fix: add mountWithWorkloadIdentityToken param

andyzhangx · andyzhangx · commit 154b0040c70c · 2025-05-06T13:55:20.000Z
diff --git a/docs/workload-identity-static-pv-mount.md b/docs/workload-identity-static-pv-mount.md
@@ -3,7 +3,7 @@
 
 ### Note
  - This feature is not supported for NFS mount since NFS mount does not need credentials.
- - This feature no longer retrieves storage account key using federated(workload) identity credentials starting from v1.25.4 or v1.26.1 and later versions, while it requires `Storage Blob Data Contributor` role on the account instead of `Storage Account Contributor` role.
+ - This feature would retrieve storage account key using federated identity credentials.
 
 ## Prerequisites
 ### 1. Create a cluster with oidc-issuer enabled and get the credential
@@ -33,7 +33,7 @@ export IDENTITY_TENANT=$(az aks show --name $CLUSTER_NAME --resource-group $RESO
 export ACCOUNT_SCOPE=$(az storage account show --name $ACCOUNT --query id -o tsv)
 
 # please retry if you meet `Cannot find user or service principal in graph database` error, it may take a while for the identity to propagate
-az role assignment create --role "Storage Blob Data Contributor" --assignee $USER_ASSIGNED_CLIENT_ID --scope $ACCOUNT_SCOPE
+az role assignment create --role "Storage Account Contributor" --assignee $USER_ASSIGNED_CLIENT_ID --scope $ACCOUNT_SCOPE
 ```
 
 ### 4. Create service account on AKS
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -100,6 +100,7 @@ const (
 	podNamespaceField              = "csi.storage.k8s.io/pod.namespace"
 	serviceAccountTokenField       = "csi.storage.k8s.io/serviceAccount.tokens"
 	clientIDField                  = "clientid"
+	mountWithWITokenField          = "mountwithworkloadidentitytoken"
 	tenantIDField                  = "tenantid"
 	mountOptionsField              = "mountoptions"
 	falseValue                     = "false"
@@ -490,6 +491,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		getAccountKeyFromSecret bool
 		getLatestAccountKey     bool
 		clientID                string
+		mountWithWIToken        bool
 		tenantID                string
 		serviceAccountToken     string
 	)
@@ -543,6 +545,10 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			}
 		case clientIDField:
 			clientID = v
+		case mountWithWITokenField:
+			if mountWithWIToken, err = strconv.ParseBool(v); err != nil {
+				return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("invalid %s: %s in volume context", mountWithWITokenField, v)
+			}
 		case tenantIDField:
 			tenantID = v
 		case strings.ToLower(serviceAccountTokenField):
@@ -574,20 +580,30 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 
 	// if client id is specified, we only use workload identity for blobfuse auth
 	if clientID != "" {
-		klog.V(2).Infof("clientID(%s) is specified, use workload identity for blobfuse auth", clientID)
+		if mountWithWIToken {
+			klog.V(2).Infof("clientID(%s) is specified, use workload identity for blobfuse auth", clientID)
 
-		workloadIdentityToken, err := parseServiceAccountToken(serviceAccountToken)
-		if err != nil {
-			return rgName, accountName, accountKey, containerName, authEnv, err
-		}
+			workloadIdentityToken, err := parseServiceAccountToken(serviceAccountToken)
+			if err != nil {
+				return rgName, accountName, accountKey, containerName, authEnv, err
+			}
 
-		authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
-		if tenantID != "" {
-			authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
-		}
-		authEnv = append(authEnv, "WORKLOAD_IDENTITY_TOKEN="+workloadIdentityToken)
+			authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
+			if tenantID != "" {
+				authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
+			}
+			authEnv = append(authEnv, "WORKLOAD_IDENTITY_TOKEN="+workloadIdentityToken)
 
-		return rgName, accountName, accountKey, containerName, authEnv, err
+			return rgName, accountName, accountKey, containerName, authEnv, err
+		} else {
+			klog.V(2).Infof("clientID(%s) is specified, use service account token to get account key", clientID)
+			if subsID == "" {
+				subsID = d.cloud.SubscriptionID
+			}
+			accountKey, err := d.cloud.GetStorageAccesskeyFromServiceAccountToken(ctx, subsID, accountName, rgName, clientID, tenantID, serviceAccountToken)
+			authEnv = append(authEnv, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
+			return rgName, accountName, accountKey, containerName, authEnv, err
+		}
 	}
 
 	// 1. If keyVaultURL is not nil, preferentially use the key stored in key vault.
diff --git a/pkg/blob/blob_test.go b/pkg/blob/blob_test.go
@@ -550,7 +550,23 @@ func TestGetAuthEnv(t *testing.T) {
 			name: "valid request",
 			testFunc: func(t *testing.T) {
 				d := NewFakeDriver()
-				attrib := make(map[string]string)
+				attrib := map[string]string{
+					subscriptionIDField:          "subID",
+					resourceGroupField:           "rg",
+					storageAccountField:          "accountname",
+					storageAccountNameField:      "accountname",
+					secretNameField:              "secretName",
+					secretNamespaceField:         "sNS",
+					containerNameField:           "containername",
+					mountWithWITokenField:        "false",
+					pvcNamespaceKey:              "pvcNSKey",
+					getAccountKeyFromSecretField: "false",
+					storageAuthTypeField:         "key",
+					msiEndpointField:             "msiEndpoint",
+					getLatestAccountKeyField:     "true",
+					tenantIDField:                "tenantID",
+					serviceAccountTokenField:     "serviceAccountToken",
+				}
 				secret := make(map[string]string)
 				volumeID := "rg#f5713de20cde511e8ba4900#pvc-fuse-dynamic-17e43f84-f474-11e8-acd0-000d3a00df41"
 				d.cloud = &storage.AccountRepo{}
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -189,6 +189,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case storageIdentityObjectIDField:
 		case storageIdentityResourceIDField:
 		case clientIDField:
+		case mountWithWITokenField:
 		case tenantIDField:
 		case msiEndpointField:
 		case storageAADEndpointField:
diff --git a/pkg/blob/controllerserver_test.go b/pkg/blob/controllerserver_test.go
@@ -440,6 +440,7 @@ func TestCreateVolume(t *testing.T) {
 				mp[storageAuthTypeField] = "msi"
 				mp[storageIdentityClientIDField] = "msi"
 				mp[clientIDField] = "clientID"
+				mp[mountWithWITokenField] = "true"
 				mp[tenantIDField] = "tenantID"
 				mp[storageIdentityObjectIDField] = "msi"
 				mp[storageIdentityResourceIDField] = "msi"
diff --git a/pkg/blob/nodeserver_test.go b/pkg/blob/nodeserver_test.go
@@ -249,6 +249,7 @@ func TestNodePublishVolume(t *testing.T) {
 				StagingTargetPath: sourceTest,
 				VolumeContext: map[string]string{
 					serviceAccountTokenField: `{"api://AzureADTokenExchange":{"token":"test-token","expirationTimestamp":"2023-01-01T00:00:00Z"}}`,
+					mountWithWITokenField:    "true",
 					clientIDField:            "client-id-value",
 				},
 			},
