Open mkemmerz opened 3 months ago
this driver would use workload identity to get access keys, if you don't want to use access keys, you could follow this example: Mount an azure blob storage with a dedicated user-assigned managed identity, while this example dose not use workload identity
this driver would use workload identity to get access keys, if you don't want to use access keys, you could follow this example: Mount an azure blob storage with a dedicated user-assigned managed identity, while this example dose not use workload identity
Not sure I understood, it should solve the mentioned issue? we have similar setup just like the example in your repository but we still see the MI is used for getting the Storage Key as mentioned by @mkemmerz
Could you please clarify? there is support to mount blob storage using fuse without storage key?
if you use the example(https://github.com/qxsch/Azure-Aks/tree/master/aks-blobfuse-mi), it would always mount with managed identity auth instead of account key, the key part is AzureStorageAuthType: MSI
volumeAttributes:
protocol: fuse
resourceGroup: aks-fuseblob-mi
storageAccount: myaksblob
containerName: mycontainer
AzureStorageAuthType: MSI
AzureStorageIdentityObjectID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
@andyzhangx Thank you we followed the guide and successfully mount blobs. Thanks razo
Hello, I have some questions to the Workload Identity feature.
Currently trying out the blob-csi-driver 1.24.1 release together with an AKS 1.29.2. I am not using the microsoft managed blob-csi-driver.
I only got the Workload Identity for blobs running if my Azure Storage Account has access keys enabled. The blob-node pod would print out the following message:
clientID(xxx) is specified, use service account token to get account key
This is in the blob.go
Azure also shows the access in the Activity log:
The Service Account Token should be used to directly access the Storage Account resources I think. The Workload Identity should allow to disable the access keys and only use RBAC for the Azure Storage Account. Maybe I missed something here or my setup is not correct or is this intended behaviour?