diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
index f579f47e7..e1de75e18 100644
--- a/pkg/blob/blob.go
+++ b/pkg/blob/blob.go
@@ -84,6 +84,7 @@ const (
 	storageSPNClientIDField = "azurestoragespnclientid"
 	storageSPNTenantIDField = "azurestoragespntenantid"
 	storageAuthTypeField = "azurestorageauthtype"
+	storageAuthTypeMSI = "msi"
 	storageIdentityClientIDField = "azurestorageidentityclientid"
 	storageIdentityObjectIDField = "azurestorageidentityobjectid"
 	storageIdentityResourceIDField = "azurestorageidentityresourceid"
@@ -600,7 +601,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		if spnTenantID != "" {
 			storageSPNTenantID = spnTenantID
 		}
-		if err != nil && strings.EqualFold(azureStorageAuthType, "msi") {
+		if err != nil && strings.EqualFold(azureStorageAuthType, storageAuthTypeMSI) {
 			klog.V(2).Infof("ignore error(%v) since secret is optional for auth type(%s)", err, azureStorageAuthType)
 			err = nil
 		}
@@ -673,6 +674,23 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+storageSPNTenantID)
 	}
+	if azureStorageAuthType == storageAuthTypeMSI {
+		// check whether authEnv contains AZURE_STORAGE_IDENTITY_ prefix
+		containsIdentityEnv := false
+		for _, env := range authEnv {
+			if strings.HasPrefix(env, "AZURE_STORAGE_IDENTITY_") {
+				klog.V(2).Infof("AZURE_STORAGE_IDENTITY_ is already set in authEnv, skip setting it again")
+				containsIdentityEnv = true
+				break
+			}
+		}
+		if !containsIdentityEnv && d.cloud != nil && d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID != "" {
+			klog.V(2).Infof("azureStorageAuthType is set to %s, add AZURE_STORAGE_IDENTITY_CLIENT_ID(%s) into authEnv", azureStorageAuthType, d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID)
+			authEnv = append(authEnv, "AZURE_STORAGE_IDENTITY_CLIENT_ID="+d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID)
+		}
+	}
 	return rgName, accountName, accountKey, containerName, authEnv, err
 }
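Review bot: The new guard `if azureStorageAuthType == storageAuthTypeMSI {` compares case-sensitively, whereas the earlier check in the same function (rewritten in this commit) uses `strings.EqualFold(azureStorageAuthType, storageAuthTypeMSI)` to accept `MSI`/`Msi`; a volume that spells the auth type in upper case would therefore have its missing-secret error swallowed by that earlier check yet never receive the fallback client ID here, leaving blobfuse to attempt MSI auth with no identity selected. Change the guard to `if strings.EqualFold(azureStorageAuthType, storageAuthTypeMSI) {` so the two branches agree. The fallback `append` also deserves a comment stating that, when the volume supplies no `AZURE_STORAGE_IDENTITY_*` value, the mount is silently switched to the driver's own user-assigned identity from cloud config, so that identity's storage permissions become the mount's permissions — an operator scoping that identity should know this path exists. GetAuthEnv begins before this hunk, so the earlier EqualFold check is outside it.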