Bug
Resolution: Unresolved
Major
4.19, 4.20, 4.21
Rejected
In Progress
Release Note Not Required
This is a clone of issue OCPBUGS-65798. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-63714. The following is the description of the original issue:
—
Description of problem:
After the initial ccoctl azure create-xxx creation, if the ccoctl command is re-run, it may fail with the following error:
2025/10/29 10:09:23 error ensuring custom role: PUT https://management.azure.com/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/e3ee312d-8a9c-4bad-b315-8071b46cbbb0
--------------------------------------------------------------------------------
RESPONSE 409: 409 Conflict
ERROR CODE: RoleDefinitionWithSameNameExists
--------------------------------------------------------------------------------
{
  "error": {
    "code": "RoleDefinitionWithSameNameExists",
    "message": "A custom role with the same name already exists in this directory. Use a different name."
  }
}
--------------------------------------------------------------------------------
Version-Release number of selected component (if applicable):
4.21
How reproducible:
Always
Steps to Reproduce:
Step 1: Generate RSA keypair
Step 2: Create OIDC issuer
Step 3: Create managed identities
Step 4: Re-run create-managed-identities
Step 5: Waiting 3 minutes to allow Azure role definition replication...
Step 4 (Retry): Re-run create-managed-identities after waiting
SUCCESS! After waiting 3 minutes for Azure replication, all custom roles were found and updated.
Actual results:
  Step 4 failed
Expected results:
  Step 4 succeeds.
Additional info:
## Step 1: Generate RSA keypair
$ ./ccoctl azure create-key-pair --output-dir ./round4/case5/output
2025/10/29 13:06:07 Generating RSA keypair
2025/10/29 13:06:11 Writing private key to round4/case5/output/serviceaccount-signer.private
2025/10/29 13:06:11 Writing public key to round4/case5/output/serviceaccount-signer.public
2025/10/29 13:06:11 Copying signing key for use by installer
## Step 2: Create OIDC issuer
$ ./ccoctl azure create-oidc-issuer --name mihuangr4case5 --region eastus --subscription-id xxx --tenant-id xxx --public-key-file ./round4/case5/output/serviceaccount-signer.public --output-dir ./round4/case5/output
2025/10/29 13:06:31 No --oidc-resource-group-name provided, defaulting OIDC resource group name to mihuangr4case5-oidc
2025/10/29 13:06:31 No --storage-account-name provided, defaulting storage account name to mihuangr4case5
2025/10/29 13:06:31 No --blob-container-name provided, defaulting blob container name to mihuangr4case5
2025/10/29 13:06:33 Created resource group /subscriptions/xxx/resourceGroups/mihuangr4case5-oidc
2025/10/29 13:06:53 Created storage account /subscriptions/xxx/resourceGroups/mihuangr4case5-oidc/providers/Microsoft.Storage/storageAccounts/mihuangr4case5
2025/10/29 13:06:55 Created blob container /subscriptions/xxx/resourceGroups/mihuangr4case5-oidc/providers/Microsoft.Storage/storageAccounts/mihuangr4case5/blobServices/default/containers/mihuangr4case5
2025/10/29 13:06:55 Saved OIDC discovery document at path /home/cloud-user/CCO-714/round4/case5/output/openid-configuration
2025/10/29 13:06:55 Reading public key
2025/10/29 13:06:55 Saved JSON web key set at path /home/cloud-user/CCO-714/round4/case5/output/jwks
2025/10/29 13:06:55 Uploaded OIDC discovery document https://mihuangr4case5.blob.core.windows.net/mihuangr4case5/.well-known/openid-configuration
2025/10/29 13:06:55 Uploaded JSON web key set https://mihuangr4case5.blob.core.windows.net/mihuangr4case5/openid/v1/jwks
2025/10/29 13:06:55 Wrote cluster authentication manifest at path round4/case5/output/manifests/cluster-authentication-02-config.yaml
2025/10/29 13:06:55 Issuer URL (serviceAccountIssuer) is https://mihuangr4case5.blob.core.windows.net/mihuangr4case5
2025/10/29 13:06:55 Saved Azure AD pod identity webhook configuration to: round4/case5/output/manifests/azure-ad-pod-identity-webhook-config.yaml
## Step 3: Create multiple managed identities from multiple CredentialsRequests
Using all CredentialsRequests from ./round2/credrequests directory to create multiple identities.
