https://lakefs.io/ logo
#help
Title
# help
i

Ion

02/21/2024, 2:36 PM
Hi all, was curious on how to setup a managed identity in Azure on LakeFS, I can't entirely follow how to setup the deployment. For service principal it was clear though to set envvars
i

Idan Novogroder

02/21/2024, 2:48 PM
i

Ion

02/21/2024, 2:55 PM
It's not entirely clear, I just need to set AZURE_CLIENT_ID only and then it magically works?
i

Idan Novogroder

02/21/2024, 3:09 PM
It is more than AZURE_CLIENT_ID. First option, using identity-based auth:
Copy code
AZURE_CLIENT_ID      =  $appId
AZURE_TENANT_ID      =  $tenant
AZURE_CLIENT_SECRET  =  $password
Second option, using storage account creds:
Copy code
blockstore.azure.storage_account
blockstore.azure.storage_access_key
i

Ion

02/21/2024, 4:03 PM
The link indicates you can use a managed identity, but there is no guide on how
The first one you mentioned is using a service principal which what we do know
i

Idan Novogroder

02/21/2024, 5:39 PM
Can you elevate a little bit about what you are trying to do? Do you try to run lakeFS on AKS? If so, creating a managed identity with
Storage Blob Data Contributor
role for your storage account should work. You just will need to set up Azure as your block store and type and configure your storage account. It can be done by setting env vars like this:
Copy code
LAKEFS_BLOCKSTORE_TYPE=azure
LAKEFS_BLOCKSTORE_AZURE_STORAGE_ACCOUNT=<YourAzureStorageAccountName>
Or using your
lakefs.yaml
config file like this:
Copy code
blockstore:
  type: azure
  azure:
    storage_account: <YourAzureStorageAccountName>
i

Ion

02/21/2024, 5:41 PM
Yes LakeFS on AKS, the managed identity already has this RBAC on the required storage accounts. One thing that's unclear is how do I tell lakefs to use that managed identity
i

Idan Novogroder

02/21/2024, 5:48 PM
If your AKS is configured with a system-assigned managed identity, lakeFS will automatically use this identity for Azure resource access. If multiple user-assigned managed identities are assigned to your service, you can specify which identity lakeFS should use by setting the
AZURE_CLIENT_ID
environment variable to the client ID of the managed identity.
Out of curiosity, I know there are different ways to assign web identities to pods in AKS. However, they are less intuitive compared to AWS. Can you please share the method you choose?
i

Ion

02/21/2024, 5:58 PM
Yeah I don't believe the cluster is set up that way, since its shared across multiple teams
i

Idan Novogroder

02/21/2024, 6:06 PM
There also ways to assign managed identities to specific pods
i

Ion

02/21/2024, 6:09 PM
Interesting! Thanks for the share
i

Idan Novogroder

02/21/2024, 6:14 PM
Sure! Please let me know if you managed to make it work for you!