Mount Volumes in ACI but without using Storage Account Keys

Devesh 60 Reputation points
2024-09-21T01:51:04.6133333+00:00

Is it possible that we can mount volumes without using Storage Account Keys?

Ref: https://learn.microsoft.com/en-us/training/modules/create-run-container-images-azure-container-instances/6-mount-azure-file-share-azure-container-instances

This question is related to the following Learning Module

Azure Training

Accepted answer
AmaranS 6,500 Reputation points Microsoft Vendor
2024-09-21T02:39:57.6666667+00:00

    Hi Devesh,

    Thanks for reaching out on Microsoft Q&A. Try these steps:

    In Azure Container Instances (ACI), you can mount volumes without using storage account keys by leveraging Azure Managed Identities and Azure Files with Azure Role-Based Access Control (RBAC). Here's how you can do this:

    Steps to Mount Azure Files in ACI without Storage Account Keys

    1. Create an Azure Storage Account with a File Share:
      • First, create a storage account and a file share in Azure that you want to mount to your container.
    2. Create a User-Assigned Managed Identity:
      • Go to the Azure portal and create a user-assigned managed identity. This identity will be used to access your storage account without requiring storage keys.
    3. Assign Storage Blob Data Roles:
      • Assign your managed identity the Storage Blob Data Contributor role (or appropriate role) on the storage account or the specific file share.
        • Navigate to the Access Control (IAM) tab in your storage account.
        • Add a role assignment, search for "Storage Blob Data Contributor," and assign this to the managed identity.
    4. Deploy the ACI with Managed Identity and File Share:
      • Deploy your container in ACI with the managed identity attached. Ensure the ACI has the correct RBAC permissions to the storage account for reading or writing to the file share.
      • Use the Azure CLI or ARM/Bicep template to create the ACI.
      Example with Azure CLI:
      # Role names in the az CLI contain spaces, so quote them. Note that --role
      # and --scope configure a system-assigned identity; a user-assigned identity
      # (passed by resource id to --assign-identity) gets its role assignment
      # separately, as in step 3.
      az container create \
          --resource-group <your-resource-group> \
          --name <your-container-instance-name> \
          --image <your-container-image> \
          --assign-identity <your-managed-identity-id> \
          --azure-file-volume-account-name <your-storage-account> \
          --azure-file-volume-share-name <your-file-share> \
          --azure-file-volume-mount-path <mount-path> \
          --role "Storage Blob Data Contributor" \
          --scope <your-storage-account-resource-id>

    5. Access the Mounted Volume:
      • Once deployed, your container should be able to access the Azure File Share using the managed identity's credentials, without needing to provide storage account keys.

    Key Benefits:

    • Enhanced Security: You no longer need to handle or distribute storage account keys, reducing the risk of credential exposure.

    • RBAC Control: The access is managed by Azure RBAC, providing fine-grained access control.
    • Seamless Management: Managed identities automatically rotate credentials and integrate seamlessly with Azure services.

    If this answer is helpful, please mark it as the answer and upvote it. If you need any more help, feel free to ask. Thanks!
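As an added example that is not part of the accepted answer above: steps 2 and 3 of the answer (create the user-assigned identity, grant it the role) done with the Azure CLI instead of the portal, with the role assignment scoped to the storage account itself rather than the resource group or subscription. `az identity create`, `az storage account show`, `az role assignment create` and `az role assignment list` are real CLI commands; `RG`, `IDENTITY_NAME` and `STORAGE_ACCOUNT` are placeholders, and `scope_is_storage_account` is a hypothetical guard written for this example that refuses to assign the role at a broader scope.

```shell
#!/bin/sh
# Added example, not from the Q&A answer: create a user-assigned identity and grant
# it "Storage Blob Data Contributor" scoped to a single storage account (steps 2-3
# of the accepted answer via CLI). RG, IDENTITY_NAME and STORAGE_ACCOUNT are
# placeholders; override them through the environment.
set -eu

RG="${RG:-my-resource-group}"                          # placeholder
IDENTITY_NAME="${IDENTITY_NAME:-aci-files-identity}"   # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-mystorageacct}"    # placeholder
ROLE="Storage Blob Data Contributor"                   # role named in the answer

# Hypothetical least-privilege guard: accept only a scope that is a storage
# account resource id (or a resource beneath it); reject subscription and
# resource-group scopes. Returns 0 when acceptable, 1 otherwise.
scope_is_storage_account() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Storage/storageAccounts/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the identity; print its principalId and resource id, tab-separated.
create_identity() {
  az identity create -g "$RG" -n "$IDENTITY_NAME" \
     --query '[principalId, id]' -o tsv
}

# Grant the role at the validated scope. --assignee-object-id plus an explicit
# principal type avoids the directory lookup right after identity creation.
grant_role() {
  principal_id="$1"; scope="$2"
  scope_is_storage_account "$scope" || {
    echo "refusing to assign '$ROLE' at non-storage-account scope: $scope" >&2
    return 1
  }
  az role assignment create \
     --assignee-object-id "$principal_id" \
     --assignee-principal-type ServicePrincipal \
     --role "$ROLE" \
     --scope "$scope" -o none
}

# Check: list the scopes at which the principal holds the role.
verify_role() {
  az role assignment list --assignee "$1" --scope "$2" \
     --query "[?roleDefinitionName=='$ROLE'].scope" -o tsv
}

# Run only when asked with --run, so the functions can be sourced without az.
if [ "${1:-}" = "--run" ]; then
  scope="$(az storage account show -g "$RG" -n "$STORAGE_ACCOUNT" --query id -o tsv)"
  set -- $(create_identity)       # $1 = principalId, $2 = identity resource id
  grant_role "$1" "$scope"
  verify_role "$1" "$scope"
  echo "attach this identity to the container with: --assign-identity $2"
fi
```

Run it with `--run` on a machine where `az login` has been done; the last line prints the identity resource id to pass to `--assign-identity` in the `az container create` command from the answer. Resource ids returned by Azure can vary in letter case for the `resourceGroups` segment, so adjust the pattern in the guard if your ids come back lower-cased.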


0 additional answers