$ ./ccoctl azure create-managed-identities --name mihuangr4case5 --credentials-requests-dir ./round2/credrequests --region eastus --subscription-id xxx --installation-resource-group-name mihuangr4case5-install-rg --issuer-url https://mihuangr4case5.blob.core.windows.net/mihuangr4case5 --oidc-resource-group-name mihuangr4case5-oidc --output-dir ./round4/case5/output
2025/10/29 13:07:26 Created resource group /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:07:26 Cluster installation resource group name is mihuangr4case5-install-rg. This resource group MUST be configured as the resource group used for cluster installation.
2025/10/29 13:07:26 Ignoring CredentialsRequest openshift-cloud-credential-operator/openshift-cluster-api-azure with tech-preview annotation
2025/10/29 13:07:28 Created user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials
2025/10/29 13:07:30 Created customRole mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/d81dc28b-3ac6-43e7-b1e9-02453ea4103a
2025/10/29 13:07:32 Unable to assign role to user-assigned managed identity, retrying...
2025/10/29 13:07:45 Created role assignment for role mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials with user-assigned managed identity principal ID c0e7c7dc-030b-4310-aa3a-e7496639987c at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:07:46 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials/federatedIdentityCredentials/cloud-controller-manager
2025/10/29 13:07:46 Saved credentials configuration to: round4/case5/output/manifests/openshift-cloud-controller-manager-azure-cloud-credentials-credentials.yaml
2025/10/29 13:07:47 Created user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-machine-api-azure-cloud-credentials
2025/10/29 13:07:50 Created customRole mihuangr4case5-openshift-machine-api-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/6ad47bad-d52d-4de3-a30f-8732c73ddfa1
2025/10/29 13:07:53 Created role assignment for role mihuangr4case5-openshift-machine-api-azure-cloud-credentials with user-assigned managed identity principal ID efaa6767-93dc-4981-be81-05153282e1e5 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:07:54 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-machine-api-azure-cloud-credentials/federatedIdentityCredentials/machine-api-controllers
2025/10/29 13:07:54 Saved credentials configuration to: round4/case5/output/manifests/openshift-machine-api-azure-cloud-credentials-credentials.yaml
2025/10/29 13:07:55 Created user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-image-registry-installer-cloud-credentials
2025/10/29 13:07:58 Created customRole mihuangr4case5-openshift-image-registry-installer-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/c3370431-b38b-4119-ae6a-3da6a89f2921
2025/10/29 13:07:59 Unable to assign role to user-assigned managed identity, retrying...
2025/10/29 13:08:11 Created role assignment for role mihuangr4case5-openshift-image-registry-installer-cloud-credentials with user-assigned managed identity principal ID f3e52b9c-1426-4647-86bb-0fcbf0a28323 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:08:11 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-image-registry-installer-cloud-credentials/federatedIdentityCredentials/cluster-image-registry-operator
2025/10/29 13:08:12 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-image-registry-installer-cloud-credentials/federatedIdentityCredentials/registry
2025/10/29 13:08:12 Saved credentials configuration to: round4/case5/output/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2025/10/29 13:08:13 Created user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-ingress-operator-cloud-credentials
2025/10/29 13:08:15 Created customRole mihuangr4case5-openshift-ingress-operator-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/0fb9647a-9372-4a26-b224-7514e0de0e7c
2025/10/29 13:08:16 Failed to get role definition. This is likely due to a replication delay. Retrying...
