docs: backport troubleshooting update to 2.16

2025-04-20 23:36:29 -04:00 · 2024-06-27 13:24:07 +02:00 · 2024-06-27 13:24:07 +02:00 · 0572a720a4
commit 0572a720a4
parent 07632453a3
1 changed files with 18 additions and 0 deletions
--- a/docs/versioned_docs/version-2.16/workflows/troubleshooting.md
+++ b/docs/versioned_docs/version-2.16/workflows/troubleshooting.md
@ -40,6 +40,24 @@ Or alternatively, for `terminate`:
 ARM_SKIP_PROVIDER_REGISTRATION=true constellation terminate
 ```

+### Azure: Can't update attestation policy
+
+On Azure, you may receive the following error when running `apply` from within an Azure environment, e.g., an Azure VM:
+
+```shell-session
+An error occurred: patching policies: updating attestation policy: unexpected status code: 403 Forbidden
+```
+
+The problem occurs because the Azure SDK we use internally attempts to [authenticate towards the Azure API with the managed identity of your current environment instead of the Azure CLI token](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential).
+
+We decided not to deviate from this behavior and comply with the ordering of credentials.
+
+A solution is to add the [required permissions](../getting-started/install.md#required-permissions) to the managed identity of your environment, the managed identity of your Azure VM, for example, instead of the account that you've authenticated with the Azure CLI.
+
+If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior.
+
+
+
 ### Nodes fail to join with error `untrusted measurement value`

 This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice).