
[Feedback] Azure Container Storage is asking for permission over the whole subscription

JoeyC-Dev opened this issue 1 year ago • 4 comments

Describe your scenario

When trying to create the StoragePool while following the tutorial, I received the error message below:

Azure Elastic SAN creation failed: The client '00000000-0000-0000-0000-000000000000' with object id '00000000-0000-0000-0000-000000000000' does not have authorization to perform action 'Microsoft.ElasticSan/register/action' over scope '/subscriptions/00000000-0000-0000-0000-000000000000' or the scope is invalid. If access was recently granted, please refresh your credentials.

This is surely asking me to assign a role to the identity at subscription level, instead of at resource group level.

Feedback

Isn't this scope of role assignment too large? This raises a security concern.

JoeyC-Dev, Feb 11 '25 09:02

"This issue has been automatically marked as stale because it has not had any activity for 14 days. It will be closed if no further activity occurs within 7 days of this comment."

JoeyC-Dev, Mar 20 '25 10:03

Hi @JoeyC-Dev, could you please share the command you are running to install Azure Container Storage?

mukhoakash, Mar 21 '25 06:03

@mukhoakash

```bash
# Add a user node pool labelled for the Azure Container Storage IO engine
az aks nodepool add --cluster-name ${aks} -g ${rG} -n userpool \
    --mode User --labels "acstor.azure.com/io-engine=acstor" \
    --node-count 3 -o none \
    --node-vm-size Standard_A4_v2

# Enable Azure Container Storage with the Elastic SAN backend
az aks update -n ${aks} -g ${rG} -o none \
    --enable-azure-container-storage elasticSan

# Create the Elastic SAN storage pool
cat <<EOF | kubectl apply -f -
apiVersion: containerstorage.azure.com/v1
kind: StoragePool
metadata:
  name: managed
  namespace: acstor
spec:
  poolType:
    elasticSan: {}
  resources:
    requests: {"storage": 1Ti}
EOF

kubectl describe sp managed -n acstor
```

Output:

(screenshot of the `kubectl describe` output attached in the original issue)

Note: This is a brand new AKS.

JoeyC-Dev, Mar 21 '25 09:03

Hello, I have the same issue, even after assigning the "Azure Container Storage Owner" role to the AKS cluster's identity. From what I can see, the permission "Microsoft.ElasticSan/register/action" is not in the list of allowed permissions in that role.

masterphenix, Mar 25 '25 15:03

@masterphenix and @JoeyC-Dev, looping back to ensure that you have assigned yourselves the "Azure Container Storage Owner" or "Azure Container Storage Operator" role over the subscription?

mukhoakash, Mar 31 '25 15:03

Hi @mukhoakash, please check my title and description.

The question I am asking is: why is it requesting permission over the whole subscription? For what design purpose? Granting permission over the entire subscription is a large scope. There is a security concern here. A very legitimate reason is needed to convince me. I don't want to grant this large scope of permission purely for convenience.

I am not asking how-to grant permission itself.

JoeyC-Dev, Mar 31 '25 16:03

> @masterphenix and @JoeyC-Dev, looping back to ensure that you have assigned yourselves the "Azure Container Storage Owner" or "Azure Container Storage Operator" role over the subscription?

Hello, on my side, yes I did

masterphenix, Apr 01 '25 07:04

> Hello, I have the same issue, even after assigning the "Azure Container Storage Owner" role to the AKS cluster's identity. From what I can see, the permission "Microsoft.ElasticSan/register/action" is not in the list of allowed permissions in that role.

Hi @masterphenix, could you please try the following and let me know if it works? Try assigning "Azure Container Storage Owner" or "Azure Container Storage Contributor" to yourself (the user installing Azure Container Storage, not the managed identity of the cluster) over the subscription, and then run the command mentioned in the tutorial. Please let me know if that resolves your issue. Thanks!

mukhoakash, Apr 03 '25 08:04

Hello, it's done already. The owner role is assigned to a Microsoft Entra group, of which I am a member.

masterphenix, Apr 07 '25 06:04

Hi @masterphenix, thanks for reaching out. Sorry to hear you're experiencing issues in deploying Elastic SAN with Azure Container Storage. Could you share the following information, so we can take a look at the logs on our end to see what could be going on?

- Subscription ID
- AKS cluster name
- Estimated time frame when the issues occurred

Please do not share here, instead email to [email protected].

Thanks! Saurabh

saurabh0501, Apr 09 '25 14:04

Hello @JoeyC-Dev and @masterphenix, with respect to the scope of the permissions: Azure Container Storage may need to work with multiple resource groups within the subscription. For this reason, the admin running the Azure Container Storage operation needs the "Azure Container Storage Contributor" or "Azure Container Storage Owner" role assigned to them over the subscription.

For further discussion, please reach out to [email protected].

mukhoakash, Apr 15 '25 17:04
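As an added example (not code from this thread, from Azure Container Storage, or from Microsoft), the following Python models the two checks Azure RBAC applies that this thread keeps running into: does some assignment to the principal sit at, or above, the scope of the request, and does that assignment's role match the action in its Actions without being cancelled by its NotActions. The role definitions, principal and subscription identifiers are constructed stand-ins, not the real "Azure Container Storage Owner" or "Contributor" roles, and `check` is this example's own helper. What the model makes concrete about the error in the issue: `Microsoft.ElasticSan/register/action` is a resource-provider registration, which Azure evaluates at subscription scope, so an assignment scoped to a resource group can never satisfy it no matter how broad the role is, while a subscription-scoped assignment of a role whose action list omits `register/action` fails on the other check.

```python
"""Model of Azure RBAC authorization: a principal may perform an action at a
scope if some role assignment to it (a) sits at that scope or an ancestor of
it, and (b) names a role whose Actions match the action and whose NotActions
do not. Constructed example; the roles below are stand-ins, not built-in roles."""
import re


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings use '*' as the only wildcard and it spans '/' separators
    ('Microsoft.ElasticSan/*' covers 'Microsoft.ElasticSan/register/action').
    Comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """Effective permission of a role definition: union of Actions minus union of NotActions."""
    allowed = [a for p in role["permissions"] for a in p.get("actions", [])]
    denied = [a for p in role["permissions"] for a in p.get("notActions", [])]
    return any(action_matches(a, action) for a in allowed) and not any(
        action_matches(d, action) for d in denied
    )


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and every scope beneath it
    (management group > subscription > resource group > resource), never above."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def check(assignments, roles, principal_id, action, scope):
    """Return (authorized, reason). The reason says which check failed, which is
    what separates 'role lacks the action' from 'role assigned at too narrow a scope'."""
    saw_in_scope = False
    for asg in assignments:
        if asg["principalId"].lower() != principal_id.lower():
            continue
        if not scope_covers(asg["scope"], scope):
            continue
        saw_in_scope = True
        if role_allows(roles[asg["roleDefinitionName"]], action):
            return True, f"allowed by '{asg['roleDefinitionName']}' assigned at {asg['scope']}"
    if saw_in_scope:
        return False, "assignment covers the scope but its role does not grant the action"
    return False, "no assignment to this principal at or above the requested scope"


# Constructed sample data (placeholder identifiers, not real ones).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-aks"
SAN = RG + "/providers/Microsoft.ElasticSan/elasticSans/san1"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
REGISTER = "Microsoft.ElasticSan/register/action"

ROLES = {
    # Stand-in role: broad over the provider, but with delete carved out.
    "Example SAN Role": {"permissions": [{
        "actions": ["Microsoft.ElasticSan/*", "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": ["Microsoft.ElasticSan/*/delete"],
    }]},
    # Stand-in role that lists resource operations explicitly and so omits register/action.
    "Example Narrow Role": {"permissions": [{
        "actions": ["Microsoft.ElasticSan/elasticSans/read", "Microsoft.ElasticSan/elasticSans/write"],
        "notActions": [],
    }]},
}


def scenarios():
    """Run the cases from the thread and return their outcomes."""
    rg_only = [{"principalId": PRINCIPAL, "scope": RG, "roleDefinitionName": "Example SAN Role"}]
    sub_wide = [{"principalId": PRINCIPAL, "scope": SUB, "roleDefinitionName": "Example SAN Role"}]
    sub_narrow = [{"principalId": PRINCIPAL, "scope": SUB, "roleDefinitionName": "Example Narrow Role"}]
    return {
        # Provider registration is evaluated at subscription scope, so an RG-scoped
        # assignment cannot satisfy it however broad the role is.
        "rg_scoped_register": check(rg_only, ROLES, PRINCIPAL, REGISTER, SUB),
        "sub_scoped_register": check(sub_wide, ROLES, PRINCIPAL, REGISTER, SUB),
        # Subscription scope, but the role's action list lacks register/action.
        "sub_scoped_narrow_role": check(sub_narrow, ROLES, PRINCIPAL, REGISTER, SUB),
        # RG-scoped assignment is enough for resource operations inside that RG.
        "rg_scoped_write": check(rg_only, ROLES, PRINCIPAL, "Microsoft.ElasticSan/elasticSans/write", SAN),
        # NotActions subtract from the wildcard.
        "rg_scoped_delete": check(rg_only, ROLES, PRINCIPAL, "Microsoft.ElasticSan/elasticSans/delete", SAN),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Against a live subscription the same inputs come from `az role definition list --name "<role name>"` (the `permissions` blocks) and `az role assignment list --assignee <objectId> --all` (the scopes and role names); feeding those into `check` tells you which of the two checks is failing before you widen a scope.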

Thanks for reaching out. I'm closing this issue as it was marked with "Answer Provided" and it hasn't had activity for 2 days.