![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 32%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,640 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 4%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello Vikram Khorana,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Problem
I understand that you are in need to manage access to Azure Blob Storage for multiple tenants running in separate pods on an Azure Kubernetes Service (AKS) cluster. You made us to unnderstand that each tenant's data is stored in a separate blob container and due to the limit on the number of managed identities (20), you would like to find a way to restrict each pod's access to only its designated blob container without creating a separate managed identity for each tenant.
Solution
To solve the problem of restricting each pod to access only its designated blob container while avoiding the limit on the number of managed identities, you would need to follow the below steps:
- Assign appropriate roles to the managed identity to restrict access to specific containers by using a Single Managed Identity with RBAC. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- Store SAS tokens or connection strings in Azure Key Vault and restrict access to these secrets by using Azure Key Vault to Manage Secrets. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
- Create and store SAS tokens in Key Vault for each tenant's container. https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal
- Set up the pods to use the managed identity to retrieve SAS tokens from Key Vault and access the blob storage. https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview AND https://docs.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-generate-sas
References
To read more detail step by steps and knowledge purpose kindly use the below resources:
Managed identities for Azure resources.
Role-based access control (RBAC) in Azure.
Documentation on assigning roles using Azure CLI.
Creating and managing Azure Key Vault.
Tutorial on storing and retrieving secrets in Azure Key Vault.
Overview of Shared Access Signatures (SAS) in Azure Storage.
Documentation on generating SAS tokens using Azure CLI.
Introduction to Azure Kubernetes Service.
Guide on using Kubernetes secrets.
Example of using environment variables in Kubernetes pods.
Accept Answer
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam