When will the Azure Storage FUSE driver (Blobfuse2) support MS Entra Workload Id for mounting to AKS?

Andrej 6

This GitHub issue details the issue many customers are experiencing attempting to mount Azure Blob Storage to AKS Pods, using Managed Identity (MS Entra Workload Id) and the Azure Storage FUSE driver (Blobfuse2): https://github.com/Azure/AKS/issues/3432#issuecomment-2377117830

Existing documentation is confusing for customers and does not mention the current issues as limitations nor when they will be resolved. For example mounting is NOT supported using Managed Identity, instead the underlying implementation requires elevated Azure Blob Storage privileges (Contributor Role), which many highly regulated customers see as increasing the security risk posture.

Sumarigo-MSFT 47,101 Reputation points Microsoft Employee

2024-09-28T04:59:21.2766667+00:00
@Andrej Thanks for raising this good question. I’m checking on this internally with the product & Content team and will get back to you with something concrete.

Additional information:

Managed Identity in AKS:

Managed identities for Azure resources are the recommended way to authorize access from an AKS cluster to other Azure services. However, there are limitations and specific configurations required to make it work seamlessly

The Azure Kubernetes Service (AKS) clusters require a Microsoft Entra identity to access Azure resources like load balancers and managed disks Use a managed identity in Azure Kubernetes Service (AKS)

Field Tips for AKS Storage Provisioning:

There are steps to use Managed Identity for accessing Azure Blob Storage using BlobFuse on AKS, but these steps are not straightforward and require careful implementation Field tips for AKS storage provisioning | Argon Systems

Persistent Volume with Azure Blob Storage:

Creating a persistent volume with Azure Blob Storage for use with multiple concurrent pods in AKS involves enabling the Blob storage CSI driver on your AKS cluster Create a persistent volume with Azure Blob storage in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn

1 answer

Sumarigo-MSFT 47,101 Reputation points Microsoft Employee

2024-11-07T05:26:41.1033333+00:00

@Andrej I appreciate the time and patience. Thank you. We have made the changes, please refer to the below link:

https://github.com/Azure/AKS/issues/3432#issuecomment-2430629778

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
Andrej 6 Reputation points

2024-11-11T00:50:31.0333333+00:00

Hi @Sumarigo-MSFT - thank you for your efforts. Unfortunately the comment in the GitHub issue is not really an answer. We really need a timeline for when below will be supported and relevant mslearn documentation updated:

"Azure file csi driver does not support workload identity or managed identity, and azure file team are still working on that feature."

Are you able to clarify the timeline for above with the azure file team?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

When will the Azure Storage FUSE driver (Blobfuse2) support MS Entra Workload Id for mounting to AKS?

1 answer

Your answer