Loading...

XML

Word

Printable

Type: Sub-task
Resolution: Unresolved
Priority: Critical
Fix Version/s: ACM 2.16.0
Affects Version/s: None
Component/s: Console, Container Native Virtualization
Labels:
None

Activity Type:
Quality / Stability / Reliability
Story Points:
2
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Acceptance Criteria:
Hide

Azure portal account can manage NSGs, public IPs, LB rules, and storage accounts in the target resource group

Service principal auth file created for subctl cloud prepare azure

OCP installer SP verified for custom CIDRs and D8s_v3 instance types

Credentials stored securely (not committed to git)
Show
Azure portal account can manage NSGs, public IPs, LB rules, and storage accounts in the target resource group Service principal auth file created for subctl cloud prepare azure OCP installer SP verified for custom CIDRs and D8s_v3 instance types Credentials stored securely (not committed to git)
Intelligence Requested:
Market:

Sprint:
ACM Console Train 37 - 1
Severity:
Important

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Goal

Configure the required Azure portal permissions and service principals so that all subsequent CCLM infrastructure work (cluster deployment, Submariner networking, RWX storage) can proceed without access blockers.

This sub-task should be completed before ACM-30198 (deploy clusters).

Background

This permission gap was first identified on Dec 18, 2025 (see parent story comment and Slack thread).

Current state: The Azure subscription available when logging into portal.azure.com is limited and does not provide access to configure network or storage resources needed for CCLM.

Subscription ID: 53b8f551-f0fc-4bea-8cba-6d1fefd54c8a
Directory: OpenShift Dev (jamesrussell1911gmail.onmicrosoft.com)
Parent management group: openshift-qe
Status: Active

Clusters in this subscription were created via the ocp_deploy_and_acm_install Jenkins pipeline.

Scope

1. Azure portal permissions for the user account

Ensure the Azure AD account used for portal/CLI access has the right role assignments on the target resource group(s):

Contributor (or at minimum: Network Contributor + Storage Account Contributor)
Needed for: NSG creation/modification, public IP assignment, Load Balancer NAT rules, Azure Files storage account creation

Verify access by confirming you can:

Create/modify NSG inbound rules
Assign public IPs to NICs
Create storage accounts with NFS-enabled Azure Files
Create/modify Load Balancer inbound NAT rules

2. Service principal for subctl cloud prepare azure

subctl cloud prepare azure requires an Azure auth file with a service principal that has permissions to:

Create VMs (gateway MachineSet)
Create and assign public IPs
Create NSGs with custom inbound rules

Create or obtain a SP with sufficient permissions and generate the auth file:

{
  "subscriptionId": "<sub-id>",
  "tenantId": "<tenant-id>",
  "clientId": "<sp-app-id>",
  "clientSecret": "<sp-secret>"
}

3. Verify OCP installer SP permissions

Confirm the service principal used by the OCP installer can:

Deploy clusters with custom CIDRs (non-default clusterNetwork, serviceNetwork, machineNetwork)
Deploy D8s_v3 (or larger) worker instance types
If the current SP lacks these permissions, request an upgrade or a new SP

Acceptance Criteria

[ ] Azure portal account can manage NSGs, public IPs, LB rules, and storage accounts in the target resource group
[ ] Service principal auth file created for subctl cloud prepare azure
[ ] OCP installer SP verified for custom CIDRs and D8s_v3 instance types
[ ] Credentials stored securely (not committed to git)

Assignee:: Atif Shafi

Reporter:: Atif Shafi

QA Contact:: Atif Shafi

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2026/02/17 5:48 AM

Updated:: 2026/02/17 6:13 AM

Details

Description

Goal

Background

Scope

Acceptance Criteria

Attachments

Easy Agile Planning Poker

Activity

People

Dates