CycleCloud unable to access storage locker after disabling "Allow storage account key access"

Devin Payne 0 Reputation points Microsoft Employee

We have several CycleCloud/Slurm clusters running in Azure using Managed Identity. A recent security initiative has required us to disable the "Allow storage account key access" storage account configuration. After doing so, CycleCloud is unable to read from the storage locker/container. We receive a Http Status 403 in the cycle_server.log. I suspect cycle server requires us to have this configuration enabled.

Is it possible to use CycleCloud with a storage account that has "Allow storage account key access" disabled?

CycleCloud Version: 8.6.1-3248

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,813 questions
Azure CycleCloud
Azure CycleCloud
A Microsoft tool for creating, managing, operating, and optimizing high-performance computing (HPC) and big compute clusters in Azure.
62 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Amrinder Singh 3,795 Reputation points Microsoft Employee

    Hi Devin Payne - Thanks for reaching out.

    Disable the account keys access would disable the auth coming via Shared Keys , Account or Service SAS and the calls shall return a 403 during authorization.

    However you mentioned that you are using MI so there appears to be some configuration which might be using access keys and hence resulting into failure.

    You can start by enabling the diagnostic logging to check the auth method being passed. if you observe auth method other that OAUTH (i.e. AD) such as Shared Key or SAS this shall help in isolation.

    Hope that helps!