CycleCloud 8.7.3+ Installation Script Incompatibility with Managed Identity Storage Authentication #454

@vijay-acog

## Issue Summary
The `cyclecloud_install_noport.py` installation script fails when deploying Azure CycleCloud 8.7.3
(and likely 8.8.x) with managed identity authentication for storage locker access. The script
appears to be designed for older CycleCloud versions and does not properly configure the storage
authentication mode required by CycleCloud 8.7.3+.

## Environment
- **CycleCloud Version**: 8.7.3 (8.7.320250909)
- **Deployment Method**: Azure Bicep/ARM templates
- **Authentication**: VM Managed Identity
- **Installation Script**: `cyclecloud_install_noport.py` (hosted on Azure Blob Storage)
- **Azure Region**: Central India
- **Date Encountered**: January 6, 2026

## Error Details

### Error Message
```
**** Error: Invalid locker authentication mode. Valid authentication modes are: ManagedIdentity,
SharedAccessKey
```

### Full Error Context
```
Error with cmd: ['/usr/local/bin/cyclecloud', 'account', 'create', '-f',
'/tmp/tmpq9vo5kew/azure_data.json']
Output: b''
Deployment failed...

subprocess.CalledProcessError: Command '['/usr/local/bin/cyclecloud', 'account', 'create', '-f',
'/tmp/tmpq9vo5kew/azure_data.json']' returned non-zero exit status 1.
```

## Steps to Reproduce

1. Deploy Azure CycleCloud using Bicep template with the following configuration:
   - CycleCloud version: `8.7.320250909`
   - VM with system-assigned managed identity
   - Managed identity has:
     - Contributor role at subscription level
     - Storage Blob Data Contributor role on the storage account
   - Use `--useManagedIdentity` flag in installation command

2. Run the installation script with command:
```bash
python3 cyclecloud_install_noport.py --acceptTerms --azureSovereignCloud public \
  --username admin --password <password> --publickey "<ssh-key>" \
  --hostname <fqdn> --storageAccount <storage-account> --resourceGroup <rg-name> \
  --useLetsEncrypt --webServerPort 80 --webServerSslPort 443 \
  --webServerMaxHeapSize 4096M --useManagedIdentity \
  --psqlUser <user> --psqlPassword <password> --psqlServer <server> \
  --dbName <db> --subnetID <subnet> --subscriptionID <sub-id> --region centralindia
```

3. The installation script creates an Azure account configuration JSON but fails to specify the
proper storage locker authentication mode for CycleCloud 8.7.3+

## Expected Behavior
The installation script should:
1. Detect CycleCloud 8.7.3+ and configure storage locker authentication mode as "ManagedIdentity"
when `--useManagedIdentity` flag is provided
2. Create a valid account configuration that CycleCloud 8.7.3+ accepts
3. Successfully register the Azure account with the storage locker configured for managed identity
authentication

## Actual Behavior
The script creates an account configuration that CycleCloud 8.7.3 rejects with:
```
Invalid locker authentication mode. Valid authentication modes are: ManagedIdentity, SharedAccessKey
```

## Workaround
**CycleCloud 8.6.3 works correctly** with the same installation script and configuration. The issue
appears to be specific to CycleCloud 8.7.3+ which has stricter requirements for storage locker
authentication configuration.

## Root Cause Analysis
The `cyclecloud_install_noport.py` script likely:
1. Does not specify the `AuthMode` or `LockerAuthMode` field in the Azure account JSON
2. Uses a default authentication mode that is incompatible with CycleCloud 8.7.3+
3. May not be updated to support the new storage authentication requirements introduced in
CycleCloud 8.7.x

## Suggested Fix
Update the `cyclecloud_install_noport.py` script to:
1. Include proper storage locker authentication mode configuration for CycleCloud 8.7.3+
2. When `--useManagedIdentity` is specified, explicitly set the locker authentication mode to
"ManagedIdentity"
3. Version the script to support different CycleCloud versions (8.6.x, 8.7.x, 8.8.x)
4. Publish the script in a public GitHub repository for transparency and community contributions

## Impact
- Users cannot deploy CycleCloud 8.7.3 or newer versions using managed identity authentication
- Forces users to either:
  - Remain on older CycleCloud 8.6.3 version
  - Use service principal authentication (less secure than managed identity)
  - Manually configure storage authentication after deployment

## Related Information
- CycleCloud 8.7.3 release date: September 9, 2025
- CycleCloud 8.8.1 is the latest version as of January 2026
- Storage locker authentication modes in CycleCloud 8.7.3+: ManagedIdentity, SharedAccessKey

## Request
Please update the installation script to support CycleCloud 8.7.3+ with managed identity storage
authentication. This will allow users to leverage the latest CycleCloud features and security
improvements.

## Additional Context
The installation script URL currently used in deployment templates:
```
https://protenggsetup2.blob.core.windows.net/setup/cyclecloud_install_noport.py
```

This appears to be a private blob storage location. Consider:
1. Publishing the script in the official Azure CycleCloud GitHub repository
2. Providing version-specific scripts or version detection logic
3. Documenting storage authentication requirements for each CycleCloud version
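
A pre-flight check of the kind the issue asks for, as an added example that is not part of the original issue or of the CycleCloud install script: it inspects the generated account JSON before `cyclecloud account create` runs, and flags a missing, invalid, or silently downgraded locker authentication mode. The key names `LockerAuthMode` and `AuthMode` are the issue's own guesses rather than confirmed schema, and the function names and sample documents are hypothetical.

```python
import json

# Valid modes, copied from the error message quoted in the issue.
VALID_LOCKER_AUTH_MODES = ("ManagedIdentity", "SharedAccessKey")
# Assumption: the issue only guesses at these key names; neither is confirmed schema.
CANDIDATE_KEYS = ("LockerAuthMode", "AuthMode")


def check_locker_auth(account, use_managed_identity):
    """Return a list of problems with the locker auth mode; empty list means OK."""
    present = [k for k in CANDIDATE_KEYS if k in account]
    if not present:
        return ["no locker authentication mode set (looked for: %s)"
                % ", ".join(CANDIDATE_KEYS)]
    problems = []
    for key in present:
        value = account[key]
        if value not in VALID_LOCKER_AUTH_MODES:
            # Exact, case-sensitive match: a strict assumption for this sketch.
            problems.append("%s=%r is not one of %s"
                            % (key, value, ", ".join(VALID_LOCKER_AUTH_MODES)))
        elif use_managed_identity and value != "ManagedIdentity":
            # Catch a silent fallback to shared keys when MI was requested.
            problems.append("%s=%r but --useManagedIdentity was requested"
                            % (key, value))
    return problems


def check_account_file(path, use_managed_identity):
    """Load the generated account JSON and run the check before registration."""
    with open(path, encoding="utf-8") as fh:
        return check_locker_auth(json.load(fh), use_managed_identity)


if __name__ == "__main__":
    # Constructed sample documents, not real CycleCloud account files.
    samples = {
        "mode omitted": {"Name": "azure"},
        "managed identity": {"Name": "azure", "LockerAuthMode": "ManagedIdentity"},
        "shared key fallback": {"Name": "azure", "LockerAuthMode": "SharedAccessKey"},
    }
    for label, account in samples.items():
        print(label, "->", check_locker_auth(account, True) or "OK")
```

Failing on a non-empty result before registration gives a clearer error than the `CalledProcessError` shown above, and keeps a shared-key configuration from being accepted when managed identity was requested.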
