Hi Kaalasurya,
Azure Blob NFS 3.0 only supports the default Azure Kubernetes Service (AKS) node identity (system-assigned managed identity of the VM/VMSS) for container creation and access.
User-assigned managed identities or service principals are not supported for Blob NFS authentication.
You can grant permissions to the default identity associated with the resource that is mounting the NFS share.
To allow container creation and access, assign appropriate RBAC roles to the storage account’s system-managed identity.
Find the system-managed identity’s object ID and assign the Storage Blob Data Contributor role.
Blob Fuse (FUSE): Blob Fuse is a virtual file system driver that allows you to mount Azure Blob Storage as a file system in Linux. It uses the Azure Storage REST API for all operations. The REST API supports Azure Active Directory (Microsoft Entra ID) authentication, which means you can use both system-assigned and user-assigned managed identities, or even service principals, to securely access blob data.
NFS Protocol: Azure Blob NFS (NFS 3.0) exposes blob storage through the NFS protocol, which is a legacy file-sharing protocol designed for on-premises environments. NFS does not natively support user-based authentication or identity-based access control.
Please refer to these documents:
https://learn.microsoft.com/en-us/azure/storage/blobs/network-file-system-protocol-known-issues
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
If you have any further queries, let me know. If the information is helpful, please click on Upvote.
Thank you.