Managed identity-enabled ACI can't access Storage Account

Pitawat 331 Reputation points
2021-08-10T10:32:27.167+00:00

I have an ACI which acts as an SFTP server that mounts Azure File Share as its storage. The ACI can be accessed publicly with username/password authentication just like normal SFTP servers. I don't want to open my Storage Account to be accessible from all networks.

I then assigned a system-assigned managed identity called "Storage File Data SMB Share Contributor" to the ACI and the Storage Account. I thought it would be able to access the Storage Account regardless of whether the networking is set to "Selected networks" with "Allow trusted Azure services...". It seems that the ACI can't access the storage account after setting "Selected networks".

I have the following questions:

  1. How can I restrict access to Storage Account while keeping the ACI publicly accessible? (ACI should have public FQDN)
  2. If I set the Storage Account to open to all networks, why do I still need to specify --azure-file-volume-account-key parameter when running az container create command? Is it possible to purely use managed identity to mount the Storage Account without using any key?

Here's the command I use to create/update the ACI:

az container create --subscription mysub -g myrg --cpu 1 --memory 1 \
  --dns-name-label mysftpserver --image "myregistry/sftpserver:latest" \
  --location southeastasia -n mysftpserver --ports 22 --protocol TCP --ip-address Public \
  --azure-file-volume-share-name myfileshare --azure-file-volume-account-name mysftpstorage \
  --azure-file-volume-mount-path "/home/sftp/upload" --azure-file-volume-account-key "mystorageaccountkey" \
  --restart-policy OnFailure --verbose

Let me know if I need to provide more information. Thanks.


1 answer

  1. deherman-MSFT 33,701 Reputation points Microsoft Employee
    2021-08-11T18:29:31.797+00:00

    @Pitawat
    In order to access Azure Files through the private network you would need to deploy your container instances into a VNET. However, you cannot currently use managed identities in a container group that is deployed to a virtual network. This means if you wish to have your network private you will need to use the storage account key to access Azure Files. For more limitations you can see the documentation here.

    For product feedback and feature requests I will refer you to our feedback forum. This allows the community to add their voice and upvote popular ideas. The forums are monitored and responded to by our product teams.
    https://feedback.azure.com/forums/602224-azure-container-instances

    Hope this helps. Let me know if you have further questions or issues and I will be happy to assist.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
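The deployment the answer describes (container group in a VNet subnet, storage account locked to that subnet, file share mounted with the account key), written out as an added example script; it is not from the question, the answer or Microsoft. Resource names, address prefixes and the script name are constructed placeholders, and `DRY_RUN=1` is an assumed switch that prints the az commands instead of running them. Two points a practitioner would want: the key is read with `az storage account keys list` at run time rather than pasted into the command line, so it never lands in a script, ticket or shell history; and a VNet-deployed container group only gets a private IP, so the `--dns-name-label` and `--ip-address Public` flags from the original command are dropped, which is exactly the trade-off the answer points at.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Deploys an SFTP container group into a VNet subnet and restricts the
# storage account to that subnet. All names below are constructed placeholders.
set -e

SUB="mysub"; RG="myrg"; LOCATION="southeastasia"
VNET="sftp-vnet"; SUBNET="aci-subnet"
STORAGE="mysftpstorage"; SHARE="myfileshare"
ACI="mysftpserver"; IMAGE="myregistry/sftpserver:latest"

# Assumed switch: with DRY_RUN=1 the az commands are printed, not executed,
# so the plan can be reviewed without an Azure subscription.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Fetch the key from the control plane at run time; it exists only in this
# shell's memory, never in a pasted command or the shell history.
fetch_storage_key() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' '<key fetched via az storage account keys list>'
  else
    az storage account keys list --subscription "$SUB" -g "$RG" \
      --account-name "$STORAGE" --query '[0].value' -o tsv
  fi
}

prepare_network() {
  # Subnet delegated to ACI, with a Storage service endpoint so the share
  # is reached over the VNet path and the public endpoint can be closed.
  run az network vnet create --subscription "$SUB" -g "$RG" -n "$VNET" \
    --location "$LOCATION" --address-prefix 10.10.0.0/16
  run az network vnet subnet create --subscription "$SUB" -g "$RG" \
    --vnet-name "$VNET" -n "$SUBNET" --address-prefixes 10.10.1.0/24 \
    --delegations Microsoft.ContainerInstance/containerGroups \
    --service-endpoints Microsoft.Storage
  # Allow only that subnet, then deny everything else by default.
  run az storage account network-rule add --subscription "$SUB" -g "$RG" \
    --account-name "$STORAGE" --vnet-name "$VNET" --subnet "$SUBNET"
  run az storage account update --subscription "$SUB" -g "$RG" -n "$STORAGE" \
    --default-action Deny --bypass AzureServices
}

deploy_container() {
  KEY=$(fetch_storage_key)
  # A VNet-deployed container group has a private IP only, so the
  # --dns-name-label / --ip-address Public flags are not used here.
  run az container create --subscription "$SUB" -g "$RG" -n "$ACI" \
    --location "$LOCATION" --image "$IMAGE" --cpu 1 --memory 1 \
    --ports 22 --protocol TCP \
    --vnet "$VNET" --subnet "$SUBNET" --ip-address Private \
    --azure-file-volume-share-name "$SHARE" \
    --azure-file-volume-account-name "$STORAGE" \
    --azure-file-volume-account-key "$KEY" \
    --azure-file-volume-mount-path /home/sftp/upload \
    --restart-policy OnFailure
}

main() {
  prepare_network
  deploy_container
}

# Usage: sh deploy-sftp-aci.sh deploy        (or DRY_RUN=1 to print the plan)
case "${1:-}" in
  deploy) main ;;
esac
```

Because the SFTP endpoint now sits on a private IP, reaching it from the internet needs a separate front (a load balancer or gateway in the same VNet), which the answer leaves as the feature request it links to.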