bonijad383

Reputation: 149

Kubernetes use Azure Blob Storage

How do I create a secret to access Azure Blob storage if I am using SAS token authentication mode?

{
    "account_name": "<value>",
    "container_name": "<value>",
    "container_uri": "<value>",
    "region": "<value>",
    "sas_token": "<value>"
}

I cannot find any information about this in the docs.

Upvotes: 0

Views: 725

Answers (1)

The Fool

Reputation: 20547

You create a SAS from the portal or via the az CLI:

AZURE_RESOURCE_GROUP="my-rg"
AZURE_STORAGE_ACCOUNT="my-sa"

# az reads AZURE_STORAGE_CONNECTION_STRING from the environment, so the
# storage commands below need no --account-name / --account-key.
export AZURE_STORAGE_CONNECTION_STRING="$(az storage account show-connection-string \
  --name "$AZURE_STORAGE_ACCOUNT" \
  --resource-group "$AZURE_RESOURCE_GROUP" \
  -o tsv)"

# Account-level SAS: blob service only (b), container + object resource types (co),
# expiring in 7 days. The expiry is given in UTC (the trailing Z), hence date -u;
# "date -d" is GNU date, on macOS use "date -u -v+7d '+%FT%H:%MZ'".
AZURE_STORAGE_SAS_TOKEN="$(az storage account generate-sas \
  --services b \
  --resource-types co \
  --permissions dlpruwac \
  --expiry "$(date -u -d '+7 days' '+%FT%H:%MZ')" \
  -o tsv)"

Note the --services, --resource-types and --permissions flags. In the above example the token was generated for blob storage, on container & objects within the container with the permissions: delete, list, process, read, update, write, add & create.

--permissions    [Required] :     The permissions the SAS grants. Allowed values: (a)dd (c)reate
                                  (d)elete (f)ilter_by_tags (i)set_immutability_policy (l)ist
                                  (p)rocess (r)ead (t)ag (u)pdate (w)rite (x)delete_previous_version
                                  (y)permanent_delete. Can be combined.
--resource-types [Required] :     The resource types the SAS is applicable for. Allowed values:
                                  (s)ervice (c)ontainer (o)bject. Can be combined.
--services       [Required] :     The storage services the SAS is applicable for. Allowed values:
                                  (b)lob (f)ile (q)ueue (t)able. Can be combined.

See more info with az storage account generate-sas --help.

Once you have the token you can create the secret (Note, you need the variables from the previous code snippet).

AZURE_STORAGE_ACCOUNT_CONTAINER="<my-container>"

# primaryEndpoints.blob ends with a slash (https://<account>.blob.core.windows.net/),
# so the container name can be appended directly.
# jq -n builds the JSON from --arg values, so the SAS token is never interpolated into
# a shell string or written to a file on disk; kubectl reads the result from stdin.
jq -n \
    --arg account_name "$AZURE_STORAGE_ACCOUNT" \
    --arg container_name "$AZURE_STORAGE_ACCOUNT_CONTAINER" \
    --arg container_uri "$(az storage account show -n "$AZURE_STORAGE_ACCOUNT" -g "$AZURE_RESOURCE_GROUP" --query primaryEndpoints.blob -o tsv)$AZURE_STORAGE_ACCOUNT_CONTAINER" \
    --arg region "$(az storage account show -n "$AZURE_STORAGE_ACCOUNT" -g "$AZURE_RESOURCE_GROUP" --query primaryLocation -o tsv)" \
    --arg sas_token "$AZURE_STORAGE_SAS_TOKEN" '{
    "account_name": $account_name,
    "container_name": $container_name,
    "container_uri": $container_uri,
    "region": $region,
    "sas_token": $sas_token
    }' |
    kubectl create secret generic storage-account --from-file=data.json=/dev/stdin

You can change the name of the secret and the file name within the secret by modifying the kubectl command.

You also need to check if you should append the container name to the container uri yourself or if the library using this data is doing it. Above, I have added the container name, you may want to remove it from the uri.

If you don't need to append the container name to the URI, you can simplify the JSON generation as below, using a query to get multiple fields from the az CLI.

AZURE_STORAGE_ACCOUNT_CONTAINER="<my-container>"

# The JMESPath query renames the fields so the az output already uses the expected
# keys; jq then merges in the two values az does not know about.
az storage account show -n "$AZURE_STORAGE_ACCOUNT" -g "$AZURE_RESOURCE_GROUP" \
    --query '{account_name:name,container_uri:primaryEndpoints.blob,region:primaryLocation}' |
    jq --arg sas_token "$AZURE_STORAGE_SAS_TOKEN" --arg container_name "$AZURE_STORAGE_ACCOUNT_CONTAINER" \
        '. + { "sas_token": $sas_token, "container_name": $container_name}' |
    kubectl create secret generic storage-account --from-file=data.json=/dev/stdin

Upvotes: 1
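The answer above generates an account SAS and wraps it in a Secret. A SAS is a bearer credential: whoever holds the query string has exactly the access encoded in its ss/srt/sp/se parameters, and the sig= value is the secret part. The POSIX shell script below is an added example, not the answerer's code: it parses the token, rejects one that is scoped wider than the workload needs (wrong service, service-level resource type, extra permissions) or already expired, masks the signature before anything is logged, and emits the same Secret manifest that the kubectl command in the answer creates, so the whole thing can be reviewed without a cluster. The token (its signature is fake), the account, container, region and secret names are all constructed for the example.

```shell
#!/bin/sh
# Constructed example token (the signature is fake): the shape of the query string
# `az storage account generate-sas` prints, with colons percent-encoded as %3A.
SAS_TOKEN='sv=2022-11-02&ss=b&srt=co&sp=rwlac&se=2099-01-01T00%3A00Z&st=2024-01-01T00%3A00Z&spr=https&sig=FAKEsignature%3D'

# sas_param TOKEN NAME: print the value of one query parameter, empty if absent.
sas_param() {
    printf '%s\n' "$1" | sed 's/^?//' | tr '&' '\n' | sed -n "s/^$2=//p"
}

# sas_perms_ok GRANTED ALLOWED: succeed only if every permission letter in GRANTED
# also appears in ALLOWED, i.e. the token grants no more than the workload needs.
sas_perms_ok() {
    granted=$1
    while [ -n "$granted" ]; do
        c=$(printf '%.1s' "$granted")
        granted=${granted#?}
        case "$2" in *"$c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# sas_scope_ok TOKEN: blob service only (ss=b) and no service-level resource type
# (no 's' in srt); container (c) and object (o) are enough to read and write blobs.
sas_scope_ok() {
    [ "$(sas_param "$1" ss)" = "b" ] || return 1
    case "$(sas_param "$1" srt)" in *s*) return 1 ;; esac
    return 0
}

# sas_expiry_ok TOKEN: succeed if se= is still in the future. Timestamps in the same
# ISO 8601 layout sort lexicographically, so a string comparison is enough once the
# %3A encoding and the trailing Z are stripped.
sas_expiry_ok() {
    exp=$(sas_param "$1" se | sed 's/%3A/:/g; s/Z$//')
    now=$(date -u '+%Y-%m-%dT%H:%M')
    [ -n "$exp" ] && expr "$exp" \> "$now" >/dev/null
}

# redact_sas TOKEN: sig= is the credential; mask it before the token goes to a log.
redact_sas() {
    printf '%s\n' "$1" | sed 's/sig=[^&]*/sig=REDACTED/'
}

# vet_sas TOKEN ALLOWED_PERMS: run all checks and say why a token was rejected.
vet_sas() {
    sas_scope_ok "$1" ||
        { echo "rejected: scope ss=$(sas_param "$1" ss) srt=$(sas_param "$1" srt)" >&2; return 1; }
    sas_perms_ok "$(sas_param "$1" sp)" "$2" ||
        { echo "rejected: permissions $(sas_param "$1" sp) exceed $2" >&2; return 1; }
    sas_expiry_ok "$1" ||
        { echo "rejected: expiry $(sas_param "$1" se) is not in the future" >&2; return 1; }
}

# secret_manifest NAME ACCOUNT CONTAINER URI REGION TOKEN: emit the Secret that
# `kubectl create secret generic NAME --from-file=data.json=...` creates: the JSON
# document from the question, base64-encoded under the key data.json. No cluster is
# needed; review it or pipe it to `kubectl apply -f -`. Values are not JSON-escaped,
# which is fine here because account, container and region names and SAS tokens
# contain no quotes or backslashes.
secret_manifest() {
    json=$(printf '{"account_name":"%s","container_name":"%s","container_uri":"%s","region":"%s","sas_token":"%s"}' \
        "$2" "$3" "$4" "$5" "$6")
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  data.json: %s\n' \
        "$1" "$(printf '%s' "$json" | base64 | tr -d '\n')"
}

# Demo with hypothetical names: only a vetted token reaches the manifest, and the
# line that is printed never contains the signature.
if vet_sas "$SAS_TOKEN" rwlac; then
    echo "accepted: $(redact_sas "$SAS_TOKEN")"
    secret_manifest storage-account my-sa my-container \
        https://my-sa.blob.core.windows.net/my-container eastus "$SAS_TOKEN"
fi
```

The allowed permission string is the one decision a practitioner has to make per workload: a consumer that only downloads needs "rl", an uploader needs something like "acw", and the answer's "dlpruwac" is the widest set an account SAS can reasonably carry, so vetting against the narrower string is how the token stored in the cluster gets tied to what the pod actually does.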
