Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.15, 4.16, 4.17, 4.18, 4.19
Component/s: Documentation / Installer
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Moderate
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Impact doc: https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/installing_on_azure/index#preparing-disk-encryption-sets_installing-azure-preparing-ipi

Based on Azure doc[1], starting from az Cli 2.61.0, default --enable-rbac-authorization to true when creating keyvault.

This default changes will break current procedures in impacted doc if using higher az Cli version than 2.61.0

1. User could not continue to create keyvault key and got below error:
=========
(Forbidden) Caller is not authorized to perform action on resource.
If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=<sp_id>;oid=040de9bb-8ff3-47da-9006-a38b728e0bad;iss=https://sts.windows.net/<tenant id>/
Action: 'Microsoft.KeyVault/vaults/keys/create/action'
Resource: '/subscriptions/<subscription_id>/resourcegroups/jima-des-rg/providers/microsoft.keyvault/vaults/jima-kv-2/keys/jima-kv-key-2'
Assignment: (not found)
DenyAssignmentId: null
DecisionReason: null 
Vault: jima-kv-2;location=eastus
Code: Forbidden
Message: Caller is not authorized to perform action on resource.
If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=<sp id>;oid=040de9bb-8ff3-47da-9006-a38b728e0bad;iss=https://sts.windows.net/<tenant id>/
Action: 'Microsoft.KeyVault/vaults/keys/create/action'
Resource: '/subscriptions/<subscription_id>/jima-des-rg/providers/microsoft.keyvault/vaults/jima-kv-2/keys/jima-kv-key-2'
Assignment: (not found)
DenyAssignmentId: null
DecisionReason: null 
Vault: jima-kv-2;location=eastusInner error: {
    "code": "ForbiddenByRbac"
}

2. User could not set-policy in step 11, otherwise will encounter a conflict. It is not allowed to use both Access policies and RBAC simultaneously

So suggest disabling --enable-rbac-authorization when creating keyvault.

az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION \                                   
    --enable-purge-protection true --enable-rbac-authorization false


[1] https://learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli?view=azure-cli-latest#may-21-2024

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

    1.
    2.
    3.

Actual results:

Expected results:

Additional info:

Assignee:: OCP DocsBot

Reporter:: Jinyun Ma

Need Info From:: None

Contributors:: None

QA Contact:: Jinyun Ma

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/06/11 8:56 AM

Updated:: 2025/07/12 1:17 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates

Hide