diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 2038642..4714943 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -56,6 +56,28 @@ some common sources of errors: Account on an attribute unless you map that value from the incoming GitHub OIDC token. +1. Check the specific error message that is returned. + + - If the error message includes "failed to generate Google Cloud federated + token", it means admission into the Workload Identity Pool failed. Check + your [**Attribute Conditions**][attribute-conditions]. + + - If the error message inclues "failed to generate Google Cloud access + token", it means Service Account Impersonation failed. Check your + [**Service Account Impersonation**][sa-impersonation] settings and + ensure the principalSet is correct. + +1. Enable `Admin Read`, `Data Read`, and `Data Write` [Audit Logging][cal] for + Identity and Access Management (IAM) in your Google Cloud project. + + **Warning!** This will increase log volume which may increase costs. To keep + costs low, you can disable this audit logging after you have debugged the + issue. + + Try to authenticate again, and then explore the logs for your Workload + Identity Provider and Workload Identity Pool. Sometimes these error messages + are helpful in hinting at the root problem. + 1. Ensure you have waited at least 5 minutes between making changes to the Workload Identity Pool and Workload Identity Provider. Changes to these resources are eventually consistent. 
@@ -124,6 +146,9 @@ ways to fix this issue: 5. Push ``` +[attribute-conditions]: https://cloud.google.com/iam/docs/workload-identity-federation#conditions +[sa-impersonation]: https://cloud.google.com/iam/docs/workload-identity-federation#impersonation [debug-logs]: https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging [iam-feedback]: https://cloud.google.com/iam/docs/getting-support [wif-byte-limit]: https://cloud.google.com/iam/docs/configuring-workload-identity-federation +[cal]: https://cloud.google.com/logging/docs/audit/configure-data-access
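Review bot: Typo in the second bullet of the new "Check the specific error message" step in the first hunk: "inclues" should be "includes" (`- If the error message inclues "failed to generate Google Cloud access`). While there, `principalSet` in the same bullet is an identifier and would read better in backticks, matching how `Admin Read`, `Data Read` and `Data Write` are formatted in the following step.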
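Review bot: The new link reference definitions in the second hunk break the alphabetical ordering of the existing list: `[sa-impersonation]` is inserted before `[debug-logs]`, and `[cal]` is appended after `[wif-byte-limit]`. Suggest moving `[cal]` to directly after `[attribute-conditions]` and `[sa-impersonation]` to after `[iam-feedback]` so the list stays sorted.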