Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-17919

Azure MAO CredentialRequests Missing Compute Permissions

XMLWordPrintable

    • No
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      CredentialsRequest for Azure AD Workload Identity missing disk encryption set read permissions.
      
      - Microsoft.Compute/diskEncryptionSets/read
      

      Version-Release number of selected component (if applicable):

      4.14.0
      

      How reproducible:

      Every time when creating a machine with a disk encryption set
      

      Steps to Reproduce:

      1. Create workload identity cluster
      2. Create keyvault and secret within keyvault
      3. Create disk encryption set and point it to keyvault; can use system-assigned identity 
      4. Create or modify existing machineset to include a disk encryption set.  
                  managedDisk:
                    diskEncryptionSet:
                      id: /subscriptions/<subscription_id>/resourceGroups/<resource_id>/providers/Microsoft.Compute/diskEncryptionSets/<disk_encryption_set_name>
      5. Scale machineset 
      

      Actual results:

      'failed to create vm <vm_name>:
              failure sending request for machine steven-wi-cluster-pzqvm-worker-eastus3-mfk5z:
              cannot create vm: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending
              request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed"
              Message="The client ''55c10ba9-f891-4f42-a697-0ab283b86c63'' with object id
              ''55c10ba9-f891-4f42-a697-0ab283b86c63'' has permission to perform action
              ''Microsoft.Compute/virtualMachines/write'' on scope ''/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Compute/virtualMachines/steven-wi-cluster-pzqvm-worker-eastus3-mfk5z'';
              however, it does not have permission to perform action ''read'' on the linked
              scope(s) ''/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Compute/diskEncryptionSets/test-disk-encryption-set''
              or the linked scope(s) are invalid."'
      

      Expected results:

      The machine is able to create and join the cluster successfully.
      

      Additional info:

      Docs about preparing disk encryption sets on Azure: https://docs.openshift.com/container-platform/4.12/installing/installing_azure/enabling-user-managed-encryption-azure.html 
      

              bvesel@redhat.com Benjamin Vesel
              bvesel@redhat.com Benjamin Vesel
              Huali Liu Huali Liu
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: