r4f4
diff --git a/‎go.mod‎
Lines changed: 1 addition & 0 deletions b/‎go.mod‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 2 additions & 0 deletions b/‎go.sum‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/asset/machines/azure/azuremachines.go‎
Lines changed: 14 additions & 0 deletions b/‎pkg/asset/machines/azure/azuremachines.go‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎pkg/infrastructure/azure/azure.go‎
Lines changed: 116 additions & 33 deletions b/‎pkg/infrastructure/azure/azure.go‎
Lines changed: 116 additions & 33 deletions
@@ -9,6 +9,7 @@ require (
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0
 
@@ -1174,6 +1174,8 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6Z
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 h1:H+U3Gk9zY56G3u872L82bk4thcsy2Gghb9ExT4Zvm1o=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0/go.mod h1:mgrmMSgaLp9hmax62XQTd0N4aAqSE5E0DulSpVYK7vc=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2 h1:qiir/pptnHqp6hV8QwV+IExYIf6cPsXBfUDUXQ27t2Y=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2/go.mod h1:jVRrRDLCOuif95HDYC23ADTMlvahB7tMdl519m9Iyjc=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1 h1:UPeCRD+XY7QlaGQte2EVI2iOcWvUYA2XY8w5T/8v0NQ=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1/go.mod h1:oGV6NlB0cvi1ZbYRR2UN44QHxWFyGk+iylgD0qaMXjA=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0 h1:LkHbJbgF3YyvC53aqYGR+wWQDn2Rdp9AQdGndf9QvY4=
 
@@ -45,6 +45,8 @@ func GenerateMachines(platform *azure.Platform, pool *types.MachinePool, userDat
 		return nil, fmt.Errorf("failed to create machineapi.TagSpecifications from UserTags: %w", err)
 	}
 
+	userAssignedIdentityID := fmt.Sprintf("/subscriptions/%s/resourcegroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s-identity", subscriptionID, resourceGroup, clusterID)
+
 	var image *capz.Image
 	osImage := mpool.OSImage
 	galleryName := strings.ReplaceAll(clusterID, "-", "_")
@@ -141,6 +143,12 @@ func GenerateMachines(platform *azure.Platform, pool *types.MachinePool, userDat
 						AcceleratedNetworking: ptr.To(mpool.VMNetworkingType == azure.AcceleratedNetworkingEnabled),
 					},
 				},
+				Identity: capz.VMIdentityUserAssigned,
+				UserAssignedIdentities: []capz.UserAssignedIdentity{
+					{
+						ProviderID: userAssignedIdentityID,
+					},
+				},
 			},
 		}
 		azureMachine.SetGroupVersionKind(capz.GroupVersion.WithKind("AzureMachine"))
@@ -202,6 +210,12 @@ func GenerateMachines(platform *azure.Platform, pool *types.MachinePool, userDat
 			AllocatePublicIP:       false,
 			AdditionalCapabilities: additionalCapabilities,
 			SecurityProfile:        securityProfile,
+			Identity:               capz.VMIdentityUserAssigned,
+			UserAssignedIdentities: []capz.UserAssignedIdentity{
+				{
+					ProviderID: userAssignedIdentityID,
+				},
+			},
 		},
 	}
 	bootstrapAzureMachine.SetGroupVersionKind(capz.GroupVersion.WithKind("AzureMachine"))
 
@@ -11,12 +11,14 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage"
 	"github.com/coreos/stream-metadata-go/arch"
+	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 	"k8s.io/utils/ptr"
 	capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
@@ -30,6 +32,11 @@ import (
 	aztypes "github.com/openshift/installer/pkg/types/azure"
 )
 
+const (
+	retryTime  = 10 * time.Second
+	retryCount = 6
+)
+
 // Provider implements Azure CAPI installation.
 type Provider struct {
 	ResourceGroupName    string
@@ -92,7 +99,7 @@ func (p *Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionI
 		return fmt.Errorf("failed to get azure resource groups factory: %w", err)
 	}
 	resourceGroupsClient := resourcesClientFactory.NewResourceGroupsClient()
-	resourceGroup, err := resourceGroupsClient.CreateOrUpdate(
+	_, err = resourceGroupsClient.CreateOrUpdate(
 		ctx,
 		resourceGroupName,
 		armresources.ResourceGroup{
@@ -105,9 +112,117 @@ func (p *Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionI
 	if err != nil {
 		return fmt.Errorf("error creating resource group %s: %w", resourceGroupName, err)
 	}
+	resourceGroup, err := resourceGroupsClient.Get(ctx, resourceGroupName, nil)
+	if err != nil {
+		return fmt.Errorf("error getting resource group %s: %w", resourceGroupName, err)
+	}
+
 	logrus.Debugf("ResourceGroup.ID=%s", *resourceGroup.ID)
 	p.ResourceGroupName = resourceGroupName
 
