heat create-stack Forbidden: {"NeutronError": {"message": "Policy doesn't allow create_port to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}
When a tenant has multiple subnets available, it's required to select at least one to provision the machine. I tried using the sample template below to test this, and the stack fails to create with a policy error.
heat_template_version: 2013-05-23
description: HOT template to deploy two servers to an existing Neutron network.
parameters:
  key_name:
    type: string
    description: Name of keypair to assign to servers
  image:
    type: string
    description: Name of image to use for servers
  flavor:
    type: string
    description: Flavor to use for servers
  net_id:
    type: string
    description: ID of Neutron network into which servers get deployed
  subnet_id:
    type: string
    description: ID of Neutron sub network into which servers get deployed
resources:
  server1:
    type: OS::Nova::Server
    properties:
      name: Server1
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: server1_port }
  server1_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: net_id }
      fixed_ips:
        - subnet_id: { get_param: subnet_id }
  server2:
    type: OS::Nova::Server
    properties:
      name: Server2
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      networks:
        - port: { get_resource: server2_port }
  server2_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: net_id }
      fixed_ips:
        - subnet_id: { get_param: subnet_id }
outputs:
  server1_provider_ip:
    description: IP address of server1 in provider network
    value: { get_attr: [ server1, first_address ] }
  server2_provider_ip:
    description: IP address of server2 in provider network
    value: { get_attr: [ server2, first_address ] }
The event output is:
status: create failed
reason: Forbidden: {"NeutronError": {"message": "Policy doesn't allow create_port to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}
Even with a single subnet, passing the subnet ID causes the same issue. It seems you can only do this if the subnet belongs to the tenant.
Has anyone been able to overcome this issue? Is this a bug?
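As an added illustration (not part of the original post), the following Python reimplements just enough of Neutron's policy evaluation to show where the Forbidden in the question comes from: in the classic default policy.json, `create_port` itself is open to any tenant, but the per-attribute rule `create_port:fixed_ips` is gated by `admin_or_network_owner`, so a port request that names a subnet on a network owned by another tenant is refused while the same request without `fixed_ips` succeeds. The POLICY table and the tenant/network values are constructed samples assumed to match those defaults, not values taken from the poster's deployment.

```python
import re

# Constructed sample mirroring Neutron's classic default policy.json entries
# for port creation (assumed to match the deployment in the question).
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "default": "rule:admin_or_owner",
    "create_port": "",
    "create_port:fixed_ips": "rule:admin_or_network_owner",
    "create_port:mac_address": "rule:admin_or_network_owner",
}


def _clause(clause, creds, target):
    """Evaluate one 'kind:value' clause the way oslo.policy's generic checks do."""
    kind, _, value = clause.partition(":")
    if kind == "rule":
        return check(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    # Generic check: compare a credential field with a target field,
    # e.g. tenant_id:%(network:tenant_id)s; a missing target field denies.
    m = re.fullmatch(r"%\((.+)\)s", value)
    expected = target.get(m.group(1)) if m else value
    return expected is not None and creds.get(kind) == expected


def check(rule_name, creds, target):
    """True if the named rule allows the request. An empty rule always allows.
    Only single clauses and 'or' chains are handled, which covers POLICY above."""
    expr = POLICY.get(rule_name, POLICY["default"])
    if expr == "":
        return True
    return any(_clause(c.strip(), creds, target) for c in expr.split(" or "))


def may_create_port(creds, port_body, network):
    """Mirror Neutron's create_port enforcement: the base rule, then one
    'create_port:<attribute>' rule for every attribute present in the request."""
    target = dict(port_body)
    target["network:tenant_id"] = network["tenant_id"]  # owner of the target network
    if not check("create_port", creds, target):
        return False
    return all(check("create_port:%s" % a, creds, target)
               for a in port_body if "create_port:%s" % a in POLICY)


# Constructed sample: a shared network owned by one tenant, used by another.
SHARED_NET = {"id": "net-shared", "tenant_id": "service-tenant", "shared": True}
TENANT_USER = {"tenant_id": "tenant-a", "roles": ["_member_"]}
WITH_SUBNET = {"network_id": "net-shared", "fixed_ips": [{"subnet_id": "sub-1"}]}
```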