What happened:
PVC restore from VolumeSnapshot fails with AuthorizationFailure error on AKS cluster using Azure File NFS storage. The CSI driver attempts to use AzCopy with Azure AD authentication to copy data from the source file share to the new file share, but receives a 403 error:
failed to perform copy command due to error: cannot start job due to error GET https://f249d08b24bc74164aa9d5f.file.core.windows.net/pvcn-4a2ca71e-49f7-4cd6-abac-772ed8cd2ea5/
RESPONSE 403: 403 This request is not authorized to perform this operation.
ERROR CODE: AuthorizationFailure
What you expected to happen:
The PVC should be successfully restored from the VolumeSnapshot.
How to reproduce it:
- Create an AKS cluster from Azure Portal
- Create a StorageClass with NFS protocol:
  ```yaml
  apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    name: azurefile-csi-nfs
  parameters:
    protocol: nfs
    skuName: Premium_LRS
    matchTags: "true"
    tags: storageClassName=azurefile-nfs-csi
  provisioner: file.csi.azure.com
  ```
- Create a PVC and VolumeSnapshot
- Attempt to restore PVC from VolumeSnapshot
Anything else we need to know?:
- Storage Account configuration:
  - allowSharedKeyAccess: true
  - networkRuleSet.defaultAction: Deny
  - VNet rules configured for AKS subnet
WA attempted:
- So I tried to update the Storage Account network configuration as "--default-action Allow" as WA and it works.
- I'm not sure why "Allow trusted Microsoft services to access this resource" doesn't work
- Specifying resource instances like Microsoft.ApiManagement/service doesn't work either
Environment:
- CSI Driver version: v1.33.5
- Kubernetes version (use kubectl version): v1.33.5
- OS (e.g. from /etc/os-release):
- Kernel (e.g. uname -a):
- Install tools:
- Others:
Besides setting networkRuleSet.defaultAction: Allow, are there any other recommended ways to make it work? Or can we do something from the driver side? Thanks.
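
The "Create a PVC and VolumeSnapshot" and "Attempt to restore PVC from VolumeSnapshot" steps above, written out as manifests for anyone reproducing the report. This is an added example, not the reporter's own manifests: the object names, the VolumeSnapshotClass and the 100Gi size are hypothetical, and only the StorageClass name and the `file.csi.azure.com` driver come from the issue.

```yaml
# Added example: names and sizes are hypothetical placeholders.
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: azurefile-nfs-snapclass        # hypothetical name
driver: file.csi.azure.com             # provisioner from the StorageClass in the report
deletionPolicy: Delete
---
# Source volume on the NFS StorageClass from the report.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-source-pvc                 # hypothetical name
spec:
  accessModes: [ReadWriteMany]
  storageClassName: azurefile-csi-nfs
  resources:
    requests:
      storage: 100Gi                   # hypothetical size
---
# Snapshot of the source PVC.
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: nfs-source-snap                # hypothetical name
spec:
  volumeSnapshotClassName: azurefile-nfs-snapclass
  source:
    persistentVolumeClaimName: nfs-source-pvc
---
# Restore: a new PVC whose dataSource is the snapshot. Provisioning this
# claim is the step at which the report sees the 403 AuthorizationFailure.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-restored-pvc               # hypothetical name
spec:
  accessModes: [ReadWriteMany]
  storageClassName: azurefile-csi-nfs
  dataSource:
    name: nfs-source-snap
    kind: VolumeSnapshot
    apiGroup: snapshot.storage.k8s.io
  resources:
    requests:
      storage: 100Gi
```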