az aro create: --enable-managed-identity and related identity arguments not supported in CLI versions 2.77.0 #32120

Description

@v-mpurohit

### Describe the bug

We are trying to create an Azure Red Hat OpenShift (ARO) cluster using the az aro create command with the --enable-managed-identity flag and related identity assignment parameters (like --assign-identity, --assign-kubelet-identity), but the CLI throws an error saying these arguments are unrecognized.

We have tested this on multiple versions of Azure CLI:

- 2.77.0 (latest at the time)

- 2.67.0 (older version, where we expected support; throws a preview warning)

### Related command

```
az aro create \
  --resource-group \
  --name \
  --vnet /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/aro-vnet \
  --master-subnet master \
  --worker-subnet worker \
  --version 4.17.27 \
  --enable-managed-identity \
  --assign-cluster-identity /subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/aro-cluster \
  --assign-platform-workload-identity file-csi-driver /subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/file-csi-driver \
  --assign-platform-workload-identity cloud-controller-manager /subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/cloud-controller-manager \
  ... (more identities)
```

### Errors

```
ERROR: unrecognized arguments:
--enable-managed-identity
--assign-cluster-identity ...
--assign-platform-workload-identity ...
```

### Issue script & Debug output

#### Issue script

```
az aro create \
  --resource-group <rg> \
  --name <cluster-name> \
  --vnet <vnet-id> \
  --master-subnet master \
  --worker-subnet worker \
  --version 4.17.27 \
  --enable-managed-identity \
  --assign-cluster-identity <uami-id> \
  --assign-platform-workload-identity file-csi-driver <uami-id> \
  ... \
  --assign-platform-workload-identity disk-csi-driver <uami-id> \
  --debug
```

#### Debug output

```
DEBUG: cli.knack.cli: Command arguments: ['aro', 'create', '--resource-group', 'conformance-aro-...', '--name', 'ARO-N-...', ... '--enable-managed-identity', ... '--assign-platform-workload-identity', ...]
DEBUG: cli.azure.cli.core: Modules found from index for 'aro': ['azure.cli.command_modules.aro']
...
ERROR: unrecognized arguments: --enable-managed-identity ... --assign-platform-workload-identity ...
```


### Expected behavior

These flags should be supported in the latest ARO CLI extension if they are documented.

The CLI should either create the cluster with the managed identities assigned or return a clear error that these arguments are not implemented/supported yet.

### Environment Summary

- az CLI 2.77.0 (latest at time of testing)

- ARO extension version: Installed via az extension add -n aro (latest)

- Python modules installed: msrestazure present

### Additional context

The same command used to work (with preview warnings) in Azure CLI 2.67, although it failed at runtime with:

```
ERROR: Insufficient privileges to complete the operation.
```


This shows that the following preview arguments existed in 2.67 but are no longer recognized in 2.77:

- `--enable-managed-identity`

- `--assign-cluster-identity`

- `--assign-platform-workload-identity`

It is unclear if support for managed identities on ARO was intentionally removed or accidentally dropped during recent CLI refactors.

The older implementation relied on msrestazure-based Track 1 SDKs, and newer Azure CLI releases are migrating to Track 2 SDKs.
This migration might have removed these arguments from the az aro command group.
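
A pre-flight check for the situation reported above, as an added example that is not part of the original issue or of the Azure CLI project: it scans the `az aro create --help` text of the installed CLI for the three identity flags named in the report, so an unsupported build is caught before a long create command is run. The function names `missing_flags` and `preflight` are hypothetical, and the check assumes that every argument the installed command accepts is listed in its help output.

```shell
#!/bin/sh
# Added example (not from the issue or the Azure CLI project).
# Flags copied from the issue text; nothing here states which CLI
# versions support them, it only inspects the build that is installed.
REQUIRED_FLAGS="--enable-managed-identity --assign-cluster-identity --assign-platform-workload-identity"

# missing_flags: read help text on stdin, print each required flag that
# does not appear in it as a complete argument name.
missing_flags() {
  help_text=$(cat)
  for flag in $REQUIRED_FLAGS; do
    # Require whitespace, a comma or a line edge on both sides so that a
    # longer name such as "<flag>-something" does not count as a match.
    printf '%s\n' "$help_text" |
      grep -qE -- "(^|[[:space:],])${flag}([[:space:],]|\$)" ||
      printf '%s\n' "$flag"
  done
}

# preflight: run the check against the installed az CLI.
# Returns 0 if all flags are listed, 1 if any are missing, 2 if az is absent.
preflight() {
  command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; return 2; }
  # Record the core CLI version and installed extensions with the result.
  az version >&2
  missing=$(az aro create --help 2>/dev/null | missing_flags)
  if [ -n "$missing" ]; then
    echo "az aro create on this machine does not list:" >&2
    printf '  %s\n' $missing >&2
    return 1
  fi
  echo "all identity flags are listed by az aro create --help" >&2
}

# Only touch the real CLI when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

Attaching the `az version` output that `preflight` prints to a bug report shows which core CLI and which extensions were installed when the flags went missing.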

Labels: ARO, Auto-Assign, Service Attention, Similar-Issue, act-codegen-extensibility-squad, bug
