https://pulumi.com logo
#azure
Title
# azure
m

many-pager-46142

03/15/2024, 2:53 PM
Hi all, wondering if anyone has been able to mount an Azure file share from an Azure Container Instance using identity-based authorization/RBAC instead of a storage account key?
Copy code
from pulumi_azure_native import storage, resources
from pulumi_azure_native.authorization import RoleAssignment
from pulumi_azure_native.storage import StorageAccount, FileShare
from pulumi_azure_native.containerinstance import ContainerGroup, VolumeMountArgs, ContainerArgs

SUBSCRIPTION_ID = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"

resource_group = resources.ResourceGroup("ResourceGroup")

storage_account = StorageAccount(
    "Storage",
    minimum_tls_version="TLS1_2",
    account_name="storageacct",
    allow_blob_public_access=False,
    allow_shared_key_access=False,
    resource_group_name=resource_group.name,
    sku=storage.SkuArgs(name=storage.SkuName.STANDARD_LRS),
    kind=storage.Kind.STORAGE_V2,
    azure_files_identity_based_authentication={
        "directory_service_options": "AADDS",
        "default_share_permission": "StorageFileDataSmbShareContributor"
    }
)

fileshare = FileShare(
    "Fileshare",
    share_name="fileshare",
    account_name=storage_account.name,
    resource_group_name=resource_group.name,
    share_quota=1
)

caddy_container = ContainerArgs(
    name="caddy",
    image="caddy",
    resources={"requests": {"memory_in_gb": .5, "cpu": .5}},
    ports=[{"port": 80}, {"port": 443}],
    volume_mounts=[
        VolumeMountArgs(mount_path="/config", name="caddy-config", read_only=False),
    ],
)

container_group = ContainerGroup(
    "ContainerGroup",
    container_group_name="container-group",
    containers=[caddy_container],
    ip_address={
        "ports": [{"port": 80}, {"port": 443}],
        "type": "Public",
        "dns_name_label": "label",
        "auto_generated_domain_name_label_scope": "unsecure"
    },
    os_type="Linux",
    resource_group_name=resource_group.name,
    location=resource_group.location,
    restart_policy="OnFailure",
    volumes=[{
        "name": "caddy-config",
        "azure_file": {
            "share_name": fileshare.name,
            "storage_account_name": storage_account.name,
            "read_only": False,
        }
    }],
    identity={"type": "SystemAssigned"},
)

role_assignment = RoleAssignment(
    "RoleAssignment",
    scope=storage_account.id,
    role_definition_id=f"/subscriptions/{SUBSCRIPTION_ID}/providers/Microsoft.Authorization/roleDefinitions/{STORAGE_BLOB_DATA_CONTRIBUTOR}",
    principal_id=container_group.identity.apply(lambda identity: identity.principal_id),
    principal_type="ServicePrincipal"
)
The above code gives the error
Copy code
Diagnostics:
  pulumi:pulumi:Stack (test):
    error: update failed

  azure-native:containerinstance:ContainerGroup (TestContainerGroup):
    error: Code="InvalidStorageAccountKey" Message="The Azure storage account key in volume 'caddy-config' is invalid."
a

adventurous-butcher-54166

03/21/2024, 3:13 PM
Only Access Keys are supported for Azure File Shares in Container Instances. RBAC for File Shares is only supported on domain joined Windows clients I believe. And btw. Storage Account Blobs != Storage Account Files – since I saw you were trying to assign Storage Blog Data contributor role
m

many-pager-46142

03/21/2024, 8:11 PM
Oh thanks. So I guess the proper role would be
Storage File Data SMB Share Contributor
then.
a

adventurous-butcher-54166

03/21/2024, 8:11 PM
Yes if RBAC would be supported which it isn't
m

many-pager-46142

03/21/2024, 8:15 PM
Gotcha. Is this what you were referring to above for Windows clients?