Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
For anyone following this thread, hot off the press: workload identity support on static provisioning
When will the Azure Storage FUSE driver (Blobfuse2) support MS Entra Workload Id for mounting to AKS?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 48%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Andrej
11
Reputation points
This GitHub issue details the issue many customers are experiencing attempting to mount Azure Blob Storage to AKS Pods, using Managed Identity (MS Entra Workload Id) and the Azure Storage FUSE driver (Blobfuse2): https://github.com/Azure/AKS/issues/3432#issuecomment-2377117830
Existing documentation is confusing for customers and does not mention the current issues as limitations nor when they will be resolved. For example mounting is NOT supported using Managed Identity, instead the underlying implementation requires elevated Azure Blob Storage privileges (Contributor Role), which many highly regulated customers see as increasing the security risk posture.
Azure Blob Storage
Azure Kubernetes Service
Azure Kubernetes Service
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
-
Sumarigo-MSFT 47,511 Reputation points Microsoft Employee Moderator2024-09-28T04:59:21.2766667+00:00 @Andrej Thanks for raising this good question. I’m checking on this internally with the product & Content team and will get back to you with something concrete.
Additional information:
- Managed Identity in AKS:
- Managed identities for Azure resources are the recommended way to authorize access from an AKS cluster to other Azure services. However, there are limitations and specific configurations required to make it work seamlessly
- The Azure Kubernetes Service (AKS) clusters require a Microsoft Entra identity to access Azure resources like load balancers and managed disks Use a managed identity in Azure Kubernetes Service (AKS)
- Field Tips for AKS Storage Provisioning:
- There are steps to use Managed Identity for accessing Azure Blob Storage using BlobFuse on AKS, but these steps are not straightforward and require careful implementation Field tips for AKS storage provisioning | Argon Systems
- Persistent Volume with Azure Blob Storage:
- Creating a persistent volume with Azure Blob Storage for use with multiple concurrent pods in AKS involves enabling the Blob storage CSI driver on your AKS cluster Create a persistent volume with Azure Blob storage in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn
- Managed Identity in AKS:
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-02-26T15:43:23.87+00:00 Agreed. This whole thing is wildly confusing and results in me contacting support every single time. The documentation is scattered and conflicting. Not only that, it is almost exclusively tailored to self-install, with very little documentation on how using the MANAGED driver differs.
Sign in to comment
2 answers
Sort by: Most helpful
-
Sumarigo-MSFT 47,511 Reputation points Microsoft Employee Moderator
2024-11-07T05:26:41.1033333+00:00 @Andrej I appreciate the time and patience. Thank you. We have made the changes, please refer to the below link:
https://github.com/Azure/AKS/issues/3432#issuecomment-2430629778
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
-
Andrej 11 Reputation points
2024-11-11T00:50:31.0333333+00:00 Hi @Sumarigo-MSFT - thank you for your efforts. Unfortunately the comment in the GitHub issue is not really an answer. We really need a timeline for when below will be supported and relevant mslearn documentation updated:
"Azure file csi driver does not support workload identity or managed identity, and azure file team are still working on that feature."
Are you able to clarify the timeline for above with the azure file team?
-
Sumarigo-MSFT 47,511 Reputation points Microsoft Employee Moderator
2024-11-15T05:43:52.4733333+00:00 @Andrej We do not have an ETA to share for Public Preview for now . You can subscribe to Azure Updates Get the latest updates on Azure products and features to meet your cloud investment needs. Subscribe to notifications to stay informed.
Latest Azure UpdatesFeed of consolidated latest updates from all most important official sources, sorted by date of publishing. Subscribe to / export latest updates: RSS or CSV, read about latest GA/ Previews: **Report.
**
I’ll update you as soon as I receive the timeline from the product team.
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Sign in to comment -