2025/10/29 13:08:28 Created role assignment for role mihuangr4case5-openshift-ingress-operator-cloud-credentials with user-assigned managed identity principal ID 7aa93b6d-efee-4d56-ad89-9fcdb5811d1d at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:08:29 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-ingress-operator-cloud-credentials/federatedIdentityCredentials/ingress-operator
2025/10/29 13:08:29 Saved credentials configuration to: round4/case5/output/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
2025/10/29 13:08:30 Created user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-network-config-controller-cloud-credentials
2025/10/29 13:08:32 Created customRole mihuangr4case5-openshift-cloud-network-config-controller-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/46841770-fa2a-4960-b8c0-31d2ddb61105
2025/10/29 13:08:33 Unable to assign role to user-assigned managed identity, retrying...
2025/10/29 13:08:45 Created role assignment for role mihuangr4case5-openshift-cloud-network-config-controller-cloud-credentials with user-assigned managed identity principal ID b4406f4f-f426-4ef9-8202-ccd71d24fbd3 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:08:45 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-network-config-controller-cloud-credentials/federatedIdentityCredentials/cloud-network-config-controller
2025/10/29 13:08:45 Saved credentials configuration to: round4/case5/output/manifests/openshift-cloud-network-config-controller-cloud-credentials-credentials.yaml
2025/10/29 13:08:47 Created user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials
2025/10/29 13:08:49 Created customRole mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/106fa42e-a425-4c75-93e1-73f8e2f88673
2025/10/29 13:08:52 Created role assignment for role mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials with user-assigned managed identity principal ID 6cc2c54e-ad67-4f0f-ab3b-0a5dffefc563 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:08:52 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials/federatedIdentityCredentials/azure-disk-csi-driver-operator
2025/10/29 13:08:53 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials/federatedIdentityCredentials/azure-disk-csi-driver-controller-sa
2025/10/29 13:08:54 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials/federatedIdentityCredentials/azure-disk-csi-driver-node-sa
2025/10/29 13:08:54 Saved credentials configuration to: round4/case5/output/manifests/openshift-cluster-csi-drivers-azure-disk-credentials-credentials.yaml
2025/10/29 13:08:56 Created user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials
2025/10/29 13:09:00 Created customRole mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/bb6b37ac-2116-484e-8254-11d9fe4aba57
2025/10/29 13:09:01 Unable to assign role to user-assigned managed identity, retrying...
2025/10/29 13:09:12 Created role assignment for role mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials with user-assigned managed identity principal ID 5f81c59c-b60d-4b75-8d06-17b9bf484754 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:09:13 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials/federatedIdentityCredentials/azure-file-csi-driver-operator
2025/10/29 13:09:14 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials/federatedIdentityCredentials/azure-file-csi-driver-controller-sa
2025/10/29 13:09:14 Created federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials/federatedIdentityCredentials/azure-file-csi-driver-node-sa
2025/10/29 13:09:14 Saved credentials configuration to: round4/case5/output/manifests/openshift-cluster-csi-drivers-azure-file-credentials-credentials.yaml
## Step 4: Add manual extra roles to different identities (Resource Group level only)
Identity 1: mihuangr4case5-openshift-image-registry-installer-cloud-credentials
$ PRINCIPAL_ID_1=$(az identity show --name mihuangr4case5-openshift-image-registry-installer-cloud-credentials --resource-group mihuangr4case5-oidc --query principalId -o tsv)
PRINCIPAL_ID_1: f3e52b9c-1426-4647-86bb-0fcbf0a28323
Adding Storage Blob Data Reader to oidc resource group...
