Errors Creating ProjectRoleBinding via CLI in Aria Automation CCI

Article ID: 423903

Products

VCF Automation

Issue/Introduction

While following "Setting up the Cloud Consumption Interface infrastructure using kubectl" (specifically Step 1, part 2), you may encounter BadRequest or Forbidden errors when attempting to create a ProjectRoleBinding using the kubectl CLI for VMware Aria Automation Cloud Consumption Interface (CCI).

This issue typically occurs during the initial CCI infrastructure setup when you assign roles to users or groups.

Symptoms

You may observe the following error messages in the terminal:

Error: Error when creating "projectrolebinding.yaml": Resource name must match the subject kind and name
Error: Error from server (Forbidden): User "user" cannot create resource "projectroles" in API group "authorization.cci.vmware.com" at the cluster scope

Environment

Aria Automation 8.18.1

Cause

The issue is caused by a mismatch between the identity string used in the YAML file and the user's actual configuration in vIDM.

  • Identity Format: The CCI documentation examples often use a UPN format (e.g., [email protected]). However, if vIDM is configured to use "short" usernames, the domain suffix must be omitted.
  • API Validation: The CCI API requires that the metadata: name of the ProjectRoleBinding resource strictly match the subjects: name value.

Resolution

Update the ProjectRoleBinding YAML configuration to align with your environment's identity source and CCI API requirements.

  1. Verify Username: Confirm the exact username format as it appears in the Aria Automation Identity & Access Management (IAM) tab.
  2. Align Metadata and Subject: Ensure the metadata: name field is identical to the subjects: name field.
  3. Use Short Names: If your vIDM integration uses short-form usernames, remove the @domain.com suffix.

Corrected YAML Example:

apiVersion: authorization.cci.vmware.com/v1alpha1
kind: ProjectRoleBinding
metadata:
  name: jdoe              # MUST match subjects: name exactly
  namespace: my-project
roleRef:
  apiGroup: authorization.cci.vmware.com
  kind: ProjectRole
  name: admin
subjects:
- kind: User
  name: jdoe              # Use the short name used in vIDM

Apply Configuration: Run the create command again:

kubectl create -f projectrolebinding.yaml
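
A pre-flight check for steps 2 and 3 of the Resolution, as an added example that is not part of the original article or of any VMware tooling. The function names (prb_names, check_prb, write_prb) are hypothetical, example.com is a placeholder domain, and the parser assumes the single-document layout of the corrected YAML above.

```shell
#!/bin/sh
# Added example: lint a ProjectRoleBinding manifest before kubectl create.
# Assumes the article's layout: top-level metadata: and subjects: keys.

# prb_names FILE SECTION: print each name: value under top-level SECTION.
prb_names() {
  awk -v section="$2" '
    /^[A-Za-z]/ { in_sec = ($1 == (section ":")); next }  # top-level key
    in_sec && /^[ -]+name:/ {
      sub(/^[ -]+name:[ \t]*/, "")   # drop the key
      sub(/[ \t]+#.*$/, "")          # drop a trailing comment
      sub(/[ \t\r]+$/, "")           # drop trailing whitespace
      print
    }' "$1" | tr -d "\"'"            # drop optional YAML quotes
}

# check_prb FILE [short]: 0 = consistent, 1 = rule violated, 2 = unparsable.
# With "short", a subject that still carries an @domain suffix also fails.
check_prb() {
  meta=$(prb_names "$1" metadata | head -n 1)
  subjects=$(prb_names "$1" subjects)
  if [ -z "$meta" ] || [ -z "$subjects" ]; then
    echo "no metadata name or subjects found in $1" >&2; return 2
  fi
  rc=0
  for subj in $subjects; do
    if [ "$subj" != "$meta" ]; then
      echo "metadata name '$meta' != subject name '$subj'" >&2; rc=1
    fi
    case $subj in *@*)
      echo "subject '$subj' has a domain suffix" >&2
      if [ "${2:-}" = short ]; then rc=1; fi ;;
    esac
  done
  return $rc
}

# write_prb META SUBJECT: constructed manifest in the article's layout.
write_prb() {
  printf '%s\n' 'kind: ProjectRoleBinding' 'metadata:' "  name: $1" \
    '  namespace: my-project' 'roleRef:' '  kind: ProjectRole' \
    '  name: admin' 'subjects:' '- kind: User' "  name: $2  # subject"
}

# Demo on constructed input (example.com is a placeholder domain).
tmp=$(mktemp); write_prb jdoe jdoe@example.com > "$tmp"
check_prb "$tmp" short || echo "fix the manifest before kubectl create"
rm -f "$tmp"
```

Pass short as the second argument only when the username shown in the Identity & Access Management tab has no domain suffix; without it, a suffix is reported but does not fail the check.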