Hi all, wondering if anyone has been able to mount...
# azure
m
Hi all, wondering if anyone has been able to mount an Azure file share from an Azure Container Instance using identity-based authorization/RBAC instead of a storage account key?
# Pulumi program (Azure Native provider) that tries to mount an Azure file share
# into a container instance using the container group's managed identity
from pulumi_azure_native import storage, resources
from pulumi_azure_native.authorization import RoleAssignment
from pulumi_azure_native.storage import StorageAccount, FileShare
from pulumi_azure_native.containerinstance import ContainerGroup, VolumeMountArgs, ContainerArgs

SUBSCRIPTION_ID = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
# Built-in role definition id for "Storage Blob Data Contributor"
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"

resource_group = resources.ResourceGroup("ResourceGroup")

# Storage account with shared-key access disabled, so only identity-based auth can be used
storage_account = StorageAccount(
    "Storage",
    minimum_tls_version="TLS1_2",
    account_name="storageacct",
    allow_blob_public_access=False,
    allow_shared_key_access=False,
    resource_group_name=resource_group.name,
    sku=storage.SkuArgs(name=storage.SkuName.STANDARD_LRS),
    kind=storage.Kind.STORAGE_V2,
    azure_files_identity_based_authentication={
        "directory_service_options": "AADDS",
        "default_share_permission": "StorageFileDataSmbShareContributor"
    }
)

fileshare = FileShare(
    "Fileshare",
    share_name="fileshare",
    account_name=storage_account.name,
    resource_group_name=resource_group.name,
    share_quota=1
)

caddy_container = ContainerArgs(
    name="caddy",
    image="caddy",
    resources={"requests": {"memory_in_gb": .5, "cpu": .5}},
    ports=[{"port": 80}, {"port": 443}],
    volume_mounts=[
        VolumeMountArgs(mount_path="/config", name="caddy-config", read_only=False),
    ],
)

container_group = ContainerGroup(
    "ContainerGroup",
    container_group_name="container-group",
    containers=[caddy_container],
    ip_address={
        "ports": [{"port": 80}, {"port": 443}],
        "type": "Public",
        "dns_name_label": "label",
        "auto_generated_domain_name_label_scope": "unsecure"
    },
    os_type="Linux",
    resource_group_name=resource_group.name,
    location=resource_group.location,
    restart_policy="OnFailure",
    volumes=[{
        "name": "caddy-config",
        "azure_file": {
            "share_name": fileshare.name,
            "storage_account_name": storage_account.name,
            "read_only": False,
        }
    }],
    identity={"type": "SystemAssigned"},
)

# Grant the container group's system-assigned identity a role on the storage account
role_assignment = RoleAssignment(
    "RoleAssignment",
    scope=storage_account.id,
    role_definition_id=f"/subscriptions/{SUBSCRIPTION_ID}/providers/Microsoft.Authorization/roleDefinitions/{STORAGE_BLOB_DATA_CONTRIBUTOR}",
    principal_id=container_group.identity.apply(lambda identity: identity.principal_id),
    principal_type="ServicePrincipal"
)
The above code gives the error:
Diagnostics:
  pulumi:pulumi:Stack (test):
    error: update failed

  azure-native:containerinstance:ContainerGroup (TestContainerGroup):
    error: Code="InvalidStorageAccountKey" Message="The Azure storage account key in volume 'caddy-config' is invalid."
a
Only Access Keys are supported for Azure File Shares in Container Instances. RBAC for File Shares is only supported on domain-joined Windows clients, I believe. And btw, Storage Account Blobs != Storage Account Files, since I saw you were trying to assign the Storage Blob Data Contributor role.
m
Oh thanks. So I guess the proper role would be Storage File Data SMB Share Contributor then.
a
Yes, if RBAC were supported, which it isn't.
m
Gotcha. Is this what you were referring to above for Windows clients?