Search code examples
azure-aksterraform-provider-azureazure-filesazure-storage-accountaad-pod-identity

Secure access Azure file share with pod identities


I used Azure files to share storage between many pods in AKS.

In this Cluster we have multiple applications, I want access to this storage to be secure, each storage account is accessible only via one user managed identity assigned to these pods :

  • use pod identities
  • Assign "Storage File Data SMB Share Contributor" role to our Managed Identity.

option1: using pod-identity, when we create a storage class and persistent volume claim it automatically creates the PV and storage account, so how to dynamically retrieve the name of this storage account? (IaC with Terraform)

option2: without using pod-identities, how can we secure access to this storage account from pods?


Solution

  • option1:

    1. You can create the Storage Account beforehand, assign the role on the Storage Account and use the StorageClass storageAccount parameter to use it instead of creating a new one.

    2. You can create a Resource Group beforehand, assign the role at the scope of the Resource Group and then specify that Resource Group with the the resourceGroup StorageClass parameter to make sure the storage account is created in this Resource Group.

    option2:

    1. You will have to use a Service Principal or the Storage Account Access Key. You can either get them from a Vault (Ex : Azure Key Vault, using CSI Driver) or stored them in Kubernetes Secret.