How do I mount an Azure file share in Azure Container Instances using managed identities instead of a storage account key?

Reuben Cummings 50 Reputation points
2024-03-16T16:47:28.76+00:00

Following https://video2.skills-academy.com/en-us/azure/container-instances/container-instances-volume-azure-files I can mount the file share from a container using the storage account key. But is there a way to mount it without specifying the storage account key? I'd like to use RBAC/managed identities for all storage access so that I can disable shared_key_access. Is this possible?

Azure Files
An Azure service that offers file shares in the cloud.
Azure Container Instances
An Azure service that provides customers with a serverless container experience.

2 answers

  1. Anand Prakash Yadav 7,775 Reputation points Microsoft Vendor
    2024-03-19T12:03:00.04+00:00

    Hello Reuben Cummings,

    Thank you for posting your query here!

    I understand that you want to use Managed Identity to mount Azure File Shares.

    Managed Identity cannot be used for mounting Azure File Shares. The only options available are a Shared Access Signature, the Storage Account Name/Key, or a Storage Account connection string to connect to your File Service. If you wish, you can leave your feedback in our Feedback channel. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure, and I will be reporting this feature to our team as well.

    Please refer to these previous threads with a similar ask:
    https://stackoverflow.com/questions/69619084/is-it-possible-to-connect-azure-file-share-storage-account-from-c-sharp-consol
    https://video2.skills-academy.com/en-us/answers/questions/595264/is-it-possible-to-connect-azure-file-share-storage.html
    https://video2.skills-academy.com/en-us/answers/questions/193121/can-we-use-managed-identity-to-connect-to-azure-fi.html

    However, you might try using them to store and access the key in Azure Key Vault and map the share to a drive using PowerShell or C# code. Alternatively, you might want to try the File service REST API which authenticates using the share key too.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.

  2. Dan Rios 1,735 Reputation points MVP
    2024-03-16T17:50:24.66+00:00

    Try using the Azure CLI - it does have an example for RBAC storage access:

    https://video2.skills-academy.com/en-us/cli/azure/container?view=azure-cli-latest#az-container-create-examples

    az container create -g MyResourceGroup --name myapp --image myimage:latest --assign-identity --scope /subscriptions/99999999-1bf0-4dda-aec3-cb9272f09590/resourceGroups/myRG/providers/Microsoft.Storage/storageAccounts/storage1

    Replace the GUID for the role you want to test e.g. storage blob contributor:

    https://video2.skills-academy.com/en-us/azure/role-based-access-control/built-in-roles#storage

    You can use the --assign-identity to create a system or user managed identity as well.

    See how you get on - let me know if you need any further help.

    If this answers your question please mark as accepted.
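
The Key Vault suggestion in the first answer, as an added shell example that is not part of the thread: the deploying identity reads the storage account key from Key Vault at deploy time and passes it to `az container create` with the Azure Files volume flags from the linked documentation. The vault name, secret name, share name and mount path are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Resource names are placeholders; the
# Key Vault name, secret name, share name and mount path are assumptions.
set -eu

RG="${RG:-MyResourceGroup}"
VAULT="${VAULT:-my-keyvault}"        # assumed Key Vault holding the key
SECRET="${SECRET:-storage1-key}"     # assumed secret name
ACCOUNT="${ACCOUNT:-storage1}"
SHARE="${SHARE:-myshare}"            # assumed file share name
MOUNT="${MOUNT:-/mnt/share}"         # assumed mount path in the container

# Read the storage key using the caller's own Azure login, for example a
# pipeline agent that ran `az login --identity`. That identity needs read
# access to the secret; the key never lives in the script or repository.
fetch_share_key() {
  az keyvault secret show --vault-name "$VAULT" --name "$SECRET" \
    --query value --output tsv
}

# Create the container group with the share mounted. The mount itself still
# authenticates with the account key, as the first answer explains.
deploy_with_share() {
  key="$(fetch_share_key)" || { echo "could not read $SECRET from $VAULT" >&2; return 1; }
  if [ -z "$key" ]; then
    echo "secret $SECRET in $VAULT is empty; refusing to deploy" >&2
    return 1
  fi
  az container create \
    --resource-group "$RG" --name myapp --image myimage:latest \
    --azure-file-volume-account-name "$ACCOUNT" \
    --azure-file-volume-account-key "$key" \
    --azure-file-volume-share-name "$SHARE" \
    --azure-file-volume-mount-path "$MOUNT"
}

# Only deploy when asked to, so the file can be sourced and inspected safely.
if [ "${1:-}" = "deploy" ]; then
  deploy_with_share
fi
```

Saved under a name of your choice, it deploys when called with the `deploy` argument. The key is in the `az` process's argument list while the command runs, so run it on a host where other users cannot list processes.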