PAIF catalog deployment fails with a forbidden error when creating `virtualmachineservices` resources

Article ID: 438576


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

1. The system prevents the "service-account-tango-blueprint-serviceaccount" service account from creating resources in the VCFA namespace, with the error below:

Error creating resource: virtualmachineservices.vmoperator.vmware.com is forbidden: User "service-account-tango-blueprint-serviceaccount" cannot create resource "virtualmachineservices" in API group "vmoperator.vmware.com"

2. This catalog deployment succeeded before the external OIDC provider was removed from VKS.

3. When the old identity provider was removed in VKS, the VCFA OIDC services generated a new identity provider; however, the old OIDC client ID still exists in the Supervisor RoleBindings. You can verify this by running:

kubectl describe rolebindings -n <VCFA namespace> <rolebinding name of VCFA account >

Environment

VMware Cloud Foundation Automation 9.0.2

Resolution

1. Identify the Current OIDC Client ID:
Navigate to Supervisor > Configure > Identity Provider > Edit to find and record the Client ID for the VCFA OIDC services.
 
2. Update RoleBinding YAML:
Log in to the Supervisor cluster and update the RoleBinding YAML to reference the new identity provider by replacing the old Client ID with the new one:
 
For example:
 
- From: edit-xxxxxxxx-paifprojec@[Old Client ID].net
- To: edit-xxxxxxxx-paifprojec@[New Client ID].net
 
3. Apply Changes:
Apply the updated RoleBinding YAML to the affected namespace to restore the service account permissions.
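The verification check from the Issue section (inspecting the RoleBinding for the stale client ID) and the YAML edit in steps 2 and 3 can be scripted. The following is an added example, not part of this article or of VMware's tooling: it reads a RoleBinding as YAML, lists the subjects still bound to the old client ID, rewrites only those subject names, and wraps the kubectl get / dry-run / apply flow in a function you run explicitly once logged in to the Supervisor. The namespace, RoleBinding name and client IDs are placeholders, and the sample RoleBinding is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article or VMware): find and rewrite stale OIDC
# client IDs in a Supervisor RoleBinding. All IDs and names below are placeholders.

# Constructed sample RoleBinding. The subject name pattern
# "<role>-<id>-<project>@<clientId>.net" follows the article's example.
SAMPLE_ROLEBINDING='apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vcfa-paifproject-edit
  namespace: vcfa-ns-placeholder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: edit-12345678-paifprojec@OLD-CLIENT-ID-PLACEHOLDER.net
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: sso:admin@vsphere.local'

# stale_subjects OLD_ID  (reads YAML on stdin)
# Prints each subject "name:" line still bound to "@OLD_ID.net".
stale_subjects() {
  old="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"name: "*"@${old}.net") printf '%s\n' "$line" ;;
    esac
  done
}

# count_stale OLD_ID  (reads YAML on stdin) -> number of stale subject lines
count_stale() { stale_subjects "$1" | wc -l | tr -d ' '; }

# rewrite_client_id OLD_ID NEW_ID  (reads YAML on stdin, writes patched YAML)
# Replaces "@OLD_ID.net" with "@NEW_ID.net" only on subject name lines; every
# other line (metadata, roleRef, unrelated subjects) is passed through verbatim.
rewrite_client_id() {
  old="$1"; new="$2"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"name: "*"@${old}.net")
        prefix="${line%@*}"            # everything before the last "@"
        printf '%s\n' "${prefix}@${new}.net" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# patch_live_rolebinding NAMESPACE ROLEBINDING OLD_ID NEW_ID
# The kubectl flow for steps 2-3 against a real Supervisor cluster. It first
# confirms the binding is actually stale, writes the patched YAML to a file for
# review, validates it with a server-side dry run, and only then applies it.
# Not called here; invoke it explicitly once logged in to the Supervisor.
patch_live_rolebinding() {
  ns="$1"; rb="$2"; old="$3"; new="$4"
  kubectl get rolebinding -n "$ns" "$rb" -o yaml > "rb-${rb}.orig.yaml"
  if [ "$(count_stale "$old" < "rb-${rb}.orig.yaml")" = "0" ]; then
    echo "no subject in $ns/$rb references client ID $old; nothing to do" >&2
    return 1
  fi
  rewrite_client_id "$old" "$new" < "rb-${rb}.orig.yaml" > "rb-${rb}.patched.yaml"
  kubectl apply --dry-run=server -f "rb-${rb}.patched.yaml"
  kubectl apply -f "rb-${rb}.patched.yaml"
}

# Stand-alone demo on the constructed sample: list the stale subject, then
# print the rewritten YAML.
printf '%s\n' "$SAMPLE_ROLEBINDING" | stale_subjects OLD-CLIENT-ID-PLACEHOLDER
printf '%s\n' "$SAMPLE_ROLEBINDING" | rewrite_client_id OLD-CLIENT-ID-PLACEHOLDER NEW-CLIENT-ID-PLACEHOLDER
```

Keeping the original YAML alongside the patched file gives you a diff to review before applying, and the server-side dry run catches a malformed subject or a RoleBinding you lack permission to change before anything is written to the cluster.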
 
Alternatively, you can update the OIDC RoleBinding from the vSphere Namespace UI: