question

GhoshSanu-8837 asked NandhaKumarNagarajan-7519 commented

How to remove deny assignment from ARO cluster which was assigned automatically during ARO cluster creation

Failed to update virtual machine 'ocp-xh45b-worker-australiaeast1-xtbtc'. Error: The client 'sanu.ghosh@fujitsu.com' with object id '540e5759-b7b6-4d74-87f3-ce5e9cef150e' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope 'aro-l92n0fqz/providers/Microsoft.Compute/virtualMachines/ocp-xh45b-worker-australiaeast1-xtbtc'; however, the access is denied because of the deny assignment with name '5901f0c2-9094-59b4-9a77-c83ca3b768ca' and Id '5901f0c2909459b49a77c83ca3b768ca' at scope '/subscriptions/6ed90f42-1fd7-4b6f-a72e-ff059edc9e8b/resourcegroups/aro-l92n0fqz'.

azure-rbac azure-redhat-openshift

Can you please share what updates/modifications you are trying to apply to the ARO resource group?


1 Answer

karishmatiwari-msft answered NandhaKumarNagarajan-7519 commented

This happens when a user is trying to manage/change a managed resource [ARO resource group]. This is currently by design. After a user creates an ARO openShiftClusters resource, the ARO service creates a cluster resource group.

The end user doesn't have permissions to delete that cluster resource group. If they want it to go away, they should delete the ARO openShiftClusters resource, and the service will delete it again.

The ARO VMSS is fully managed by Azure. The deny action is intended. The cluster resource group is protected by a deny assignment which prevents the end user from inadvertently deleting or modifying it.


If this answers your query, do click “Accept the answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.


I am also facing the same problem. The changes/actions I am trying to do are:
1. Stop the instances (Workers and Masters), because this is a test environment and I don't want the instances to be running all the time - Denied
2. Create a new Backend Pool in the Load Balancer created for this OpenShift Cluster - Denied

But I feel these are valid changes and we should be able to do them.



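For anyone triaging the same error, the following is an added example, not part of the original thread or any poster's code. It pulls the deny assignment's name and scope out of the error text and builds a read-only Azure Resource Manager query that shows which actions the assignment blocks and which principals are excluded. The function names and the sample error (placeholder IDs) are constructed for illustration; it assumes a logged-in Azure CLI (`az rest`) and api-version `2022-04-01` of the deny assignments API.

```shell
#!/usr/bin/env bash
# Added example: triage an Azure "denied because of the deny assignment" error.
# SAMPLE_ERROR is constructed (placeholder IDs), shaped like the error in the question.
SAMPLE_ERROR="Failed to update virtual machine 'vm-example'. Error: The client 'user@example.com' with object id '00000000-0000-0000-0000-000000000001' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/00000000-0000-0000-0000-000000000002/resourcegroups/aro-example/providers/Microsoft.Compute/virtualMachines/vm-example'; however, the access is denied because of the deny assignment with name '00000000-0000-0000-0000-000000000003' and Id '00000000000000000000000000000003' at scope '/subscriptions/00000000-0000-0000-0000-000000000002/resourcegroups/aro-example'."

# Print the single-quoted value that follows a fixed phrase in the error text.
# $1 = error text, $2 = phrase preceding the quoted value (hypothetical helper)
field_after() {
  printf '%s\n' "$1" | sed -n "s/.*$2 '\([^']*\)'.*/\1/p"
}

# Build the ARM URL that lists deny assignments at the scope named in the error.
# Returns 1 if the text is not a deny-assignment error.
deny_assignments_url() {
  local scope name
  scope=$(field_after "$1" "at scope")
  name=$(field_after "$1" "deny assignment with name")
  [ -n "$scope" ] && [ -n "$name" ] || return 1
  printf 'https://management.azure.com%s/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01\n' "$scope"
}

# Read-only lookup (GET): what the assignment denies and who is excluded.
# Requires 'az login'; defined here but not called by this script.
show_deny_assignment() {
  local name url
  name=$(field_after "$1" "deny assignment with name")
  url=$(deny_assignments_url "$1") || return 1
  az rest --method get --url "$url" \
    --query "value[?name=='$name'].properties.{denyName:denyAssignmentName, system:isSystemProtected, permissions:permissions, excluded:excludePrincipals}"
}

# Offline demonstration: print the denied action and the lookup URL.
echo "denied action: $(field_after "$SAMPLE_ERROR" "perform action")"
deny_assignments_url "$SAMPLE_ERROR"
```

Call `show_deny_assignment` with the full error string from the portal or CLI to see the assignment's details; the query only reads the assignment and does not change it.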