$ az role assignment create --assignee f3e52b9c-1426-4647-86bb-0fcbf0a28323 --role "Storage Blob Data Reader" --scope "/subscriptions/xxx/resourceGroups/mihuangr4case5-oidc"
{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/xxx/resourceGroups/mihuangr4case5-oidc/providers/Microsoft.Authorization/roleAssignments/e6276e3d-88cb-4d91-aa17-fcd2f40fec74",
  "name": "e6276e3d-88cb-4d91-aa17-fcd2f40fec74",
  "principalId": "f3e52b9c-1426-4647-86bb-0fcbf0a28323",
  "principalType": "ServicePrincipal",
  "resourceGroup": "mihuangr4case5-oidc",
  "roleDefinitionId": "/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "scope": "/subscriptions/xxx/resourceGroups/mihuangr4case5-oidc",
  "type": "Microsoft.Authorization/roleAssignments"
}
Identity 2: mihuangr4case5-openshift-ingress-operator-cloud-credentials
$ PRINCIPAL_ID_2=$(az identity show --name mihuangr4case5-openshift-ingress-operator-cloud-credentials --resource-group mihuangr4case5-oidc --query principalId -o tsv)
PRINCIPAL_ID_2: 7aa93b6d-efee-4d56-ad89-9fcdb5811d1d
Adding Reader to install resource group...
$ az role assignment create --assignee 7aa93b6d-efee-4d56-ad89-9fcdb5811d1d --role "Reader" --scope "/subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg"
{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg/providers/Microsoft.Authorization/roleAssignments/60f86913-12a7-41d3-9c32-f7fbde89b2f0",
  "name": "60f86913-12a7-41d3-9c32-f7fbde89b2f0",
  "principalId": "7aa93b6d-efee-4d56-ad89-9fcdb5811d1d",
  "principalType": "ServicePrincipal",
  "resourceGroup": "mihuangr4case5-install-rg",
  "roleDefinitionId": "/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "scope": "/subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg",
  "type": "Microsoft.Authorization/roleAssignments"
}
## Step 5: Record role assignments BEFORE re-run with --preserve-existing-roles
Identity 1 (image-registry) roles:
$ az role assignment list --assignee f3e52b9c-1426-4647-86bb-0fcbf0a28323 --all -o table
Principal                             Role                                                                 Scope
------------------------------------  -------------------------------------------------------------------  --------------------------------------------------------------------------------------------
7724f673-9361-4e42-a37a-57c35e0a03da  mihuangr4case5-openshift-image-registry-installer-cloud-credentials  /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
7724f673-9361-4e42-a37a-57c35e0a03da  Storage Blob Data Reader                                             /subscriptions/xxx/resourceGroups/mihuangr4case5-oidc
Identity 2 (ingress) roles:
$ az role assignment list --assignee 7aa93b6d-efee-4d56-ad89-9fcdb5811d1d --all -o table
Principal                             Role                                                         Scope
------------------------------------  -----------------------------------------------------------  --------------------------------------------------------------------------------------------
f6076bd6-4278-4bea-be5d-8e3b51eda37c  mihuangr4case5-openshift-ingress-operator-cloud-credentials  /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
f6076bd6-4278-4bea-be5d-8e3b51eda37c  Reader                                                       /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
## Step 6: Re-run create-managed-identities WITH --preserve-existing-roles
This should preserve the manually added roles on each identity.
$ ./ccoctl azure create-managed-identities --name mihuangr4case5 --credentials-requests-dir ./round2/credrequests --region eastus --subscription-id xxx --installation-resource-group-name mihuangr4case5-install-rg --issuer-url https://mihuangr4case5.blob.core.windows.net/mihuangr4case5 --oidc-resource-group-name mihuangr4case5-oidc --output-dir ./round4/case5/output --preserve-existing-roles
2025/10/29 13:11:50 Found existing resource group /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:11:50 Cluster installation resource group name is mihuangr4case5-install-rg. This resource group MUST be configured as the resource group used for cluster installation.
