This article describes how to configure Cloud Ingest Edge Volumes with Workload Identity.
Prerequisites
Before you begin, ensure you read Cloud Ingest Edge Volumes configuration and meet the prerequisites listed there.
Configure Kubernetes cluster for Workload Identity
In order to use Workload Identity with Azure Container Storage enabled by Azure Arc, you must first enable the features for your Azure Arc Connected Kubernetes Cluster. Enable the OpenID Connect (OIDC) issuer and workload identity by running the following command:
az connectedk8s update --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME> --enable-oidc-issuer --enable-workload-identity
Next you need to configure your Kubernetes cluster to utilize workload identity:
Obtain the Issuer URL:
az connectedk8s show --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME> --query oidcIssuerProfile.issuerUrl --output tsv
Use this issuer in /etc/rancher/k3s/config.yaml:
kube-apiserver-arg:
  - service-account-issuer=<SERVICE_ACCOUNT_ISSUER>
  - service-account-max-token-expiration=24h
Once you update the config.yaml, you need to restart K3s.
systemctl restart k3s
Create a User Assigned Managed Identity (UAMI)
You need to create a UAMI to federate with your Kubernetes cluster and grant role-based access to your Storage Account or OneLake Lakehouse, for use with Azure Container Storage enabled by Azure Arc.
You can create a UAMI using Azure CLI with the following command:
az identity create --resource-group <RESOURCE_GROUP> --name <USER_ASSIGNED_IDENTITY_NAME> --location <LOCATION> --subscription <SUBSCRIPTION>
This command returns a client ID that you use later to federate the credential and configure Azure Container Storage.
Federate the UAMI
Add the UAMI to your EdgeStorageConfiguration Custom Resource Definition (CRD) for Azure Container Storage:
kubectl edit edgestorageconfiguration edge-storage-configuration
Add the following YAML in the spec section, after the serviceMesh block:
workloadIdentity:
  clientID: <CLIENT_ID_FROM_UAMI>
  tenantID: <TENANT_ID_FROM_UAMI>
Next, federate your UAMI with the three required service accounts in the azure-arc-containerstorage namespace by editing and running the following Azure CLI commands:
az identity federated-credential create --resource-group <RESOURCE_GROUP> --identity-name <USER_ASSIGNED_IDENTITY_NAME> --name acsa-csi-fed --issuer <OIDC_ISSUER> --subject system:serviceaccount:azure-arc-containerstorage:csi-wyvern-sa --audience api://AzureADTokenExchange
az identity federated-credential create --resource-group <RESOURCE_GROUP> --identity-name <USER_ASSIGNED_IDENTITY_NAME> --name acsa-pv-fed --issuer <OIDC_ISSUER> --subject system:serviceaccount:azure-arc-containerstorage:wyvern-pv-sa --audience api://AzureADTokenExchange
az identity federated-credential create --resource-group <RESOURCE_GROUP> --identity-name <USER_ASSIGNED_IDENTITY_NAME> --name acsa-operator-fed --issuer <OIDC_ISSUER> --subject system:serviceaccount:azure-arc-containerstorage:wyvern-operator-sa --audience api://AzureADTokenExchange
You also need to create a role assignment on the Storage Account you wish to use, granting the UAMI you created the Storage Blob Data Owner role:
az role assignment create --assignee <USER_ASSIGNED_IDENTITY_ID> --role "Storage Blob Data Owner" --scope "/subscriptions/<SUBSCRIPTION>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGEACCOUNT>"
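Entra ID completes the token exchange only when the projected service-account token's issuer, subject and audience match a federated credential exactly, and the token lifetime is bounded by the service-account-max-token-expiration value set in the k3s config above. The following Python helper, an added example that is not part of this article or of Azure Container Storage, decodes a token's claims (without verifying the signature, which Entra ID does at exchange time against the issuer's keys) and reports any mismatch against the three federated credentials created above. The issuer URL and the two sample tokens are constructed placeholders; the subjects, audience and 24h limit are the values from this page.

```python
# Added example (not from the Azure docs page): sanity-check the claims of a
# Kubernetes projected service-account token against the federated credential
# parameters the UAMI expects. A mismatch in issuer, subject or audience is the
# usual cause of a failed token exchange.
import base64
import json

# Values from the page's federation commands. The issuer URL is a constructed
# placeholder standing in for the real <OIDC_ISSUER>.
EXPECTED_ISSUER = "https://oidc.example.invalid/issuer-id/"
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"
EXPECTED_SUBJECTS = {
    "system:serviceaccount:azure-arc-containerstorage:csi-wyvern-sa",
    "system:serviceaccount:azure-arc-containerstorage:wyvern-pv-sa",
    "system:serviceaccount:azure-arc-containerstorage:wyvern-operator-sa",
}
# service-account-max-token-expiration=24h from the k3s config.yaml
MAX_TOKEN_LIFETIME_SECONDS = 24 * 60 * 60


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Signature verification happens on the Entra ID side at exchange time;
    this helper only inspects the claims for misconfiguration.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def check_federation_claims(token: str) -> list:
    """Return human-readable mismatches; an empty list means the token would
    match one of the three federated credentials on this page."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"issuer {claims.get('iss')!r} != {EXPECTED_ISSUER!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in auds:
        problems.append(f"audience {aud!r} lacks {EXPECTED_AUDIENCE!r}")
    if claims.get("sub") not in EXPECTED_SUBJECTS:
        problems.append(f"subject {claims.get('sub')!r} is not a federated service account")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        problems.append("iat/exp missing or not integers")
    elif exp - iat > MAX_TOKEN_LIFETIME_SECONDS:
        problems.append(f"lifetime {exp - iat}s exceeds {MAX_TOKEN_LIFETIME_SECONDS}s")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT used purely as sample input here."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    # Empty signature segment: this example never verifies signatures.
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens: one that matches the federation, one that does not.
NOW = 1_700_000_000
GOOD_TOKEN = make_unsigned_token({
    "iss": EXPECTED_ISSUER,
    "sub": "system:serviceaccount:azure-arc-containerstorage:csi-wyvern-sa",
    "aud": [EXPECTED_AUDIENCE],
    "iat": NOW,
    "exp": NOW + 3600,
})
BAD_TOKEN = make_unsigned_token({
    "iss": "https://kubernetes.default.svc",  # cluster default issuer, not the Arc issuer
    "sub": "system:serviceaccount:default:default",
    "aud": ["https://kubernetes.default.svc"],
    "iat": NOW,
    "exp": NOW + 3 * 24 * 3600,  # longer than the 24h cap configured on the API server
})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_federation_claims(tok) or "ok")
```

On a live cluster you would feed check_federation_claims the token read from the projected volume of one of the three service accounts (normally mounted at /var/run/secrets/azure/tokens/azure-identity-token in workload-identity pods) with EXPECTED_ISSUER set to the value returned by the az connectedk8s show command above; the bad sample reproduces the common failure where the API server still uses its default issuer because config.yaml was not applied or k3s was not restarted.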
Create a Cloud Ingest Persistent Volume Claim (PVC) with Workload Identity
To create a Cloud Ingest Persistent Volume Claim (PVC) with Workload Identity, you can use the following example YAML file:
apiVersion: "arccontainerstorage.azure.net/v1"
kind: EdgeSubvolume
metadata:
  name: acsa-pvc
spec:
  edgevolume: acsa-pvc
  path: exampleSubDir # If you change this path, line 33 in deploymentExample.yaml must be updated. Don't use a preceding slash.
  subvolumeType: INGEST
  auth:
    authType: WORKLOAD_IDENTITY
  storageaccountendpoint: ""
Continue with the steps in the Cloud Ingest Edge Volumes configuration guide, starting from the Create a Cloud Ingest Persistent Volume Claim (PVC) section and using the example provided here.