How to access fileshare from POD using workload identity

Sriramulu, Latha 0

Trying to access azurefile share storage from POD using workload identity

Enabled workload identity, created managed identity and service account, assigned 'storage account contribiutor' role for the managed identiy by following the tutorial for accessing key vault secret. Any referral documents for file share?

I try by mounting the file share using PV and PVC and the below POD configuration

I dont know if any other ways to achieve the same.

I see this discussion forum https://github.com/Azure/AKS/issues/3432#issuecomment-1805051548

kind: Pod
apiVersion: v1
metadata:
  name: workload-identity-pod
  namespace: default
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: workload-service-account
  containers:
    - name: oidc
      image: ghcr.io/azure/azure-workload-identity/msal-go
      env:
      - name: KEYVAULT_URL
        value: https://kvdev.vault.azure.net/
      - name: SECRET_NAME
        value: myurl
      volumeMounts:
      - mountPath: /mnt/wi
        name: azure-workload
        readOnly: false
  nodeSelector:
    kubernetes.io/os: linux
  volumes: 
    - name: azure-workload
      persistentVolumeClaim: 
        claimName: wi-pvc

Sriramulu, Latha 0 Reputation points

2024-04-02T12:24:07.94+00:00

Hi Anand,

Thank you for your reply.

do you mean, we can't access Storage Account using Workload identity itself without secret key? Please correct me if I am wrong.

The benefit of going workload identity is to avoid secrets.

I already implemented access keyvalut secret that was working fine. And I see few merges mentioned here for the storage account requirement. https://github.com/Azure/AKS/issues/3432#issuecomment-1805051548
Sriramulu, Latha 0 Reputation points

2024-04-03T12:04:30.78+00:00

Hi Anand,

I don't understand your point "Another workaround mentioned that might help is to use Workload Identity with Azure Blob/File Storage as PVCs."

You say, we can use workload identity for Azure file storage? here. The same I am trying as well.

Sriramulu, Latha 0

Let me add in my PV and PVC configurations.

kind: PersistentVolume
metadata:
  name: wi-pv
  namespace: deafult
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: azurefile-csi
  csi:
    driver: file.csi.azure.com
    volumeHandle: pod-shared-storage
    volumeAttributes:
      resourceGroup: rgst-001
      shareName: stct001-preview
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
    - uid=0
    - gid=0
    - mfsymlinks
    - cache=strict
    - nosharesock
    - nobr1


kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: wi-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 500Mi
  volumeName: wi-pv
  storageClassName: azurefile-csi
yaml

Can I do this without CSI driver ?

1 answer

Anand Prakash Yadav 7,090 Reputation points Microsoft Vendor

2024-04-02T11:38:07.9266667+00:00

Hello Sriramulu, Latha,

Thank you for posting your query here!

Please note that the Azure File CSI driver currently uses a secret (the nodeStageSecretRef) to store the storage account key. This is used to mount the file share as a persistent volume. As of now, the CSI driver might not support using Managed Identities directly.
If you want to avoid storing the storage account key as a secret, can you try to use an init container in your Pod that uses the Managed Identity to retrieve the storage account key, and then dynamically create the secret required by the CSI driver. This way, the storage account key is not permanently stored in a Kubernetes secret.

Do let us know if you have any further queries. I’m happy to assist you further.
Please sign in to rate this answer.
Anand Prakash Yadav 7,090 Reputation points Microsoft Vendor

2024-04-03T11:24:26.1833333+00:00

Hello Sriramulu, Latha,

Yes, you are correct, while Workload Identity can be used to authenticate to many Azure services, the Azure File CSI driver might not support using Managed Identities directly for authentication. This is because the driver needs the storage account key to mount the file share.

However, based on the link you have shared, the alternative mentioned is to fetch storage account or SAS keys into a Secret on the Namespace where they want to register the PVC. Their interim solution is to store these keys in Azure Key Vault (AKV) and fetch them into the cluster using external-secrets. But that still requires that the credentials to be exposed on the cluster itself.

Another workaround mentioned that might help is to use Workload Identity with Azure Blob/File Storage as PVCs.

Wherein, you create an Azure Storage Account and a Workload Identity (WLI), ensuring the WLI has adequate permissions to access the storage account. Next, you define Kubernetes Storage Classes or Persistent Volumes (PVs) without explicitly specifying secret keys, alongside creating a Kubernetes Service Account. Then, establish a federated identity between the Service Account and WLI. Finally, deploy pods referencing the Service Account and mount storage volumes. Authorized pods can access the volumes, while unauthorized pods are prevented from starting up due to enforced access controls.

Do let us know if you have any further queries. I’m happy to assist you further.

Sriramulu, Latha 0 Reputation points

2024-04-12T10:23:12.7533333+00:00

Can you pls eloborate more. Please refer my configurations. I am trying the same but its not working.

"Wherein, you create an Azure Storage Account and a Workload Identity (WLI), ensuring the WLI has adequate permissions to access the storage account. Next, you define Kubernetes Storage Classes or Persistent Volumes (PVs) without explicitly specifying secret keys, alongside creating a Kubernetes Service Account. Then, establish a federated identity between the Service Account and WLI. Finally, deploy pods referencing the Service Account and mount storage volumes. Authorized pods can access the volumes, while unauthorized pods are prevented from starting up due to enforced access controls."

Anand Prakash Yadav 7,090 Reputation points Microsoft Vendor

2024-05-02T09:35:28.8233333+00:00

Hello Sriramulu, Latha,

In order to investigate this issue further, we would require some details from your end. I have requested the same in the 'Private Message' section. Kindly check it and get back to us.

Thank you.
Sign in to comment

Share via

How to access fileshare from POD using workload identity

1 answer