ARO cluster creation fails with error: Values of identifierUris property must use a verified domain of the organization or its subdomain
Environment
- Azure Red Hat OpenShift (ARO) 4
- OpenShift Managed (Azure) 4
Issue
- Cannot create an ARO cluster using the az aro create command.
- The following errors are shown when trying to create a new ARO cluster:
{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Values of identifierUris property must use a verified domain of the organization or its subdomain: 'https://az.aro.azure.com/uuid'"},"requestId":"XXXXXXXX","date":"2021-10-20T00:00:01","values":[{"item":"PropertyName","value":"identifierUris"},{"item":"PropertyErrorCode","value":"HostNameNotOnVerifiedDomain"},{"item":"HostName","value":"https://az.aro.azure.com/uuid"}]}}
msrest.exceptions: Values of identifierUris property must use a verified domain of the organization or its subdomain
Resolution
Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
This issue has been fixed in Azure CLI version 2.25.0. Please update the Azure CLI to that version or a newer one.
Workaround
The workaround for previous Azure CLI versions is to create an Azure Service Principal before creating the cluster, and to pass the client-id to the az aro create command:
az aro create --client-id [XXXXXXXXX] --client-secret [YYYYYYYYYY] [other_required_parameters]
Note: refer to "Create the cluster" for the additional parameters.
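A preflight wrapper for the fix and workaround described above, added here as an example (it is not Red Hat's or Microsoft's script). It checks the installed Azure CLI version against 2.25.0 and, on older versions, refuses to run az aro create unless the credentials of an already created Service Principal are supplied. The function names and the ARO_CLIENT_ID / ARO_CLIENT_SECRET variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Red Hat's or Microsoft's script. The function names and
# the ARO_CLIENT_ID / ARO_CLIENT_SECRET variables are hypothetical.
FIXED_CLI_VERSION="2.25.0"   # Azure CLI version the article names as fixed

# Exit 0 when dotted version $1 is older than $2. Fields are compared as
# numbers, so 2.9.1 sorts before 2.25.0 (a string comparison would not).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print "workaround" for CLI versions that need a pre-created Service
# Principal, "default" for versions that carry the fix.
aro_create_mode() {
    if version_lt "$1" "$FIXED_CLI_VERSION"; then
        echo workaround
    else
        echo default
    fi
}

# Wrapper around az aro create; "$@" carries the other required parameters.
aro_create() {
    cli_version=$(az version --query '"azure-cli"' --output tsv) || return 1
    if [ "$(aro_create_mode "$cli_version")" = default ]; then
        az aro create "$@"
        return
    fi
    if [ -z "${ARO_CLIENT_ID:-}" ] || [ -z "${ARO_CLIENT_SECRET:-}" ]; then
        echo "Azure CLI $cli_version predates $FIXED_CLI_VERSION: upgrade it, or set" \
             "ARO_CLIENT_ID and ARO_CLIENT_SECRET for an existing Service Principal." >&2
        return 1
    fi
    az aro create --client-id "$ARO_CLIENT_ID" \
        --client-secret "$ARO_CLIENT_SECRET" "$@"
}
```

Supplying the secret through an environment variable keeps it out of the wrapper's own command line and shell history, but az aro create still receives it as an argument, so it remains visible in the process list while that command runs.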
Root Cause
After an API change introduced in Azure in October 2021 (AppId Uri in single tenant applications will require use of default scheme or verified domains), the default az aro create behavior of creating the Service Principal for new clusters fails.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.