2025/10/29 13:11:50 Ignoring CredentialsRequest openshift-cloud-credential-operator/openshift-cluster-api-azure with tech-preview annotation
2025/10/29 13:11:50 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials
2025/10/29 13:11:51 Found existing customRole mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/d81dc28b-3ac6-43e7-b1e9-02453ea4103a
2025/10/29 13:11:53 Updated customRole mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/d81dc28b-3ac6-43e7-b1e9-02453ea4103a
2025/10/29 13:11:54 Found existing role assignment mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials for user-assigned managed identity with principal ID c0e7c7dc-030b-4310-aa3a-e7496639987c at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:11:55 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials/federatedIdentityCredentials/cloud-controller-manager
2025/10/29 13:11:55 Saved credentials configuration to: round4/case5/output/manifests/openshift-cloud-controller-manager-azure-cloud-credentials-credentials.yaml
2025/10/29 13:11:55 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-machine-api-azure-cloud-credentials
2025/10/29 13:11:55 Found existing customRole mihuangr4case5-openshift-machine-api-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/6ad47bad-d52d-4de3-a30f-8732c73ddfa1
2025/10/29 13:11:57 Updated customRole mihuangr4case5-openshift-machine-api-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/6ad47bad-d52d-4de3-a30f-8732c73ddfa1
2025/10/29 13:11:58 Found existing role assignment mihuangr4case5-openshift-machine-api-azure-cloud-credentials for user-assigned managed identity with principal ID efaa6767-93dc-4981-be81-05153282e1e5 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:11:58 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-machine-api-azure-cloud-credentials/federatedIdentityCredentials/machine-api-controllers
2025/10/29 13:11:58 Saved credentials configuration to: round4/case5/output/manifests/openshift-machine-api-azure-cloud-credentials-credentials.yaml
2025/10/29 13:11:58 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-image-registry-installer-cloud-credentials
2025/10/29 13:11:59 error ensuring custom role: PUT https://management.azure.com/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/c737343e-723d-4e17-9c7a-0e5c15a3c561
--------------------------------------------------------------------------------
RESPONSE 409: 409 Conflict
ERROR CODE: RoleDefinitionWithSameNameExists
--------------------------------------------------------------------------------
{
  "error": {
    "code": "RoleDefinitionWithSameNameExists",
    "message": "A custom role with the same name already exists in this directory. Use a different name."
  }
}
--------------------------------------------------------------------------------
## Step 7: Waiting 3 minutes to allow Azure role definition replication...
## Waiting 3 minutes for Azure role definition replication...
Wait started: Wed Oct 29 13:13:16 EDT 2025
Wait completed: Wed Oct 29 13:16:16 EDT 2025
## Step 6 (Retry): Re-run create-managed-identities WITH --preserve-existing-roles after waiting
$ ./ccoctl azure create-managed-identities --name mihuangr4case5 --credentials-requests-dir ./round2/credrequests --region eastus --subscription-id xxx --installation-resource-group-name mihuangr4case5-install-rg --issuer-url https://mihuangr4case5.blob.core.windows.net/mihuangr4case5 --oidc-resource-group-name mihuangr4case5-oidc --output-dir ./round4/case5/output --preserve-existing-roles
2025/10/29 13:17:54 Found existing resource group /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:17:54 Cluster installation resource group name is mihuangr4case5-install-rg. This resource group MUST be configured as the resource group used for cluster installation.
