search

kubernetes-sigs / blob-csi-driver

Azure Blob Storage CSI driver
Apache License 2.0
118 stars 77 forks source link

Workload Identity requires Access Keys on Azure Storage Account to be enabled #1351

Open mkemmerz opened 3 months ago

mkemmerz commented 3 months ago

Hello, I have some questions to the Workload Identity feature.

Currently trying out the blob-csi-driver 1.24.1 release together with an AKS 1.29.2. I am not using the microsoft managed blob-csi-driver.

I only got the Workload Identity for blobs running if my Azure Storage Account has access keys enabled. The blob-node pod would print out the following message: clientID(xxx) is specified, use service account token to get account key

This is in the blob.go

// if client id is specified, we only use service account token to get account key
if clientID != "" {
    klog.V(2).Infof("clientID(%s) is specified, use service account token to get account key", clientID)
    if subsID == "" {
        subsID = d.cloud.SubscriptionID
    }
    accountKey, err := d.cloud.GetStorageAccesskeyFromServiceAccountToken(ctx, subsID, accountName, rgName, clientID, tenantID, serviceAccountToken)
    authEnv = append(authEnv, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
    return rgName, accountName, accountKey, containerName, authEnv, err
}

Azure also shows the access in the Activity log:

image

The Service Account Token should be used to directly access the Storage Account resources I think. The Workload Identity should allow to disable the access keys and only use RBAC for the Azure Storage Account. Maybe I missed something here or my setup is not correct or is this intended behaviour?

andyzhangx commented 3 months ago

this driver would use workload identity to get access keys, if you don't want to use access keys, you could follow this example: Mount an azure blob storage with a dedicated user-assigned managed identity, while this example dose not use workload identity

itzikbekelmicrosoft commented 1 month ago

this driver would use workload identity to get access keys, if you don't want to use access keys, you could follow this example: Mount an azure blob storage with a dedicated user-assigned managed identity, while this example dose not use workload identity

Not sure I understood, it should solve the mentioned issue? we have similar setup just like the example in your repository but we still see the MI is used for getting the Storage Key as mentioned by @mkemmerz

Could you please clarify? there is support to mount blob storage using fuse without storage key?

andyzhangx commented 1 month ago

if you use the example(https://github.com/qxsch/Azure-Aks/tree/master/aks-blobfuse-mi), it would always mount with managed identity auth instead of account key, the key part is AzureStorageAuthType: MSI

    volumeAttributes:
      protocol: fuse
      resourceGroup: aks-fuseblob-mi
      storageAccount: myaksblob
      containerName: mycontainer
      AzureStorageAuthType: MSI
      AzureStorageIdentityObjectID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
rohayon commented 4 weeks ago

@andyzhangx Thank you we followed the guide and successfully mount blobs. Thanks razo