kubernetes-sigs / blob-csi-driver

Azure Blob Storage CSI driver
Apache License 2.0

Dynamically provisioned storage account with shared key access disabled #1462

Closed specialforest closed 2 months ago

specialforest commented 3 months ago

Is your feature request related to a problem?/Why is this needed
I'd like dynamically provisioned storage accounts to have shared key access disabled.

Describe the solution you'd like in detail
Introduce a new driver parameter that will control the storage account shared key access setting (AccountOptions.AllowSharedKeyAccess).

Describe alternatives you've considered
NA

Additional context
https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent

andyzhangx commented 3 months ago

@specialforest that means you can only use NFS mount; disabling shared key access would disable blobfuse mount. Is that what you want?

specialforest commented 3 months ago

I'm using blobfuse. As I understand it, blobfuse translates to the Storage REST API, and MSI/SPN auth are already supported, so it seems technically possible. Could you please explain the "disabling shared key access would disable blobfuse mount" part in more detail? I'm not really familiar with the blobfuse/CSI driver implementation details.

andyzhangx commented 3 months ago

@specialforest yes, you could use MSI auth; follow this guide: https://github.com/qxsch/Azure-Aks/tree/master/aks-blobfuse-mi. You need to create a storage account first, though, and you could disable shared key access in the storage account settings manually.

specialforest commented 3 months ago

Thanks, I saw that guide for an existing storage account. I'm interested in having shared key access disabled for storage accounts dynamically provisioned by the Blob CSI driver.
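
Until accounts can be created with the setting already applied, a periodic check can show which storage accounts still accept Shared Key requests. The following is an added example, not part of the thread or the driver's code: it audits records shaped like `az storage account list -o json` output and treats an unset `allowSharedKeyAccess` as enabled, since Azure permits Shared Key when the property is null. The account names, resource groups and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output,
# trimmed to the fields used here. Names and resource groups are made up.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "fuseacct001", "resourceGroup": "mc_demo", "allowSharedKeyAccess": null},
  {"name": "fuseacct002", "resourceGroup": "mc_demo", "allowSharedKeyAccess": true},
  {"name": "fuseacct003", "resourceGroup": "mc_demo", "allowSharedKeyAccess": false},
  {"name": "otheracct01", "resourceGroup": "rg-apps"}
]
""")


def shared_key_state(account):
    """Classify one account record.

    The property is tri-state: it is null (or absent) until someone sets it,
    and an unset value means Shared Key requests are still permitted. Only an
    explicit false means Shared Key authorization is rejected.
    """
    value = account.get("allowSharedKeyAccess")
    if value is False:
        return "disabled"
    if value is True:
        return "enabled"
    return "enabled (unset, default)"


def audit(accounts, resource_group=None):
    """Return (name, state) for every account that still accepts Shared Key.

    resource_group optionally narrows the check, for example to the group
    where the CSI driver creates accounts (compared case-insensitively).
    """
    findings = []
    for acct in accounts:
        group = acct.get("resourceGroup", "")
        if resource_group and group.lower() != resource_group.lower():
            continue
        state = shared_key_state(acct)
        if state != "disabled":
            findings.append((acct["name"], state))
    return findings


if __name__ == "__main__":
    for name, state in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: shared key access {state}")
```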