2025/10/29 13:17:54 Ignoring CredentialsRequest openshift-cloud-credential-operator/openshift-cluster-api-azure with tech-preview annotation
2025/10/29 13:17:54 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials
2025/10/29 13:17:55 Found existing customRole mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/d81dc28b-3ac6-43e7-b1e9-02453ea4103a
2025/10/29 13:17:56 Updated customRole mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/d81dc28b-3ac6-43e7-b1e9-02453ea4103a
2025/10/29 13:17:58 Found existing role assignment mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials for user-assigned managed identity with principal ID c0e7c7dc-030b-4310-aa3a-e7496639987c at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:17:58 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-controller-manager-azure-cloud-credentials/federatedIdentityCredentials/cloud-controller-manager
2025/10/29 13:17:58 Saved credentials configuration to: round4/case5/output/manifests/openshift-cloud-controller-manager-azure-cloud-credentials-credentials.yaml
2025/10/29 13:17:59 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-machine-api-azure-cloud-credentials
2025/10/29 13:17:59 Found existing customRole mihuangr4case5-openshift-machine-api-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/6ad47bad-d52d-4de3-a30f-8732c73ddfa1
2025/10/29 13:18:01 Updated customRole mihuangr4case5-openshift-machine-api-azure-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/6ad47bad-d52d-4de3-a30f-8732c73ddfa1
2025/10/29 13:18:02 Found existing role assignment mihuangr4case5-openshift-machine-api-azure-cloud-credentials for user-assigned managed identity with principal ID efaa6767-93dc-4981-be81-05153282e1e5 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:18:02 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-machine-api-azure-cloud-credentials/federatedIdentityCredentials/machine-api-controllers
2025/10/29 13:18:02 Saved credentials configuration to: round4/case5/output/manifests/openshift-machine-api-azure-cloud-credentials-credentials.yaml
2025/10/29 13:18:02 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-image-registry-installer-cloud-credentials
2025/10/29 13:18:02 Found existing customRole mihuangr4case5-openshift-image-registry-installer-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/c3370431-b38b-4119-ae6a-3da6a89f2921
2025/10/29 13:18:03 Updated customRole mihuangr4case5-openshift-image-registry-installer-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/c3370431-b38b-4119-ae6a-3da6a89f2921
2025/10/29 13:18:03 Found existing role assignment mihuangr4case5-openshift-image-registry-installer-cloud-credentials for user-assigned managed identity with principal ID f3e52b9c-1426-4647-86bb-0fcbf0a28323 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:18:03 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-image-registry-installer-cloud-credentials/federatedIdentityCredentials/cluster-image-registry-operator
2025/10/29 13:18:03 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-image-registry-installer-cloud-credentials/federatedIdentityCredentials/registry
2025/10/29 13:18:03 Saved credentials configuration to: round4/case5/output/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2025/10/29 13:18:03 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-ingress-operator-cloud-credentials
2025/10/29 13:18:03 Found existing customRole mihuangr4case5-openshift-ingress-operator-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/0fb9647a-9372-4a26-b224-7514e0de0e7c
2025/10/29 13:18:05 Updated customRole mihuangr4case5-openshift-ingress-operator-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/0fb9647a-9372-4a26-b224-7514e0de0e7c
2025/10/29 13:18:06 Found existing role assignment mihuangr4case5-openshift-ingress-operator-cloud-credentials for user-assigned managed identity with principal ID 7aa93b6d-efee-4d56-ad89-9fcdb5811d1d at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:18:06 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-ingress-operator-cloud-credentials/federatedIdentityCredentials/ingress-operator
2025/10/29 13:18:06 Saved credentials configuration to: round4/case5/output/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
2025/10/29 13:18:06 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-network-config-controller-cloud-credentials
2025/10/29 13:18:06 Found existing customRole mihuangr4case5-openshift-cloud-network-config-controller-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/46841770-fa2a-4960-b8c0-31d2ddb61105
2025/10/29 13:18:07 Updated customRole mihuangr4case5-openshift-cloud-network-config-controller-cloud-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/46841770-fa2a-4960-b8c0-31d2ddb61105
2025/10/29 13:18:08 Found existing role assignment mihuangr4case5-openshift-cloud-network-config-controller-cloud-credentials for user-assigned managed identity with principal ID b4406f4f-f426-4ef9-8202-ccd71d24fbd3 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:18:08 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cloud-network-config-controller-cloud-credentials/federatedIdentityCredentials/cloud-network-config-controller
