# help
Hi all, was curious on how to setup a managed identity in Azure on LakeFS, I can't entirely follow how to setup the deployment. For service principal it was clear though to set envvars
It's not entirely clear, I just need to set AZURE_CLIENT_ID only and then it magically works?
It is more than AZURE_CLIENT_ID. First option, using identity-based auth:
```
AZURE_CLIENT_ID      =  $appId
AZURE_TENANT_ID      =  $tenant
AZURE_CLIENT_SECRET  =  $password
```
Second option, using storage account creds:
```
blockstore.azure.storage_account
blockstore.azure.storage_access_key
```
The link indicates you can use a managed identity, but there is no guide on how
The first one you mentioned is using a service principal, which is what we do now.
Can you elaborate a little bit about what you are trying to do? Are you trying to run lakeFS on AKS? If so, creating a managed identity with the `Storage Blob Data Contributor` role for your storage account should work. You will just need to set up Azure as your block store type and configure your storage account. It can be done by setting env vars like this:
```
LAKEFS_BLOCKSTORE_TYPE=azure
LAKEFS_BLOCKSTORE_AZURE_STORAGE_ACCOUNT=<YourAzureStorageAccountName>
```
Or using your `lakefs.yaml` config file like this:
```
blockstore:
  type: azure
  azure:
    storage_account: <YourAzureStorageAccountName>
```
Yes LakeFS on AKS, the managed identity already has this RBAC on the required storage accounts. One thing that's unclear is how do I tell lakefs to use that managed identity
If your AKS is configured with a system-assigned managed identity, lakeFS will automatically use this identity for Azure resource access. If multiple user-assigned managed identities are assigned to your service, you can specify which identity lakeFS should use by setting the `AZURE_CLIENT_ID` environment variable to the client ID of the managed identity.
Out of curiosity, I know there are different ways to assign web identities to pods in AKS. However, they are less intuitive compared to AWS. Can you please share the method you chose?
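Added example, not from the thread or from lakeFS itself: a small resolver that takes the env vars and `lakefs.yaml` keys discussed above and reports which Azure credential path a pod would end up on (shared key, service principal, or managed identity with an optional `AZURE_CLIENT_ID` selecting a user-assigned identity), rejecting half-configured states. The precedence order is an assumption for illustration, not lakeFS's documented behaviour.

```python
# Added example (not lakeFS code): work out which Azure credential path a lakeFS
# pod would use, given its env vars and lakefs.yaml, and reject the
# half-configured states that make "it just doesn't auth" hard to debug.
# The precedence below (shared key > service principal > managed identity) is
# an assumption for illustration, not lakeFS's documented order.

SP_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_SECRET")


def resolve_azure_auth(env, config):
    """Return {"mode", "storage_account", "client_id", "notes"} or raise ValueError."""
    blockstore = config.get("blockstore", {})
    azure = blockstore.get("azure", {})
    bs_type = env.get("LAKEFS_BLOCKSTORE_TYPE") or blockstore.get("type")
    if bs_type != "azure":
        raise ValueError(f"blockstore type is {bs_type!r}, expected 'azure'")

    # storage_account is required whichever credential path is taken
    account = (env.get("LAKEFS_BLOCKSTORE_AZURE_STORAGE_ACCOUNT")
               or azure.get("storage_account"))
    if not account:
        raise ValueError("blockstore.azure.storage_account is not set")

    result = {"storage_account": account, "client_id": None, "notes": []}

    # Second option from the thread: storage account key. A key bypasses RBAC,
    # so the identity's role assignment is irrelevant while the key is present.
    if azure.get("storage_access_key"):
        result["mode"] = "shared_key"
        result["notes"].append("access key present: RBAC role on the identity is not used")
        return result

    present = [v for v in SP_VARS if env.get(v)]
    if len(present) == 3:
        result["mode"] = "service_principal"
        result["client_id"] = env["AZURE_CLIENT_ID"]
        return result
    if present and present != ["AZURE_CLIENT_ID"]:
        # Tenant or secret without the full triple: neither SP nor MI will work.
        raise ValueError(f"partial service principal config: only {present} set")

    # Nothing but an optional AZURE_CLIENT_ID: managed identity. The client ID
    # picks one user-assigned identity when the pod has several.
    result["mode"] = "managed_identity"
    result["client_id"] = env.get("AZURE_CLIENT_ID")
    if not result["client_id"]:
        result["notes"].append("system-assigned (or single) identity will be used")
    return result


if __name__ == "__main__":
    # Constructed sample: AKS pod with two user-assigned identities, one selected
    print(resolve_azure_auth(
        {"LAKEFS_BLOCKSTORE_TYPE": "azure",
         "LAKEFS_BLOCKSTORE_AZURE_STORAGE_ACCOUNT": "examplestore",
         "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000"}, {}))
```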
Yeah, I don't believe the cluster is set up that way, since it's shared across multiple teams.
There are also ways to assign managed identities to specific pods.
Interesting! Thanks for the share
Sure! Please let me know if you managed to make it work for you!