How to remove deny assignment from ARO cluster which was assigned automatically during ARO cluster creation

Question

Failed to update virtual machine 'ocp-xh45b-worker-australiaeast1-xtbtc'. Error: The client 'sanu.ghosh@Yoshimi, Shimamura .com' with object id '540e5759-b7b6-4d74-87f3-ce5e9cef150e' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope 'aro-l92n0fqz/providers/Microsoft.Compute/virtualMachines/ocp-xh45b-worker-australiaeast1-xtbtc'>ocp-xh45b-worker-australiaeast1-xtbtc'; however, the access is denied because of the deny assignment with name '5901f0c2-9094-59b4-9a77-c83ca3b768ca' and Id '5901f0c2909459b49a77c83ca3b768ca' at scope '/subscriptions/6ed90f42-1fd7-4b6f-a72e-ff059edc9e8b/resourcegroups/aro-l92n0fqz'.

Answer 1

This happens when a user is trying to manage/change a managed resource [ARO resource group]. This is currently by design. After a user creates an ARO openShiftClusters resource, the ARO service creates a cluster resource group.

The end user doesn't have permissions to delete that cluster resource group. If they want it to go away they should delete the ARO openShiftClusters resource and the service will delete it again.

The ARO VMSS is fully managed by Azure. The deny action is intended. The cluster resource group is protected by a deny assignment which prevents the end user from inadvertently deleting or modifying it.

---

If this answers your query, do click “Accept the answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.