Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,814 questions
When will the Azure Storage FUSE driver (Blobfuse2) support MS Entra Workload Id for mounting to AKS?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 48%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Andrej
6
Reputation points
This GitHub issue details the issue many customers are experiencing attempting to mount Azure Blob Storage to AKS Pods, using Managed Identity (MS Entra Workload Id) and the Azure Storage FUSE driver (Blobfuse2): https://github.com/Azure/AKS/issues/3432#issuecomment-2377117830
Existing documentation is confusing for customers and does not mention the current issues as limitations nor when they will be resolved. For example mounting is NOT supported using Managed Identity, instead the underlying implementation requires elevated Azure Blob Storage privileges (Contributor Role), which many highly regulated customers see as increasing the security risk posture.
{count} votes
-
Sumarigo-MSFT 45,801 Reputation points Microsoft Employee2024-09-28T04:59:21.2766667+00:00 @Andrej Thanks for raising this good question. I’m checking on this internally with the product & Content team and will get back to you with something concrete.
Additional information:
- Managed Identity in AKS:
- Managed identities for Azure resources are the recommended way to authorize access from an AKS cluster to other Azure services. However, there are limitations and specific configurations required to make it work seamlessly
- The Azure Kubernetes Service (AKS) clusters require a Microsoft Entra identity to access Azure resources like load balancers and managed disks Use a managed identity in Azure Kubernetes Service (AKS)
- Field Tips for AKS Storage Provisioning:
- There are steps to use Managed Identity for accessing Azure Blob Storage using BlobFuse on AKS, but these steps are not straightforward and require careful implementation Field tips for AKS storage provisioning | Argon Systems
- Persistent Volume with Azure Blob Storage:
- Creating a persistent volume with Azure Blob Storage for use with multiple concurrent pods in AKS involves enabling the Blob storage CSI driver on your AKS cluster Create a persistent volume with Azure Blob storage in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn
- Managed Identity in AKS:
Sign in to comment
Sign in to answer