Resolution: Done-Errata
Description of problem:
The CredentialsRequest for Azure AD Workload Identity is missing the disk encryption set read permission: Microsoft.Compute/diskEncryptionSets/read
Version-Release number of selected component (if applicable):
How reproducible:
Every time, when creating a machine with a disk encryption set.
Steps to Reproduce:
1. Create a workload identity cluster.
2. Create a keyvault and a secret within the keyvault.
3. Create a disk encryption set and point it to the keyvault; a system-assigned identity can be used.
4. Create or modify an existing MachineSet to include the disk encryption set:
     managedDisk:
       diskEncryptionSet:
         id: /subscriptions/<subscription_id>/resourceGroups/<resource_id>/providers/Microsoft.Compute/diskEncryptionSets/<disk_encryption_set_name>
5. Scale the MachineSet.
Actual results:
'failed to create vm <vm_name>: failure sending request for machine steven-wi-cluster-pzqvm-worker-eastus3-mfk5z: cannot create vm: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client ''55c10ba9-f891-4f42-a697-0ab283b86c63'' with object id ''55c10ba9-f891-4f42-a697-0ab283b86c63'' has permission to perform action ''Microsoft.Compute/virtualMachines/write'' on scope ''/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Compute/virtualMachines/steven-wi-cluster-pzqvm-worker-eastus3-mfk5z''; however, it does not have permission to perform action ''read'' on the linked scope(s) ''/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Compute/diskEncryptionSets/test-disk-encryption-set'' or the linked scope(s) are invalid."'
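Added example (not part of the original report, and not the Machine API Operator's own manifest or code): a Python check that compares the `permissions` list of an Azure CredentialsRequest against the RBAC actions a machine with a disk encryption set needs, and derives the missing action from a LinkedAuthorizationFailed message like the one above. The `permissions` field name and the sample entries are assumptions made for the example; the error text is a constructed copy of the one in the report with the client and object IDs replaced by placeholders.

```python
import re

# Constructed sample of the `permissions` list in the Azure provider spec of a
# CredentialsRequest (the "new API field" OCPCLOUD-2014 refers to). The field
# name and the entries are assumed for this example; they are not copied from
# the Machine API Operator's real manifest.
MACHINE_API_PERMISSIONS_BEFORE = [
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Network/networkInterfaces/write",
]

# Azure RBAC actions a machine controller needs when a MachineSet references a
# disk encryption set: it must write the VM and read the DES the VM links to.
REQUIRED_FOR_DISK_ENCRYPTION_SET = {
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/diskEncryptionSets/read",
}

# Matches the LinkedAuthorizationFailed message. ARM quotes the action and the
# scope in single quotes; when the message has been pasted through YAML or shell
# quoting the quotes appear doubled (''read''), so the pattern accepts one or more.
LINKED_AUTH_RE = re.compile(
    r"does not have permission to perform action '+(?P<action>[^']+)'+ "
    r"on the linked scope\(s\) '+(?P<scope>[^']+)'+"
)

# Resource-type part of an ARM resource ID: /providers/<namespace>/<type>/<name>
PROVIDER_RE = re.compile(r"/providers/(?P<ns>[^/]+)/(?P<rtype>[^/]+)/")


def missing_permissions(permissions, required=REQUIRED_FOR_DISK_ENCRYPTION_SET):
    """Return the required RBAC actions absent from a CredentialsRequest permissions list."""
    return sorted(required - set(permissions))


def parse_linked_authorization_failure(message):
    """Extract the action and linked scope from a LinkedAuthorizationFailed error.

    Returns None when the message is not that error."""
    m = LINKED_AUTH_RE.search(message)
    if not m:
        return None
    return {"action": m.group("action"), "scope": m.group("scope")}


def permission_for_failure(message):
    """Translate a LinkedAuthorizationFailed error into the RBAC action to add.

    The linked scope is the resource the VM references (here a disk encryption
    set); the action ARM reports ("read") is joined to that resource type.
    Handles top-level resource types only; nested types need a longer path."""
    parsed = parse_linked_authorization_failure(message)
    if parsed is None:
        return None
    p = PROVIDER_RE.search(parsed["scope"])
    if not p:
        return None
    return f"{p.group('ns')}/{p.group('rtype')}/{parsed['action']}"


# Constructed copy of the error from the report; IDs replaced by placeholders.
SAMPLE_ERROR = (
    "StatusCode=403 -- Original Error: Code=\"LinkedAuthorizationFailed\" "
    "Message=\"The client ''<client_id>'' with object id ''<object_id>'' has permission "
    "to perform action ''Microsoft.Compute/virtualMachines/write'' on scope "
    "''/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/"
    "Microsoft.Compute/virtualMachines/worker-0''; however, it does not have "
    "permission to perform action ''read'' on the linked scope(s) "
    "''/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/"
    "Microsoft.Compute/diskEncryptionSets/test-disk-encryption-set'' or the linked "
    "scope(s) are invalid.\""
)

if __name__ == "__main__":
    print("missing before fix:", missing_permissions(MACHINE_API_PERMISSIONS_BEFORE))
    needed = permission_for_failure(SAMPLE_ERROR)
    print("action to add:", needed)
    print("missing after fix:", missing_permissions(MACHINE_API_PERMISSIONS_BEFORE + [needed]))
```

Note that the VM write permission alone passes the first ARM authorization check; the 403 only appears at the linked-scope check, which is why a cluster without a disk encryption set never hits this. The check above flags the gap before the first machine is scaled.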
Expected results:
The machine is created and joins the cluster successfully.
Additional info:
Docs about preparing disk encryption sets on Azure: https://docs.openshift.com/container-platform/4.12/installing/installing_azure/enabling-user-managed-encryption-azure.html
- is related to
OCPCLOUD-2014 Update Azure Credentials Request manifest of the Machine API Operator to use new API field for requesting permissions
- Closed
- links to
RHEA-2023:5006 rpm