CycleCloud unable to access storage locker after disabling "Allow storage account key access"

Question

We have several CycleCloud/Slurm clusters running in Azure using Managed Identity. A recent security initiative has required us to disable the "Allow storage account key access" storage account configuration. After doing so, CycleCloud is unable to read from the storage locker/container. We receive a Http Status 403 in the cycle_server.log. I suspect cycle server requires us to have this configuration enabled.

Is it possible to use CycleCloud with a storage account that has "Allow storage account key access" disabled?

CycleCloud Version: 8.6.1-3248

Answer 1

Hi Devin Payne - Thanks for reaching out.

Disable the account keys access would disable the auth coming via Shared Keys , Account or Service SAS and the calls shall return a 403 during authorization.

https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal

However you mentioned that you are using MI so there appears to be some configuration which might be using access keys and hence resulting into failure.

You can start by enabling the diagnostic logging to check the auth method being passed. if you observe auth method other that OAUTH (i.e. AD) such as Shared Key or SAS this shall help in isolation.

https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

Hope that helps!