-
Bug
-
Resolution: Done-Errata
-
Critical
-
4.14.0, 4.15.0
-
No
-
Rejected
-
False
-
-
-
Bug Fix
This is a clone of issue OCPBUGS-22369. The following is the description of the original issue:
—
Description of problem:
Default security settings for new Azure Storage accounts be updated. Using ccoctl to create Azure Workload Identity resources in region eastus is not work. I found several commonly used regions and did the test. The test results are as follows. List of regions not working properly: eastus $ az storage account list -g mihuangtt0947-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv mihuangtt0947rgoidc False List of regions working properly: westus, australiacentral, australiaeast, centralus, australiasoutheast, southindia… $ az storage account list -g mihuangdispri0929-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv mihuangdispri0929rgoidc True
Version-Release number of selected component (if applicable):
4.14/4.15
How reproducible:
Always
Steps to Reproduce:
1.Running ccoctl azure create-all command to create azure workload identity resources in region eastus. [huangmingxia@fedora CCO-bugs]$ ./ccoctl azure create-all --name 'mihuangp1' --region 'eastus' --subscription-id {SUBSCRIPTION-ID} --tenant-id {TENANNT-ID} --credentials-requests-dir=./credrequests --dnszone-resource-group-name 'os4-common' --storage-account-name='mihuangp1oidc' --output-dir test
Actual results:
[huangmingxia@fedora CCO-bugs]$ ./ccoctl azure create-all --name 'mihuangp1' --region 'eastus' --subscription-id {SUBSCRIPTION-ID} --tenant-id {TENANNT-ID} --credentials-requests-dir=./credrequests --dnszone-resource-group-name 'os4-common' --storage-account-name='mihuangp1oidc' --output-dir test 2023/10/25 11:14:36 Using existing RSA keypair found at test/serviceaccount-signer.private 2023/10/25 11:14:36 Copying signing key for use by installer 2023/10/25 11:14:36 No --oidc-resource-group-name provided, defaulting OIDC resource group name to mihuangp1-oidc 2023/10/25 11:14:36 No --installation-resource-group-name provided, defaulting installation resource group name to mihuangp1 2023/10/25 11:14:36 No --blob-container-name provided, defaulting blob container name to mihuangp1 2023/10/25 11:14:39 Created resource group /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuangp1-oidc 2023/10/25 11:15:01 Created storage account /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuangp1-oidc/providers/Microsoft.Storage/storageAccounts/mihuangp1oidc 2023/10/25 11:15:03 failed to create blob container: PUT https://management.azure.com/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuangp1-oidc/providers/Microsoft.Storage/storageAccounts/mihuangp1oidc/blobServices/default/containers/mihuangp1--------------------------------------------------------------------------------RESPONSE 409: 409 ConflictERROR CODE: PublicAccessNotPermitted--------------------------------------------------------------------------------{ "error": { "code": "PublicAccessNotPermitted", "message": "Public access is not permitted on this storage account.\nRequestId:415c51f1-c01e-0017-7ef1-06ec0c000000\nTime: 2023-10-25T03:15:02.7928767Z" }}-------------------------------------------------------------------------------- $ az storage account list -g mihuangtt0947-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsvmihuangtt0947rgoidc False
Expected results:
Resources created successfully. $ az storage account list -g mihuangtt0947-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv mihuangtt0947rgoidc True
Additional info:
Google email: Important notice: Default security settings for new Azure Storage accounts will be updated
- clones
-
OCPBUGS-22369 Ccoctl create Azure Workload Identity resource does not work properly in eastus region because the storage account does not allow Public access.
- Closed
- is blocked by
-
OCPBUGS-22369 Ccoctl create Azure Workload Identity resource does not work properly in eastus region because the storage account does not allow Public access.
- Closed
- links to
-
RHBA-2023:6837 OpenShift Container Platform 4.14.z bug fix update