Replies: 6 comments 1 reply
- There is no integration with Key Vault as such. Even if you store them in Key Vault, you need some auth mechanism for Key Vault itself, and the problem still remains the same. If you do not wish to store them in the config file, there is an option to supply them through environment variables. If you do not wish to take that path as well, there is a blobfuse command which can help you encrypt your config file using a passphrase. After this, you can keep supplying the passphrase and the encrypted file to blobfuse. At runtime, blobfuse will decrypt the file and load the config, leaving no trace of your credentials on disk, the CLI or env variables.
- You need to send that passphrase as input to the blobfuse mount command.
- Some way or the other, you need to send some info to blobfuse to authenticate. The only other option is to use a user-assigned identity. If you are using an Azure VM, you can assign an identity to your VM and give the "blob data contributor" role to that identity in your storage account. With this, any request going from your VM will be auto-authenticated for your storage account, and there is no need to provide any auth config in blobfuse anywhere.
- Closing this as workarounds have been suggested. Feel free to reopen if you have further queries in this regard.
- I still find it weird and odd that a Microsoft product doesn't support its own products for secrets management and instructs customers to implement workarounds. How hard can it be to add support for Key Vault? Or do I need to open a feature request issue so that it gets the proper attention from a product manager? @vibhansa-msft
- We do support SPN- and MSI-based (OAuth) authentication, where you do not need to supply any credentials. If you wish to supply a key or SAS, there is no way to hide it from user inputs (through the CLI, config or env variables). We do not have the bandwidth right now to investigate a Key Vault related feature, but my question still remains the same: to access Key Vault you will still need to provide some credentials, and again we go back into the same loop of how to hide it. The best practice here will be to use SPN- or MSI-based authentication, or, if you are using an Azure VM, assign an identity to the VM itself and have the blob data contributor role assigned to it at the storage account level.
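As an added illustration of the two setups contrasted in this thread (not taken from the discussion or from the blobfuse2 project's own files): a key-based config that leaves the account key at rest on disk, beside an MSI-based config for an Azure VM with a user-assigned identity. Key names follow blobfuse2's YAML config format as I understand it, and the account, container and identity values are placeholders; check both against the project's sample config before use.

```yaml
# Variant A: shared key stored in the config file (the risk raised in the question).
# Anyone who can read this file can read the account key, so the file itself
# becomes the secret; the passphrase-encrypted config the maintainer mentions
# exists to avoid exactly this.
azstorage:
  type: block
  account-name: <storage-account-name>     # placeholder
  container: <container-name>              # placeholder
  mode: key
  account-key: <base64-account-key>        # placeholder; secret at rest on disk
---
# Variant B: user-assigned managed identity on the VM (no secret on disk).
# Prerequisite: the identity holds "Storage Blob Data Contributor" on the
# storage account; the token is obtained from the VM's identity endpoint.
azstorage:
  type: block
  account-name: <storage-account-name>     # placeholder
  container: <container-name>              # placeholder
  mode: msi
  appid: <client-id-of-user-assigned-identity>  # placeholder; an identifier, not a secret
```

With variant B, access is granted by the RBAC role assignment rather than by anything in the file, so revoking or rotating access is done in Azure RBAC without touching the mount configuration.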
- This is both a question and an idea: the secrets in blobfuse2 are directly stored in a configuration file, which in my opinion is a security risk.
  Is there an option to store those in a Key Vault and reference them in the config file?