Commit e7c1763

Revise prerequisites for workload identity static PV mount
Updated prerequisites and instructions for using workload identity with static PV mount, including changes to role assignments and environment variable exports.
1 parent 43feb4a commit e7c1763

1 file changed

+6
-5
lines changed

docs/workload-identity-static-pv-mount.md

Lines changed: 6 additions & 5 deletions
@@ -9,7 +9,7 @@
99
- grant `Storage Blob Data Contributor` role instead of `Storage Account Contributor` role to the managed identity
1010

1111
## Prerequisites
12-
### 1. Create a cluster with oidc-issuer enabled and get the credential
12+
### 1. Create a cluster with oidc-issuer enabled and get the AKS cluster credential
1313

1414
Refer to the [documentation](https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer#create-an-aks-cluster-with-oidc-issuer) for instructions on creating a new AKS cluster with the `--enable-oidc-issuer` parameter and get the AKS credentials. And export following environment variables:
1515
```console
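Review bot: the renamed heading now says "get the AKS cluster credential" while the unchanged sentence under it still says "get the AKS credentials"; pick one wording so the heading and body match. In the same context line, "And export following environment variables:" should read "and export the following environment variables:" (the same phrase recurs in step 2).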
@@ -19,14 +19,14 @@ export REGION=<your region>
1919
```
2020

2121
### 2. Bring your own storage account and storage container
22-
Refer to the [documentation](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-cli) for instructions on creating a new storage account and container, or alternatively, utilize your existing storage account and container. And export following environment variables:
22+
Refer to the [documentation](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-cli) for instructions on creating a new storage account and container, or alternatively, utilize your existing storage account and container. And export following environment variables:
2323
```console
2424
export STORAGE_RESOURCE_GROUP=<your storage account resource group>
2525
export ACCOUNT=<your storage account name>
26-
export CONTAINER=<your storage container name>
26+
export CONTAINER=<your storage container name> # optional
2727
```
2828

29-
### 3. Create or bring your own managed identity and role assignment
29+
### 3. Create or bring your own managed identity and grant role to the managed identity
3030
> you could leverage the default user assigned managed identity bound to the AKS agent node pool(with naming rule [`AKS Cluster Name-agentpool`](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#summary-of-managed-identities)) in node resource group
3131
```console
3232
export UAMI=<your managed identity name>
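Review bot: the blockquote under the renamed step 3 heading steers readers toward reusing the default `AKS Cluster Name-agentpool` identity from the node resource group; for a workload identity setup it is safer to present a dedicated user-assigned identity for the federated credential as the recommended path and the node pool identity only as a shortcut, since any storage role granted there is shared with the node pool rather than scoped to this workload. Two smaller points: `export CONTAINER=<your storage container name> # optional` says nothing about when the container can be omitted or what the mount does without it, so add a short sentence; and the `-`/`+` pair for the step 2 sentence reads identically on both sides, so check whether that is a whitespace-only change that can be dropped.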
@@ -46,7 +46,7 @@ az role assignment create --role "Storage Account Contributor" --assignee $USER_
4646
az role assignment create --role "Storage Account Contributor" --assignee $USER_ASSIGNED_CLIENT_ID --scope $ACCOUNT_SCOPE
4747
```
4848

49-
### 4. Create service account on AKS
49+
### 4. Create a service account on AKS
5050
```
5151
export SERVICE_ACCOUNT_NAME=<your sa name>
5252
export SERVICE_ACCOUNT_NAMESPACE=<your sa namespace>
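Review bot: the unchanged context line `az role assignment create --role "Storage Account Contributor" --assignee $USER_ASSIGNED_CLIENT_ID --scope $ACCOUNT_SCOPE` still grants `Storage Account Contributor`, which contradicts the line-9 context ("grant `Storage Blob Data Contributor` role instead of `Storage Account Contributor` role") and the commit message's mention of role assignment changes; the role in this command should be switched to `Storage Blob Data Contributor` so the managed identity gets data-plane access only. Also, the code fence opened after the step 4 heading has no language tag while the other blocks in this file use ```console; tag it the same way.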
@@ -71,6 +71,7 @@ az identity federated-credential create --name $FEDERATED_IDENTITY_NAME \
7171
--issuer $AKS_OIDC_ISSUER \
7272
--subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}
7373
```
74+
7475
## option#1: dynamic provisioning with storage class
7576
```yaml
7677
cat <<EOF | kubectl apply -f -
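Review bot: the block opened with ```yaml directly after the new blank line actually contains a shell pipeline (`cat <<EOF | kubectl apply -f -`) wrapping the manifest, so ```console (as used elsewhere in the file) or ```bash is the accurate tag. The heading `## option#1: dynamic provisioning with storage class` would also read better as "Option 1: ..." to match the numbered "### 1." style of the prerequisites above; the added blank line before it is fine.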

0 commit comments