Using Workload Idenity to Access Azure Blob Storage

In this post we'll show the steps needed to create an AKS cluster, enabled with Azure Workload Identity and then we'll build a sample dotnet app that writes files to Azure Blob Storage

Posted on: Dec 19, 2023

#Steve Griffith

Twitter: @SteveGriffith
GitHub: @swgriffith

Steve Griffith is a Principal Cloud Architect at Microsoft, on the Digital and App Innovation, Azure Global Black Belt Team.

#Workload Identity to Blob Storage

The following walkthrough shows how you can using Azure Workload Identity with the AKS Workload Identity add-on along with MSAL to access an Azure Blob Storage Account.

#Cluster Creation

Now lets create the AKS cluster with the OIDC Issuer and Workload Identity add-on enabled.

RG=WorkloadIdentityRG
LOC=eastus
CLUSTER_NAME=wilab
UNIQUE_ID=$CLUSTER_NAME$RANDOM
ACR_NAME=$UNIQUE_ID
STORAGE_ACCT_NAME=griffdemo

# Create the resource group
az group create -g $RG -l $LOC

# Create the cluster with the OIDC Issuer and Workload Identity enabled
az aks create -g $RG -n $CLUSTER_NAME \
--node-count 1 \
--enable-oidc-issuer \
--enable-workload-identity \
--generate-ssh-keys

# Get the cluster credentials
az aks get-credentials -g $RG -n $CLUSTER_NAME

#Set up the identity

In order to federate a managed identity with a Kubernetes Service Account we need to get the AKS OIDC Issure URL, create the Managed Identity and Service Account and then create the federation.

# Get the OIDC Issuer URL
export AKS_OIDC_ISSUER="$(az aks show -n $CLUSTER_NAME -g $RG --query "oidcIssuerProfile.issuerUrl" -otsv)"

# Create the managed identity
az identity create --name wi-demo-identity --resource-group $RG --location $LOC

# Get identity client ID
export USER_ASSIGNED_CLIENT_ID=$(az identity show --resource-group $RG --name wi-demo-identity --query 'clientId' -o tsv)

# Create a service account to federate with the managed identity
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}
  labels:
    azure.workload.identity/use: "true"
  name: wi-demo-sa
  namespace: default
EOF

# Federate the identity
az identity federated-credential create \
--name wi-demo-federated-id \
--identity-name wi-demo-identity \
--resource-group $RG \
--issuer ${AKS_OIDC_ISSUER} \
--subject system:serviceaccount:default:wi-demo-sa

#Create the Blob Storage Account

# Create a blob storage account
az storage account create \
--name $STORAGE_ACCT_NAME \
--resource-group $RG \
--location $LOC \
--sku Standard_LRS \
--encryption-services blob

# Get the resource ID of the storage account
STORAGE_ACCT_ID=$(az storage account show -g $RG -n $STORAGE_ACCT_NAME --query id -o tsv)

# Get the current signed in user ID
CURRENT_USER=$(az ad signed-in-user show --query id -o tsv)

# Grant the current user contributor rights for testing
az role assignment create \
--role "Storage Blob Data Contributor" \
--assignee $CURRENT_USER \
--scope "${STORAGE_ACCT_ID}"

# Grant the managed identity contributor rights
az role assignment create \
--role "Storage Blob Data Contributor" \
--assignee $USER_ASSIGNED_CLIENT_ID \
--scope "${STORAGE_ACCT_ID}"

# Create a storage account container with login auth mode enabled
az storage container create --account-name $STORAGE_ACCT_NAME --name data --auth-mode login

