az aro create: --enable-managed-identity and related identity arguments not supported in CLI versions 2.77.0 #32120
Description
Describe the bug
We are trying to create an Azure Red Hat OpenShift (ARO) cluster using the az aro create command with the --enable-managed-identity flag and related identity assignment parameters (like --assign-identity, --assign-kubelet-identity), but the CLI throws an error saying these arguments are unrecognized.
We have tested this on multiple versions of Azure CLI:
2.77.0 (latest at the time)
2.67.0 (older version where we expected support throws Preview Warning)
Related command
az aro create
--resource-group
--name
--vnet /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/aro-vnet
--master-subnet master
--worker-subnet worker
--version 4.17.27
--enable-managed-identity
--assign-cluster-identity /subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/aro-cluster
--assign-platform-workload-identity file-csi-driver /subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/file-csi-driver
--assign-platform-workload-identity cloud-controller-manager /subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/cloud-controller-manager
... (more identities)
Errors
ERROR: unrecognized arguments:
--enable-managed-identity
--assign-cluster-identity ...
--assign-platform-workload-identity ...
Issue script & Debug output
Issue script
az aro create \
--resource-group <rg> \
--name <cluster-name> \
--vnet <vnet-id> \
--master-subnet master \
--worker-subnet worker \
--version 4.17.27 \
--enable-managed-identity \
--assign-cluster-identity <uami-id> \
--assign-platform-workload-identity file-csi-driver <uami-id> \
... \
--assign-platform-workload-identity disk-csi-driver <uami-id> \
--debug
#### Debug output
DEBUG: cli.knack.cli: Command arguments: ['aro', 'create', '--resource-group', 'conformance-aro-...', '--name', 'ARO-N-...', ... '--enable-managed-identity', ... '--assign-platform-workload-identity', ...]
DEBUG: cli.azure.cli.core: Modules found from index for 'aro': ['azure.cli.command_modules.aro']
...
ERROR: unrecognized arguments: --enable-managed-identity ... --assign-platform-workload-identity ...
### Expected behavior
These flags should be supported in the latest ARO CLI extension if they are documented.
The CLI should either create the cluster with the managed identities assigned or return a clear error that these arguments are not implemented/supported yet.
### Environment Summary
- az CLI 2.77.0 (latest at time of testing)
- ARO extension version: Installed via az extension add -n aro (latest)
- Python modules installed: msrestazure present
### Additional context
The same command used to work (with preview warnings) in Azure CLI 2.67, although it failed at runtime with:
ERROR: Insufficient privileges to complete the operation.
This shows that the following preview arguments existed in 2.67 but are no longer recognized in 2.77:
--enable-managed-identity
--assign-cluster-identity
--assign-platform-workload-identity
It is unclear if support for managed identities on ARO was intentionally removed or accidentally dropped during recent CLI refactors.
The older implementation relied on msrestazure-based Track 1 SDKs, and newer Azure CLI releases are migrating to Track 2 SDKs.
This migration might have removed these arguments from the az aro command group.