Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1753419

Summary: 4.2 on AZURE failed to create worker nodes
Product: OpenShift Container Platform
Reporter: Arseni <akarshak>
Component: Installer
Assignee: Abhinav Dahiya <adahiya>
Installer sub component: openshift-installer
QA Contact: Etienne Simard <esimard>
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
CC: aos-bugs, esimard, jokerman, jwesterl, kalexand, nstielau, scuppett, sdodson, vigoyal
Version: 4.2.0
Target Release: 4.3.0
Hardware: All
OS: Linux
Last Closed: 2020-01-23 11:06:22 UTC
Type: Bug
Attachments:
- output of oc logs cloud-credentials-operator (flags: none)
- Azure Permissions Screenshot (flags: none)

Description Arseni 2019-09-18 21:06:48 UTC
Created attachment 1616446 [details]
output of oc logs cloud-credentials-operator

Installing OCP 4.2 on Azure, followed pre-req to add permission and roles for service principal. Master nodes start and bootstrap node gets destroyed HOWEVER worker nodes do not get created. Very similar message as described in this Bug -> https://github.com/openshift/installer/issues/2334. Any help on how to resolve it would be appreciated.

Please advise what the correct permission would be. The output from

```
oc logs -n openshift-cloud-credential-operator deploy/cloud-credential-operator
```

is attached.

Comment 1 Devan Goodwin 2019-09-19 11:02:05 UTC
WDYT Jan? Looks like it should have been covered by the service principal roles.

Comment 2 Jan Chaloupka 2019-09-19 11:26:45 UTC
> Master nodes start and bootstrap node gets destroyed HOWEVER worker nodes do not get created. Very similar message as described in this Bug

That means the machine controller is not working properly. Also checking cloud-credential-operator logs:

```
time="2019-09-18T19:39:18Z" level=error msg="error syncing creds in mint-mode" actuator=azure cr=openshift-cloud-credential-operator/openshift-ingress-azure error="unable to list AAD applications: graphrbac.ApplicationsClient#List: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Unknown\" Message=\"Unknown service error\" Details=[{\"odata.error\":{\"code\":\"Authorization_RequestDenied\",\"date\":\"2019-09-18T19:39:18\",\"message\":{\"lang\":\"en\",\"value\":\"Insufficient privileges to complete the operation.\"},\"requestId\":\"aa02ae0a-8241-4779-945a-a400ab58f4b3\"}}]"
```

Your service principal does not have enough permissions to access Azure Active Directory resources.

Can you double check your permission and make sure you use the right credentials when running the installer?
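The triage done by eye in the comment above, as an added example that is not part of the original thread: it parses the cloud-credential-operator line quoted there, pulls out the failing CredentialsRequest and the nested Azure AD Graph error, and flags the directory-permission denial. Function names are hypothetical, and it assumes logrus text-format lines whose quoted values unescape as JSON strings.

```python
import json
import re

# Sample input: the cloud-credential-operator log line quoted in comment 2.
SAMPLE = r'''time="2019-09-18T19:39:18Z" level=error msg="error syncing creds in mint-mode" actuator=azure cr=openshift-cloud-credential-operator/openshift-ingress-azure error="unable to list AAD applications: graphrbac.ApplicationsClient#List: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Unknown\" Message=\"Unknown service error\" Details=[{\"odata.error\":{\"code\":\"Authorization_RequestDenied\",\"date\":\"2019-09-18T19:39:18\",\"message\":{\"lang\":\"en\",\"value\":\"Insufficient privileges to complete the operation.\"},\"requestId\":\"aa02ae0a-8241-4779-945a-a400ab58f4b3\"}}]"'''

# key=value pairs; a value is either a double-quoted string with escapes or a bare token.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(line):
    """Split one log line into a dict of its top-level fields."""
    fields = {}
    for key, val in FIELD.findall(line):
        if val.startswith('"'):
            try:
                val = json.loads(val)   # assumption: escapes are JSON-compatible
            except ValueError:
                val = val[1:-1]         # fall back to the raw quoted text
        fields[key] = val
    return fields

def odata_error(err):
    """Return the odata.error object embedded after 'Details=' or {}."""
    start = err.find("Details=")
    if start < 0:
        return {}
    try:
        details, _ = json.JSONDecoder().raw_decode(err, start + len("Details="))
    except ValueError:
        return {}
    if isinstance(details, list) and details and isinstance(details[0], dict):
        return details[0].get("odata.error", {})
    return {}

def triage(line):
    """Summarise an Azure actuator error line; None for anything else."""
    f = parse_fields(line)
    if f.get("level") != "error" or f.get("actuator") != "azure":
        return None
    err = f.get("error", "")
    od = odata_error(err)
    status = re.search(r"StatusCode=(\d+)", err)
    return {
        "credentials_request": f.get("cr"),
        "status": int(status.group(1)) if status else None,
        "code": od.get("code"),
        "request_id": od.get("requestId"),
        # Denied call went to the AAD Graph client, not to ARM resources.
        "aad_permission_denied": "graphrbac." in err
        and od.get("code") == "Authorization_RequestDenied",
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```
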

Comment 3 Arseni 2019-09-19 15:43:59 UTC
1. your service principal does not have enough permissions to access Azure Active directory resources.

     -- I verified the permissions, see the screenshot attached

2. Can you double check your permission and make sure you use the right credentials when running the installer

     -- I ran the following command (from the doc):

```
$ az ad sp create-for-rbac --role Owner --name team-installer | jq --arg sub_id "$(az account show | jq -r '.id')" '{subscriptionId:$sub_id,clientId:.appId, clientSecret:.password,tenantId:.tenant}' > ~/.azure/osServicePrincipal.json
```

and it created the osServicePrincipal.json file. I then manually verified the tenantID matches the Service Principal tenantID from the UI.

Comment 4 Arseni 2019-09-19 15:44:37 UTC
Created attachment 1616799 [details]
Azure Permissions Screenshot

Comment 5 Arseni 2019-09-19 17:54:29 UTC
I think I found the issue. We need to update the instructions.
When on Step 4 we run the following command "$ az ad sp create-for-rbac --role Owner --name team-installer......" it will create a Service Principal with the name team-installer. This is not what we want. We want to specify the Service Principal that we created earlier (in Step 1).
The instructions are not clear and got a lot of folks here in trouble too.

Comment 6 Arseni 2019-09-19 19:05:25 UTC
The instructions I have followed: https://github.com/openshift/installer/blob/master/docs/user/azure/credentials.md

Comment 15 Abhinav Dahiya 2019-10-15 16:34:21 UTC
The installer docs were updated to fix the issue: https://github.com/openshift/installer/pull/2388

Comment 21 errata-xmlrpc 2020-01-23 11:06:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062

Comment 22 Red Hat Bugzilla 2023-09-14 05:43:25 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days