mspnp/aks-baseline-regulated

get error on EnsureClusterIdentityHasRbacToSelfManagedResources

liuzhiyong1982 opened this issue · 2 comments

When I attempt to deploy cluster-stamp.json, I always get an error on the EnsureClusterIdentityHasRbacToSelfManagedResources deployment. I noticed there are actually 6 roleAssignments in this block. 4 of them, regarding MI RBAC role assignments at subnet scope, get the same error msg:

```json
{
  "status": "Failed",
  "error": {
    "code": "RoleAssignmentUpdateNotPermitted",
    "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."
  }
}
```

From my understanding, RBAC can only be applied on 1) resource groups, 2) resources (a vnet is a resource and subnets are not; subnets are the outcome of a resource), 3) subscriptions.
Subnets are not resources, and you will not be able to restrict which subnets can and cannot be used via the RBAC/custom roles feature.
Feel free to correct me if I am wrong.

Sorry for the delay @liuzhiyong1982 -- when you get the "Tenant ID, application ID, principal ID, and scope are not allowed to be updated." message, that usually means that you have a lingering role assignment that exists from a prior deployment that wasn't deleted. For example, you deleted the resource group that contains the cluster and its adjacent, but didn't remove the managed identity assignment from the subnets that are managed by the prior cluster's identities. Each subnet is a resource that has its own role assignments in this case. Internally we run into this a lot when we are creating and doing partial deletes on resources to keep the inner loop tight :)

Let me know if you have any more questions.
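One way to locate the lingering subnet-scope assignments described above, as an added example that is not part of this thread or the repository: it processes the JSON that `az role assignment list --scope <subnet resource id> -o json` returns, keeps every assignment whose principal is not one of the identities the current deployment uses, and builds the `az role assignment delete` commands that remove exactly those entries. The subscription, subnet, identity and assignment IDs are constructed placeholders, and the sample output is embedded so the script runs offline.

```python
"""Find role assignments left on a subnet by a deleted cluster deployment.

Input is the JSON from `az role assignment list --scope <subnetId> -o json`.
The current identities' principal IDs can be read with
`az identity show -g <rg> -n <name> --query principalId -o tsv`.
All identifiers below are constructed sample values.
"""
import json

SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-spoke"
          "/providers/Microsoft.Network/virtualNetworks/vnet-spoke/subnets/snet-clusternodes")

# Constructed sample of `az role assignment list` output for that subnet.
SAMPLE_AZ_OUTPUT = json.dumps([
    {   # left behind by the previous cluster's managed identity (resource group deleted)
        "id": f"{SUBNET}/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
        "name": "11111111-1111-1111-1111-111111111111",
        "principalId": "aaaaaaaa-0000-0000-0000-000000000001",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Network Contributor",
        "scope": SUBNET,
    },
    {   # belongs to an identity the current deployment still uses: keep it
        "id": f"{SUBNET}/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
        "name": "22222222-2222-2222-2222-222222222222",
        "principalId": "aaaaaaaa-0000-0000-0000-000000000002",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Network Contributor",
        "scope": SUBNET,
    },
])


def find_stale_assignments(az_json: str, current_principal_ids: set[str]) -> list[dict]:
    """Return assignments on the scope whose principal is not a current identity."""
    return [ra for ra in json.loads(az_json)
            if ra.get("principalId") not in current_principal_ids]


def delete_commands(stale: list[dict]) -> list[str]:
    """Build one `az role assignment delete --ids ...` command per stale assignment.
    Deleting by the assignment's own id touches only that entry, nothing else on the subnet."""
    return [f"az role assignment delete --ids {ra['id']}" for ra in stale]


if __name__ == "__main__":
    current = {"aaaaaaaa-0000-0000-0000-000000000002"}  # constructed: the live cluster identity
    for cmd in delete_commands(find_stale_assignments(SAMPLE_AZ_OUTPUT, current)):
        print(cmd)
```

Review the printed commands before running them; the script only proposes deletions and never calls the CLI itself.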

Going to close this one as there haven't been any updates in about a month. Feel free to open a new issue or reopen this one to continue the conversation. Thanks!