Reputation: 11
I'm facing an issue with mounting an Azure File Share in a Kubernetes cluster using User-Assigned Managed Identity (UAMI). Although I already have the Azure File CSI driver installed and it is running correctly, I keep encountering the error:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 45s default-scheduler Successfully assigned default/mypod to aks-agentpool-xxxx
Warning FailedMount 14s (x7 over 46s) kubelet MountVolume.SetUp failed for volume "azure" : rpc error: code = InvalidArgument desc = failed to get account name from csi-xxx
Here's what I've tried so far:
Verified UAMI Permissions: UAMI has "Storage Account Contributor" role on the Azure storage account.
Checked AzureIdentity and AzureIdentityBinding in Kubernetes: Ensured that these resources are correctly configured. The AzureIdentity has the correct clientID and resourceID, and the AzureIdentityBinding's selector matches the aadpodidbinding label in my pod.
Pod Configuration: My pod has the correct aadpodidbinding label. The pod.yaml is configured to use the SMB protocol.
CSI Driver Logs: I am unable to retrieve logs from the Azure File CSI driver pods. Running kubectl logs -l app=csi-azurefile -n kube-system returns "No resources found in kube-system namespace," even though the pods are present and running.
Pod Events: Reviewed events for the pod but didn't find specific clues pointing to the root cause of the issue.
I think the issue might be related to UAMI authentication or Azure File CSI driver configuration but am unable to pinpoint the exact cause. The fact that I can't access the CSI driver logs is also puzzling.
Any insights or suggestions on how to resolve this or further diagnose the issue would be greatly appreciated.
Upvotes: 1
Views: 730
Reputation: 3731
To mount an Azure File Share on a Kubernetes cluster using a User-Assigned Managed Identity, you should start by creating an AKS cluster with a user-assigned managed identity.
This can be achieved using the following Azure CLI command:
az aks create -g <YourResourceGroup> -n <YourManagedClusterName> --enable-managed-identity
You can verify the same using
az identity show --ids <YourIdentityResourceId>
or from the portal.
Next comes the Azure file share mounting part.
Go to your cluster and determine your cluster's node resource group name by using the az aks show command with the --query nodeResourceGroup parameter.
az aks show --resource-group YourResourceGroup --name YourManagedAKSClusterName --query nodeResourceGroup -o tsv
Output:
Next, create a storage account:
az storage account create -n <YourAKSStorageAccountName> -g <YournodeResourceGroupName> -l <yourchoiceOflocation> --sku Standard_LRS
Following this, declare the storage account connection string as an environment variable for future use in file share creation:
export AZURE_STORAGE_CONNECTION_STRING=$(az storage account show-connection-string -n storageAccountName -g resourceGroupName -o tsv)
Proceed to create the file share, replacing shareName with your chosen name:
az storage share create -n shareName --connection-string $AZURE_STORAGE_CONNECTION_STRING
Output
Export the storage account key:
STORAGE_KEY=$(az storage account keys list --resource-group nodeResourceGroupName --account-name <youraksstorageaccountname> --query "[0].value" -o tsv)
Use these credentials to create a Kubernetes secret. You will need these values when creating the Kubernetes volume.
kubectl create secret generic azure-secret --from-literal=azurestorageaccountname=<youraksstorageaccountname> --from-literal=azurestorageaccountkey=$STORAGE_KEY
output
Mount the file share as a persistent volume; the default value for fileMode and dirMode is 0777.
Next, set up the persistent volume and claim by applying the configuration accordingly.
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: file.csi.azure.com
  name: azurefile
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: azurefile-csi
  csi:
    driver: file.csi.azure.com
    volumeHandle: unique-volumeid  # make sure this volumeid is unique for every identical share in the cluster
    volumeAttributes:
      resourceGroup: resourceGroupName  # optional, only set this when the storage account is not in the same resource group as the node
      shareName: aksshare
    nodeStageSecretRef:
      name: azure-secret
      namespace: default
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
    - uid=0
    - gid=0
    - mfsymlinks
    - cache=strict
    - nosharesock
    - nobrl
kubectl create -f azurefiles-pv.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azurefile
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: azurefile-csi
  volumeName: azurefile
  resources:
    requests:
      storage: 5Gi
kubectl apply -f azurefiles-mount-options-pvc.yaml
Confirm the creation and binding of the PVC:
kubectl get pvc azurefile
output
Update your container specifications to integrate the PVC.
Reference Document: Ms Doc Ms Doc Mount File share guide Similar thread
Upvotes: 1
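The answer's procedure hinges on the static PV finding a secret that carries the storage account name and key under the data keys the Azure File CSI driver reads (azurestorageaccountname and azurestorageaccountkey), which is exactly what the "failed to get account name" mount error in the question complains about. The script below is an added example, not code from the question, the answer, or the driver project: an offline pre-flight check in POSIX sh (sed, grep, base64 only) that validates a Secret manifest and confirms the PV's nodeStageSecretRef points at it before anything is applied to the cluster. The manifests and the key value in it are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original answer: validate the
# azure-secret and PV manifests offline before `kubectl apply`, so the
# Azure File CSI driver can find the account name it reads from the secret
# (the "failed to get account name" condition in the question).
# All manifests below are constructed samples; the key is a dummy value.

KEY_B64=$(printf '%s' 'constructed-demo-key-not-real' | base64 | tr -d '\n')

# Constructed Secret shaped like the output of
# `kubectl create secret generic azure-secret --from-literal=...`.
SAMPLE_SECRET="apiVersion: v1
kind: Secret
metadata:
  name: azure-secret
  namespace: default
type: Opaque
data:
  azurestorageaccountname: bXlha3NzdG9yYWdl
  azurestorageaccountkey: $KEY_B64
"

# Constructed broken Secret: the account-name key is missing, which is the
# misconfiguration that produces the mount error in the question.
BROKEN_SECRET="apiVersion: v1
kind: Secret
metadata:
  name: azure-secret
  namespace: default
type: Opaque
data:
  azurestorageaccountkey: $KEY_B64
"

# Constructed PV fragment carrying the nodeStageSecretRef from the answer.
SAMPLE_PV="apiVersion: v1
kind: PersistentVolume
metadata:
  name: azurefile
spec:
  csi:
    driver: file.csi.azure.com
    volumeHandle: unique-volumeid
    volumeAttributes:
      shareName: aksshare
    nodeStageSecretRef:
      name: azure-secret
      namespace: default
"

# Print the base64 value stored under data.<key>, or nothing if absent.
secret_data_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Print metadata.name (the two-space-indented name directly under metadata).
manifest_name() {
  printf '%s\n' "$1" | sed -n 's/^  name:[[:space:]]*//p' | head -n 1
}

# Print the secret name a PV's nodeStageSecretRef points to.
pv_secret_ref_name() {
  printf '%s\n' "$1" | sed -n '/nodeStageSecretRef:/,$ s/^[[:space:]]*name:[[:space:]]*//p' | head -n 1
}

# Succeed only if both keys the driver expects are present and the account
# name decodes to a valid storage account name (3-24 lowercase letters/digits).
check_azurefile_secret() {
  name_b64=$(secret_data_value "$1" azurestorageaccountname)
  key_b64=$(secret_data_value "$1" azurestorageaccountkey)
  [ -n "$name_b64" ] || { echo "secret lacks azurestorageaccountname" >&2; return 1; }
  [ -n "$key_b64" ] || { echo "secret lacks azurestorageaccountkey" >&2; return 1; }
  name=$(printf '%s' "$name_b64" | base64 -d 2>/dev/null) ||
    { echo "azurestorageaccountname is not valid base64" >&2; return 1; }
  printf '%s' "$name" | grep -Eq '^[a-z0-9]{3,24}$' ||
    { echo "invalid storage account name: $name" >&2; return 1; }
  return 0
}

# Combined check: the secret is well-formed and the PV references it by name.
# Prints "ok" on success, "fail" otherwise.
preflight() {
  check_azurefile_secret "$1" || { echo "fail"; return 1; }
  [ "$(pv_secret_ref_name "$2")" = "$(manifest_name "$1")" ] ||
    { echo "PV nodeStageSecretRef does not match the secret name" >&2; echo "fail"; return 1; }
  echo "ok"
}

# Stand-alone run: the good pair passes, the broken secret is rejected.
preflight "$SAMPLE_SECRET" "$SAMPLE_PV"
preflight "$BROKEN_SECRET" "$SAMPLE_PV" || true
```

Run it against the YAML you are about to apply (for example, the output of the kubectl create secret command with --dry-run=client -o yaml) and fix anything it rejects before creating the PV; the secret and the PV must also live in the namespace the nodeStageSecretRef names, which this check does not verify against a live cluster.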