#Create the sample app

# Create and test a new console app
dotnet new console -n blob-console-app
cd blob-console-app
dotnet run

# Add the Key Vault and Azure Identity Packages
dotnet add package Azure.Storage.Blobs
dotnet add package Azure.Identity

Edit the app as follows:

using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using System;
using System.IO;
using Azure.Identity;

class Program
    {
        static void Main(string[] args)
        {
          // Get Storage Account Name
          string? storageAcctName = Environment.GetEnvironmentVariable("STORAGE_ACCT_NAME");;
          // Get the Storage Container Name
          string? containerName = Environment.GetEnvironmentVariable("CONTAINER_NAME");;

          // Check values for null or empty
          if (string.IsNullOrEmpty(storageAcctName)||string.IsNullOrEmpty(containerName))
          {
            Console.WriteLine("Storage Account or Container Name are null or empty");
            Environment.Exit(0);
          }

          while (true)
          {
            MainAsync(storageAcctName,containerName).Wait();
            System.Threading.Thread.Sleep(5000);
          }

        }

        static async Task MainAsync(string storageAcctName, string containerName)
        {
          var blobServiceClient = new BlobServiceClient(
                  new Uri(String.Format("https://{0}.blob.core.windows.net",storageAcctName)),
                  new DefaultAzureCredential());

          BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);

          // Create a local file in the ./data/ directory for uploading and downloading
          string localPath = "data";
          Directory.CreateDirectory(localPath);
          string fileName = Guid.NewGuid().ToString() + ".txt";
          string localFilePath = Path.Combine(localPath, fileName);

          // Write text to the file
          await File.WriteAllTextAsync(localFilePath, "Hello, World!");

          // Get a reference to a blob
          BlobClient blobClient = containerClient.GetBlobClient(fileName);

          Console.WriteLine("Uploading to Blob storage as blob:\n\t {0}\n", blobClient.Uri);

          // Upload data from the local file
          await blobClient.UploadAsync(localFilePath, true);
        }

    }

Create a new Dockerfile with the following:

FROM mcr.microsoft.com/dotnet/sdk:7.0 AS build-env
WORKDIR /App

# Copy everything
COPY . ./
# Restore as distinct layers
RUN dotnet restore
# Build and publish a release
RUN dotnet publish -c Release -o out

# Build runtime image
FROM mcr.microsoft.com/dotnet/aspnet:7.0
WORKDIR /App
COPY --from=build-env /App/out .
ENTRYPOINT ["dotnet", "blob-console-app.dll"]

Build the image. I’ll create an Azure Container Registry and build there, and then link that ACR to my AKS cluster.

# Create the ACR
az acr create -g $RG -n $ACR_NAME --sku Standard

# Build the image
az acr build -t wi-blob-test -r $ACR_NAME .

# Link the ACR to the AKS cluster
az aks update -g $RG -n $CLUSTER_NAME --attach-acr $ACR_NAME

Now deploy a pod that runs our blob storage app using the service account identity.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: wi-blob-test
  namespace: default
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: wi-demo-sa
  containers:
    - image: ${ACR_NAME}.azurecr.io/wi-blob-test
      name: wi-blob-test
      env:
      - name: STORAGE_ACCT_NAME
        value: ${STORAGE_ACCT_NAME}
      - name: CONTAINER_NAME
        value: data
  nodeSelector:
    kubernetes.io/os: linux
EOF

# Check the pod logs
kubectl logs -f wi-blob-test

# Sample Output
Uploading to Blob storage as blob:
	 https://griffdemo.blob.core.windows.net/data/quickstart3efa9a81-9672-4617-a6ff-f11fb93d7c84.txt

Uploading to Blob storage as blob:
	 https://griffdemo.blob.core.windows.net/data/quickstart23968d6b-80c5-4c82-8bcf-860fa00edbd3.txt

Uploading to Blob storage as blob:
	 https://griffdemo.blob.core.windows.net/data/quickstart0e20e7ef-c3ba-4fd3-a3d5-c27579d2ba96.txt

#Conclusion

Congrats! You should now have a working pod that uses MSAL along with a Kubernetes Service Account federated to an Azure Managed Identity to access Azure Blob Storage.