2025/10/29 13:18:08 Saved credentials configuration to: round4/case5/output/manifests/openshift-cloud-network-config-controller-cloud-credentials-credentials.yaml
2025/10/29 13:18:08 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials
2025/10/29 13:18:09 Found existing customRole mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/106fa42e-a425-4c75-93e1-73f8e2f88673
2025/10/29 13:18:11 Updated customRole mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/106fa42e-a425-4c75-93e1-73f8e2f88673
2025/10/29 13:18:11 Found existing role assignment mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials for user-assigned managed identity with principal ID 6cc2c54e-ad67-4f0f-ab3b-0a5dffefc563 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:18:11 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials/federatedIdentityCredentials/azure-disk-csi-driver-operator
2025/10/29 13:18:11 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials/federatedIdentityCredentials/azure-disk-csi-driver-controller-sa
2025/10/29 13:18:11 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-disk-credentials/federatedIdentityCredentials/azure-disk-csi-driver-node-sa
2025/10/29 13:18:11 Saved credentials configuration to: round4/case5/output/manifests/openshift-cluster-csi-drivers-azure-disk-credentials-credentials.yaml
2025/10/29 13:18:11 Found existing user-assigned managed identity /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials
2025/10/29 13:18:12 Found existing customRole mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/bb6b37ac-2116-484e-8254-11d9fe4aba57
2025/10/29 13:18:13 Updated customRole mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials /subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/bb6b37ac-2116-484e-8254-11d9fe4aba57
2025/10/29 13:18:13 Found existing role assignment mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials for user-assigned managed identity with principal ID 5f81c59c-b60d-4b75-8d06-17b9bf484754 at scope /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
2025/10/29 13:18:13 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials/federatedIdentityCredentials/azure-file-csi-driver-operator
2025/10/29 13:18:14 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials/federatedIdentityCredentials/azure-file-csi-driver-controller-sa
2025/10/29 13:18:14 Found existing federated identity credential /subscriptions/xxx/resourcegroups/mihuangr4case5-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mihuangr4case5-openshift-cluster-csi-drivers-azure-file-credentials/federatedIdentityCredentials/azure-file-csi-driver-node-sa
2025/10/29 13:18:14 Saved credentials configuration to: round4/case5/output/manifests/openshift-cluster-csi-drivers-azure-file-credentials-credentials.yaml
SUCCESS! After waiting 3 minutes for Azure replication, all custom roles were found and updated.
## Step 7: Verify role assignments AFTER successful re-run
Identity 1 (image-registry) roles:
$ az role assignment list --assignee f3e52b9c-1426-4647-86bb-0fcbf0a28323 --all -o table
Principal                             Role                                                                 Scope
------------------------------------  -------------------------------------------------------------------  --------------------------------------------------------------------------------------------
7724f673-9361-4e42-a37a-57c35e0a03da  mihuangr4case5-openshift-image-registry-installer-cloud-credentials  /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
7724f673-9361-4e42-a37a-57c35e0a03da  Storage Blob Data Reader                                             /subscriptions/xxx/resourceGroups/mihuangr4case5-oidc

Identity 2 (ingress) roles:
$ az role assignment list --assignee 7aa93b6d-efee-4d56-ad89-9fcdb5811d1d --all -o table
Principal                             Role                                                         Scope
------------------------------------  -----------------------------------------------------------  --------------------------------------------------------------------------------------------
f6076bd6-4278-4bea-be5d-8e3b51eda37c  mihuangr4case5-openshift-ingress-operator-cloud-credentials  /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
f6076bd6-4278-4bea-be5d-8e3b51eda37c  Reader                                                       /subscriptions/xxx/resourceGroups/mihuangr4case5-install-rg
- blocks: OCPBUGS-65800 Azure custom role definitions can experience replication delays (POST)
- clones: OCPBUGS-65798 Azure custom role definitions can experience replication delays (Verified)
- is blocked by: OCPBUGS-65798 Azure custom role definitions can experience replication delays (Verified)
- is cloned by: OCPBUGS-65800 Azure custom role definitions can experience replication delays (POST)
- links to