OCPBUGS-74245: Azure - Fix system-assigned managed identity authentication #10355

Open
jianlinliu wants to merge 1 commit into openshift:main from jianlinliu:OCPBUGS-74245
Conversation

@jianlinliu
Contributor

When using system-assigned managed identity on Azure, the installer
fails to create resources because the AzureClusterIdentity manifest
is incorrectly configured with UserAssignedMSI type but no ClientID.

Root Cause:

When using system-assigned managed identity per Azure documentation,
users only provide subscriptionId and tenantId in osServicePrincipal.json
(no clientId). The installer correctly detects this as ManagedIdentityAuth,
but then sets the CAPZ AzureClusterIdentity type to UserAssignedMSI
with an empty ClientID field.

CAPZ (Cluster API Provider Azure) requires a ClientID when using
UserAssignedMSI type, causing the cluster infrastructure provisioning
to fail during bootstrap.

Fix:

Only set the ClientID field in AzureClusterIdentity when it's not empty.
This allows CAPZ to properly handle system-assigned managed identity
where no explicit client ID is needed - the system will use the
managed identity automatically assigned to the VM.
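
The credential classification and manifest generation the description walks through, reconstructed as a stand-alone added example (this is not the installer's or CAPZ's own code): it reads a constructed osServicePrincipal.json, classifies it the way the description says the installer does, builds a reduced stand-in for the AzureClusterIdentity spec, and then runs a pre-flight check that enforces the constraint the description attributes to CAPZ (UserAssignedMSI needs a ClientID), so the mismatch is reported before bootstrap instead of during it. The struct types, the rule that a clientSecret is what distinguishes service-principal auth from managed identity, the `omitempty` rendering of "field not set", and the sample GUIDs are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Field names follow the osServicePrincipal.json layout named in the PR;
// the struct itself is written for this example (assumption).
type azureCredentials struct {
	SubscriptionID string `json:"subscriptionId"`
	ClientID       string `json:"clientId,omitempty"`
	ClientSecret   string `json:"clientSecret,omitempty"`
	TenantID       string `json:"tenantId"`
}

type authType string

const (
	servicePrincipalAuth authType = "ServicePrincipal"
	managedIdentityAuth  authType = "ManagedIdentity"
)

// Reduced stand-in for the CAPZ AzureClusterIdentitySpec (assumption: only the
// fields the PR talks about are modelled). omitempty on ClientID is how this
// example renders "only set the field when it is not empty".
type identitySpec struct {
	Type     string `json:"type"`
	ClientID string `json:"clientID,omitempty"`
	TenantID string `json:"tenantID"`
}

const (
	identityTypeUserAssignedMSI  = "UserAssignedMSI"
	identityTypeServicePrincipal = "ServicePrincipal"
)

// parseCredentials loads the credential file and classifies it. Assumption:
// a clientSecret means service-principal auth; anything else with a valid
// subscriptionId and tenantId is treated as managed identity, which covers
// the system-assigned case from the PR (no clientId at all).
func parseCredentials(raw []byte) (azureCredentials, authType, error) {
	var c azureCredentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, "", err
	}
	if c.SubscriptionID == "" || c.TenantID == "" {
		return c, "", errors.New("osServicePrincipal.json needs subscriptionId and tenantId")
	}
	if c.ClientSecret != "" {
		return c, servicePrincipalAuth, nil
	}
	return c, managedIdentityAuth, nil
}

// buildIdentitySpec maps the credentials onto the identity manifest. The
// managed-identity branch does what the PR reports the installer does: the
// type is always UserAssignedMSI, and ClientID is copied only when present.
func buildIdentitySpec(c azureCredentials, auth authType) identitySpec {
	spec := identitySpec{TenantID: c.TenantID}
	switch auth {
	case managedIdentityAuth:
		spec.Type = identityTypeUserAssignedMSI
		if c.ClientID != "" { // the PR's change: leave the field unset when empty
			spec.ClientID = c.ClientID
		}
	default:
		spec.Type = identityTypeServicePrincipal
		spec.ClientID = c.ClientID
	}
	return spec
}

// validateForCAPZ applies the constraint the PR attributes to CAPZ: a
// UserAssignedMSI identity must carry a ClientID.
func validateForCAPZ(s identitySpec) error {
	if s.Type == identityTypeUserAssignedMSI && s.ClientID == "" {
		return errors.New("AzureClusterIdentity type UserAssignedMSI requires a clientID, but none was provided (system-assigned identity?)")
	}
	return nil
}

// preflight runs the whole chain and returns the generated spec together with
// any CAPZ-facing problem, so a misconfiguration surfaces before bootstrap.
func preflight(raw []byte) (identitySpec, error) {
	c, auth, err := parseCredentials(raw)
	if err != nil {
		return identitySpec{}, err
	}
	spec := buildIdentitySpec(c, auth)
	return spec, validateForCAPZ(spec)
}

func main() {
	// Constructed sample: a system-assigned managed identity credential file
	// with placeholder GUIDs (subscriptionId and tenantId only, no clientId).
	sample := []byte(`{"subscriptionId":"11111111-1111-1111-1111-111111111111","tenantId":"22222222-2222-2222-2222-222222222222"}`)
	spec, err := preflight(sample)
	out, _ := json.Marshal(spec)
	fmt.Printf("generated identity spec: %s\n", out)
	if err != nil {
		fmt.Println("preflight:", err)
	}
}
```

Running it on the constructed sample prints a spec of type UserAssignedMSI with no clientID key, followed by the pre-flight error; a credential file that also carries a clientId passes the check, which is the distinction the PR's root-cause section draws.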

openshift-ci-robot added labels on Mar 4, 2026: jira/severity-moderate (Referenced Jira bug's severity is moderate for the branch this PR is targeting), jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type), jira/invalid-bug (Indicates that a referenced Jira bug is invalid for the branch this PR is targeting).
@openshift-ci-robot
Contributor

@jianlinliu: This pull request references Jira Issue OCPBUGS-74245, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from jhixson74 and sadasu March 4, 2026 08:45
@openshift-ci
Contributor

openshift-ci bot commented Mar 4, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sadasu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jianlinliu
Contributor Author

/payload-job periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-oidc-managed-identity-system-f14

@openshift-ci
Contributor

openshift-ci bot commented Mar 4, 2026

@jianlinliu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-verification-tests-main-installation-nightly-4.22-azure-ipi-oidc-managed-identity-system-f14

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b403cb30-17ab-11f1-84df-ae537f7631ca-0

@jianlinliu
Contributor Author

/payload-job periodic-ci-openshift-verification-tests-main-installation-nightly-4.21-azure-ipi-oidc-managed-identity-system-f14

@openshift-ci
Contributor

openshift-ci bot commented Mar 4, 2026

@jianlinliu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-verification-tests-main-installation-nightly-4.21-azure-ipi-oidc-managed-identity-system-f14

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4189f870-17d5-11f1-9f13-4837963c9429-0

@patrickdillon
Contributor

It looks like upstream CAPZ does not support system assigned identities. I've opened kubernetes-sigs/cluster-api-provider-azure#6152 which would fix us.

Also proposed a workaround of retrieving the client id: #10367. But I'm not so sure we should do that.
