Microsoft Azure

This page describes the available authentication methods when using Microsoft Azure.

For Microsoft Azure, the following authentication methods are available:

• Shared Access Signature (SAS) Token
• IAM Service Account

Once your preferred authentication method has been configured, follow the instructions to use it in your Backup or Restore resource.

Azure Container Token Credentials

Azure Container Token Credentials are defined in the .spec.azureContainerToken field of the Credentials resource.

It can be used in combination with the following resources:

• Azure Blob Storage

Shared Access Signature (SAS) Token

SAS Tokens may be used for accessing Azure Containers. The token must be set in a Secret which is then referenced by the Credentials resource.

Caution

The token must be generated with the create, read, and write permissions.

apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: azure-container-token
spec:
  azureContainerToken:
    description: "Azure Container SAS Token"  # Optional description
    sasTokenFrom:
      secretKeyRef:
        name: azure-container-sas-token       # Reference to the secret containing the SAS token
        key: secretSasToken                   # Key in the secret containing the SAS token

And here is the corresponding secret:

apiVersion: v1
kind: Secret
type: Opaque
data:
  secretSasToken: |
    <SAS Token base64-encoded>
metadata:
  name: azure-container-sas-token

IAM Service Account Authentication

A Kubernetes ServiceAccount (SA) can be attached to provide a specific identity to the processes running within the pods.

This configuration is primarily used to enable Workload Identity, where the Kubernetes ServiceAccount is mapped to a cloud provider IAM role. This mechanism allows pods to securely access external systems, such as cloud storage, without the need for managing static secrets or credentials.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  annotations:
    azure.workload.identity/client-id: your-azure-client-id

Then on the Armory resource, configure the service account.

Backup

apiVersion: io.kannika/v1alpha
kind: Backup
metadata:
  name: backup
  labels:
    azure.workload.identity/use: "true"
  annotations:
    io.kannika/propagate-labels: "azure.workload.identity/use"
spec:
  source: "kafka"
  sink: "storage"
  serviceAccountName: "my-service-account"
  # Alternatively, propagate labels via spec.labels
  labels:
    azure.workload.identity/use: "true"

Restore

apiVersion: io.kannika/v1alpha
kind: Restore
metadata:
  name: restore
  labels:
    azure.workload.identity/use: "true"
  annotations:
    io.kannika/propagate-labels: "azure.workload.identity/use"
spec:
  source: "storage"
  sink: "kafka"
  serviceAccountName: "my-service-account"
  # Alternatively, propagate labels via spec.labels
  labels:
    azure.workload.identity/use: "true"

SchemaRegistryBackup

apiVersion: io.kannika/v1alpha
kind: SchemaRegistryBackup
metadata:
  name: backup
  labels:
    azure.workload.identity/use: "true"
  annotations:
    io.kannika/propagate-labels: "azure.workload.identity/use"
spec:
  storage: "storage"
  registry: "schema-registry"
  serviceAccountName: "my-service-account"
  # Alternatively, propagate labels via spec.labels
  labels:
    azure.workload.identity/use: "true"

SchemaRegistryRestore

apiVersion: io.kannika/v1alpha
kind: SchemaRegistryRestore
metadata:
  name: restore
  labels:
    azure.workload.identity/use: "true"
  annotations:
    io.kannika/propagate-labels: "azure.workload.identity/use"
spec:
  storage: "storage"
  registry: "schema-registry"
  serviceAccountName: "my-service-account"
  # Alternatively, propagate labels via spec.labels
  labels:
    azure.workload.identity/use: "true"

Note

Workload Identity support is currently limited to Storage integrations. Armory does not support workload identity for Kafka at this time. Native authentication methods must be used instead, as detailed in the Kafka Authentication section.