Control access to blob container from a pod running on AKS in a multi tenant deployment

Vikram Khorana 20 Reputation points
2024-06-22T12:36:45.6066667+00:00

We have a scenario where we are having a storage account that is accessed using user managed identity from pods on AKS. We have separate pods running for each tenant on AKS and have a separate blob container for storing a tenant's data. How can we restrict a pod for a tenant to access only the designated blob container and not access other tenant's blob container. Since there is a limit on the number of managed identities, which is 20. We dont want to create a separate managed identity for each tenant.

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,576 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,962 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sina Salam 6,581 Reputation points
    2024-06-22T17:06:20.25+00:00

    Hello Vikram Khorana,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    I understand that you are in need to manage access to Azure Blob Storage for multiple tenants running in separate pods on an Azure Kubernetes Service (AKS) cluster. You made us to unnderstand that each tenant's data is stored in a separate blob container and due to the limit on the number of managed identities (20), you would like to find a way to restrict each pod's access to only its designated blob container without creating a separate managed identity for each tenant.

    Solution

    To solve the problem of restricting each pod to access only its designated blob container while avoiding the limit on the number of managed identities, you would need to follow the below steps:

    1. Assign appropriate roles to the managed identity to restrict access to specific containers by using a Single Managed Identity with RBAC. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
    2. Store SAS tokens or connection strings in Azure Key Vault and restrict access to these secrets by using Azure Key Vault to Manage Secrets. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
    3. Create and store SAS tokens in Key Vault for each tenant's container. https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal
    4. Set up the pods to use the managed identity to retrieve SAS tokens from Key Vault and access the blob storage. https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview AND https://docs.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-generate-sas

    References

    To read more detail step by steps and knowledge purpose kindly use the below resources:

    Managed identities for Azure resources.

    Role-based access control (RBAC) in Azure.

    Documentation on assigning roles using Azure CLI.

    Creating and managing Azure Key Vault.

    Tutorial on storing and retrieving secrets in Azure Key Vault.

    Overview of Shared Access Signatures (SAS) in Azure Storage.

    Documentation on generating SAS tokens using Azure CLI.

    Introduction to Azure Kubernetes Service.

    Guide on using Kubernetes secrets.

    Example of using environment variables in Kubernetes pods.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

    0 comments No comments

0 additional answers

Sort by: Most helpful