and back in.
Cloud connection problems
AWS profile shows "Invalid credentials"
```
aws sts get-caller-identity --profile YOUR_PROFILE
```
If this fails outside of Escher, the issue is with your AWS CLI config, not Escher.
If you're using AWS SSO:
```
aws sso login --profile YOUR_PROFILE
```
AWS profile shows "Insufficient permissions"
Escher requires read-only permissions on the services it scans. Either:
- Attach the AWS-managed `ReadOnlyAccess` policy, or
- Use the minimal policy from Connect AWS
Azure connection fails with "Insufficient privileges"
Check role assignments:
```
az role assignment list --assignee YOUR_EMAIL --subscription YOUR_SUB_ID
```
Ensure at minimum the Reader role is assigned at the subscription scope. For deeper analysis, add Security Reader.
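One way to check the JSON output of the command above for the roles this page names, flagging a Reader assignment that exists only below subscription scope (added example, not Escher's own code). The function name `audit_assignments` and the sample data are constructed for illustration; `roleDefinitionName` and `scope` are fields of the `az role assignment list` output, and narrower-scope assignments only appear if the command is run with `--all`.

```python
import json

# Roles this page names for Azure: Reader (minimum), Security Reader (deeper
# analysis), Cost Management Reader (cost data in Canvases).
PAGE_ROLES = {"Reader", "Security Reader", "Cost Management Reader"}

def audit_assignments(cli_json: str, subscription_id: str) -> dict:
    """Classify `az role assignment list` JSON output for one subscription."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    at_sub, narrower, extra = set(), [], set()
    for a in json.loads(cli_json):
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "").rstrip("/").lower()
        if scope == sub_scope:
            at_sub.add(role)
        elif scope.startswith(sub_scope + "/"):
            # Assigned on a resource group or resource only: this does not
            # satisfy "at the subscription scope".
            narrower.append((role, a.get("scope", "")))
        if role not in PAGE_ROLES:
            # Anything beyond the read-only roles the page asks for.
            extra.add(role)
    return {
        "reader_at_subscription": "Reader" in at_sub,
        "security_reader_at_subscription": "Security Reader" in at_sub,
        "cost_reader_at_subscription": "Cost Management Reader" in at_sub,
        "narrower_than_subscription": narrower,
        "roles_beyond_page": sorted(extra),
    }

# Constructed sample output (placeholder subscription ID, not a real tenant).
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-app"},
    {"roleDefinitionName": "Security Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}"},
])

if __name__ == "__main__":
    for key, value in audit_assignments(SAMPLE, SUB).items():
        print(f"{key}: {value}")
```

In the sample, Reader exists only on a resource group, so the subscription-scope check fails even though the role name appears in the list.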
GCP connection fails with "Permission denied"
Make sure both `gcloud auth login` and `gcloud auth application-default login` have been run. Confirm the principal has both `roles/viewer` and `roles/iam.securityReviewer`.
Estate scan problems
Estate scan returns 0 resources
- Verify the profile is enabled and Test Access passes
- Confirm the regions you expect resources in are enabled for the profile (Settings → Profiles)
- Check the cloud's own console — confirm resources actually exist in the connected accounts
Estate scan stuck for a long time
Most scans complete in 3–8 minutes. If a scan is running longer than 30 minutes, it's usually:
- A very large account (>10,000 resources) — let it complete
- A throttled API — Escher retries automatically; this resolves on its own
- A network blip — cancel and re-run
Cost data missing from Canvases
For AWS, ensure Cost Explorer is enabled in the AWS Billing console (one-time setup, ~24h activation lag). For Azure, confirm Cost Management Reader is assigned. For GCP, confirm roles/billing.viewer on the billing account.
Question and Canvas problems
"Escher couldn't find data to answer this"
This usually means:
- The estate scan hasn't completed yet — check Estate Overview
- The relevant cloud isn't connected (e.g. asking about Azure when only AWS is connected)
- The question is outside the scope of what Escher knows about (see Asking Questions)
Canvas takes longer than expected
Most Canvases generate in 2–8 minutes. If a Canvas is running slow:
- The first time you ask a complex cross-cloud question, Escher may need to refresh part of the estate — this is one-off
- Heavy compliance questions (full SOC 2 audit) can take 8–10 minutes
Citations point to deleted resources
If you ask about historical data, Escher may cite resources that have since been deleted. The historical evidence (CloudTrail event, billing line) is still valid — the live console link will 404. This is expected.
App problems
Escher won't launch on macOS
If macOS shows "App is damaged" or won't open:
```
xattr -cr /Applications/Escher.app
```
Then re-launch from Applications.
"Cannot connect to keychain" error
Open Keychain Access, search for escher, and delete any locked or corrupted entry. Re-launch the app and sign in again.
App crashes on launch
Check Console.app → Reports for the crash log. If it persists, contact support with the crash log attached.
Getting more help
| Channel | When to use |
|---|---|
| Slack Connect (Design Partners) | Fastest response — for production issues |
| support@tessell.com | General questions, access requests |
| GitHub Issues | Bug reports with reproduction steps |