+	// Create user assigned identity
+	userAssignedIdentityName := fmt.Sprintf("%s-identity", in.InfraID)
+	armmsiClientFactory, err := armmsi.NewClientFactory(
+		subscriptionID,
+		tokenCredential,
+		&arm.ClientOptions{
+			ClientOptions: policy.ClientOptions{
+				Cloud: cloudConfiguration,
+			},
+		},
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create armmsi client: %w", err)
+	}
+	_, err = armmsiClientFactory.NewUserAssignedIdentitiesClient().CreateOrUpdate(
+		ctx,
+		resourceGroupName,
+		userAssignedIdentityName,
+		armmsi.Identity{
+			Location: ptr.To(platform.Region),
+			Tags:     tags,
+		},
+		nil,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create user assigned identity %s: %w", userAssignedIdentityName, err)
+	}
+	userAssignedIdentity, err := armmsiClientFactory.NewUserAssignedIdentitiesClient().Get(
+		ctx,
+		resourceGroupName,
+		userAssignedIdentityName,
+		nil,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to get user assigned identity %s: %w", userAssignedIdentityName, err)
+	}
+	principalID := *userAssignedIdentity.Properties.PrincipalID
+
+	logrus.Debugf("UserAssignedIdentity.ID=%s", *userAssignedIdentity.ID)
+	logrus.Debugf("PrinciapalID=%s", principalID)
+
+	clientFactory, err := armauthorization.NewClientFactory(
+		subscriptionID,
+		tokenCredential,
+		&arm.ClientOptions{
+			ClientOptions: policy.ClientOptions{
+				Cloud: cloudConfiguration,
+			},
+		},
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create armauthorization client: %w", err)
+	}
+
+	roleDefinitionsClient := clientFactory.NewRoleDefinitionsClient()
+
+	var contributor *armauthorization.RoleDefinition
+	roleDefinitionsPager := roleDefinitionsClient.NewListPager(*resourceGroup.ID, nil)
+	for roleDefinitionsPager.More() {
+		roleDefinitionsList, err := roleDefinitionsPager.NextPage(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to find any role definitions: %w", err)
+		}
+		for _, roleDefinition := range roleDefinitionsList.Value {
+			if *roleDefinition.Properties.RoleName == "Contributor" {
+				contributor = roleDefinition
+				break
+			}
+		}
+	}
+	if contributor == nil {
+		return fmt.Errorf("failed to find contributor definition")
+	}
+
+	roleAssignmentsClient := clientFactory.NewRoleAssignmentsClient()
+	scope := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", subscriptionID, resourceGroupName)
+	roleAssignmentUUID := uuid.New().String()
+
+	// XXX: Azure doesn't like creating an identity and immediately
+	// creating a role assignment for the identity. There can be
+	// replication delays. So, retry every 10 seconds for a minute until
+	// the role assignment gets created.
+	//
+	// See https://aka.ms/docs-principaltype
+	for i := 0; i < retryCount; i++ {
+		_, err = roleAssignmentsClient.Create(ctx, scope, roleAssignmentUUID,
+			armauthorization.RoleAssignmentCreateParameters{
+				Properties: &armauthorization.RoleAssignmentProperties{
+					PrincipalID:      ptr.To(principalID),
+					RoleDefinitionID: contributor.ID,
+				},
+			},
+			nil,
+		)
+		if err == nil {
+			break
+		}
+		time.Sleep(retryTime)
+	}
+	if err != nil {
+		return fmt.Errorf("failed to create role assignment: %w", err)
+	}
+
 	return nil
 }
 
@@ -171,38 +286,6 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 	storageURL := fmt.Sprintf("https://%s.blob.core.windows.net", storageAccountName)
 	blobURL := fmt.Sprintf("%s/%s/%s", storageURL, containerName, blobName)
 
-	// Create user assigned identity
-	userAssignedIdentityName := fmt.Sprintf("%s-identity", in.InfraID)
-	armmsiClientFactory, err := armmsi.NewClientFactory(
-		subscriptionID,
-		tokenCredential,
-		&arm.ClientOptions{
-			ClientOptions: policy.ClientOptions{
-				Cloud: cloudConfiguration,
-			},
-		},
-	)
-	if err != nil {
-		return fmt.Errorf("failed to create armmsi client: %w", err)
-	}
-	userAssignedIdentity, err := armmsiClientFactory.NewUserAssignedIdentitiesClient().CreateOrUpdate(
-		ctx,
-		resourceGroupName,
-		userAssignedIdentityName,
-		armmsi.Identity{
-			Location: ptr.To(platform.Region),
-			Tags:     tags,
-		},
-		nil,
-	)
-	if err != nil {
-		return fmt.Errorf("failed to create user assigned identity %s: %w", userAssignedIdentityName, err)
-	}
-	principalID := *userAssignedIdentity.Properties.PrincipalID
-
-	logrus.Debugf("UserAssignedIdentity.ID=%s", *userAssignedIdentity.ID)
-	logrus.Debugf("PrinciapalID=%s", principalID)
-
 	// Create storage account
 	createStorageAccountOutput, err := CreateStorageAccount(ctx, &CreateStorageAccountInput{
 		SubscriptionID:     subscriptionID,