Website: Vanta Integration Failures (4XX/5XX) Communicating with Fleet Environment

[BCTBB]

Fleet version: Unknown

Web browser and operating system: Unknown

---

💥  Actual behavior

We're seeing help-p1 alerts being triggered on failures for requests on /api/v1/create-vanta-authorization-request, all from the same source ip. At the time of this filing, we've seen 13 failures, with more or less the same alerts.

at=info method=POST path="/api/v1/create-vanta-authorization-request" host=fleetdm.com request_id=<redacted> fwd="<redacted>" dyno=web.3 connect=0ms service=313ms status=500 bytes=21 protocol=http2.0 tls=true tls_version=tls1.3

The issue appears to stem from restrictions on an AWS loadbalancer that are blocking access to the Fleet environment /me endpoint. I do not see any additional logs to tie the failures back to a particular environment.

error: Sending 500 ("Server Error") response:
 Error: When sending a request to a Fleet instance's /me endpoint to verify that a token meets the requirements for a Vanta connection, an error occurred: Exception: `get` failed ("non200Response").  A non-2xx status code was returned from the server.
Server response:
{
  statusCode: 403,
  headers: {
    server: 'awselb/2.0',
    date: 'Thu, 05 Feb 2026 14:09:24 GMT',
    'content-type': 'text/html',
    'content-length': '118',
    connection: 'keep-alive'
  },
  body: '<html>\r\n' +
    '<head><title>403 Forbidden</title></head>\r\n' +
    '<body>\r\n' +
    '<center><h1>403 Forbidden</h1></center>\r\n' +
    '</body>\r\n' +
    '</html>\r\n'
}
    at Object.handler (/app/api/controllers/create-vanta-authorization-request.js:111:14)
    at /app/node_modules/parley/lib/private/Deferred.js:949:50
    at proceedToInterceptsAndChecks (/app/node_modules/parley/lib/private/Deferred.js:963:7)
    at proceedToAfterExecSpinlocks (/app/node_modules/parley/lib/private/Deferred.js:845:10)
    at /app/node_modules/parley/lib/private/Deferred.js:303:7
    at /app/node_modules/machine/lib/private/help-build-machine.js:952:35
    at handlerCbs.<computed> [as non200Response] (/app/node_modules/machine/lib/private/help-build-machine.js:945:28)
    at Object.non200Response (/app/node_modules/machinepack-http/lib/get.js:62:59)
    at /app/node_modules/machine/lib/private/help-build-machine.js:1509:52
    at proceedToFinalAfterExecLC (/app/node_modules/parley/lib/private/Deferred.js:1153:14)
    at proceedToInterceptsAndChecks (/app/node_modules/parley/lib/private/Deferred.js:913:12)
    at proceedToAfterExecSpinlocks (/app/node_modules/parley/lib/private/Deferred.js:845:10)
    at /app/node_modules/parley/lib/private/Deferred.js:303:7
    at /app/node_modules/machine/lib/private/help-build-machine.js:952:35
    at handlerCbs.<computed> [as non200Response] (/app/node_modules/machine/lib/private/help-build-machine.js:945:28)
    at Request._callback (/app/node_modules/machinepack-http/lib/send-http-request.js:260:22)
<- POST /api/v1/create-vanta-authorization-request  (310ms 500)
 |  error
 °

🛠️ To fix

Due to the nature of this issue, I don't think there's much that we can do to prevent the failure from happening, since access to the /me endpoint is being blocked. However, for the future and if possible, it would be helpful to have additional details in the logs like an FQDN or other information that can be used to identify the Fleet system/customer.

🧑‍💻  Steps to reproduce

I have not reproduced the issue. However, from what we know, it might be possible to reproduce this issue by restricting access to /me and attempting to setup the Fleet <-> Vanta integration.

These steps:

• Have been confirmed to consistently lead to reproduction in multiple Fleet instances.
• Describe the workflow that led to the error, but have not yet been reproduced in multiple Fleet instances.

1. TODO
2. TODO

🕯️ More info (optional)

• help-p1 alert
• help-p1 alert
• help-p1 alert
• help-p1 alert
• help-p1 alert
• help-p1 alert
• help-p1 alert
• help-p1 alert

[github-actions]

This issue has been automatically tagged as unreleased. If this is is incorrect, you may replace the label with ~released-bug. If this is correct, or might be correct, move this bug onto the appropriate product board to get a fix underway.

[eashaw]

I updated the create-vanta-authorization-request action to return a new exit when a Fleet instance returns a 403 response, and I updated the logged error to include more information about the form submission (Fleet instance URL and contact email address), so we can reach out to the affected user if they encounter a 500 error.