Azure Blob Upload Test with Pod Identity

This project contains a Python application that tests uploading files to Azure Storage using Kubernetes pod identity (Azure Workload Identity). The application demonstrates secure, production-ready practices for Azure integration.

Features

• Secure Authentication: Uses Azure Workload Identity (pod identity) for authentication
• Retry Logic: Implements exponential backoff for transient failures
• Comprehensive Testing: Creates, uploads, downloads, and verifies test files
• Production Ready: Includes proper error handling, logging, and security practices
• Containerized: Docker container with security best practices
• Kubernetes Ready: Complete K8s manifests with RBAC and security contexts

Architecture

┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   Kubernetes    │    │   Azure AD       │    │  Azure Storage  │
│   Pod           │───▶│   Workload       │───▶│   Account       │
│                 │    │   Identity       │    │                 │
└─────────────────┘    └──────────────────┘    └─────────────────┘

Prerequisites

• Azure CLI installed and configured
• kubectl installed
• Docker installed
• AKS cluster with OIDC issuer enabled
• Azure Storage account

Quick Start

1. Setup Azure Resources

Edit the configuration variables in setup-workload-identity.sh:

RESOURCE_GROUP="your-resource-group"
STORAGE_ACCOUNT="yourstorageaccount"
AKS_CLUSTER_NAME="your-aks-cluster"

Run the setup script:

./setup-workload-identity.sh

This script will:

• Create a managed identity
• Assign Storage Blob Data Contributor role
• Create federated identity credential
• Update Kubernetes manifests with the correct values

2. Build and Deploy

Build the Docker image:

docker build -t blob-rbac:latest .

If using kind or minikube, load the image:

# For kind
kind load docker-image blob-rbac:latest

# For minikube
minikube image load blob-rbac:latest

Deploy to Kubernetes:

kubectl apply -f k8s/deployment.yaml

3. Monitor the Test

Check job status:

kubectl get jobs -n blob-rbac

View logs:

kubectl logs -n blob-rbac job/blob-upload-test-job

Configuration

The application uses environment variables for configuration:

• AZURE_STORAGE_ACCOUNT_NAME: Name of the Azure Storage account (required)
• AZURE_STORAGE_CONTAINER_NAME: Container name (defaults to "upload-test")
• AZURE_CLIENT_ID: Managed identity client ID (set automatically by Workload Identity)

Security Features

Application Security

• Uses DefaultAzureCredential for secure authentication
• No hardcoded credentials
• Proper error handling and logging
• Resource cleanup after operations

Container Security

• Non-root user execution
• Minimal base image (Python slim)
• Health checks included
• No unnecessary privileges

Kubernetes Security

• Non-root security context
• Resource limits and requests
• Capability dropping
• Read-only root filesystem where possible
• Service account with minimal permissions

Testing Features

The application performs comprehensive testing:

1. Authentication Test: Verifies pod identity authentication
2. File Creation: Creates a test file with metadata
3. Upload Test: Uploads file with retry logic and exponential backoff
4. Verification: Downloads and verifies uploaded content
5. Cleanup: Removes temporary files

Troubleshooting

Common Issues

1. Authentication Errors

   • Verify AKS cluster has OIDC issuer enabled
   • Check federated identity credential configuration
   • Ensure managed identity has proper role assignments

2. Permission Errors

   • Verify Storage Blob Data Contributor role assignment
   • Check storage account and container exist
   • Ensure managed identity client ID is correct

3. Pod Issues

   • Check pod has the correct service account
   • Verify workload identity labels are present
   • Review pod logs for detailed error messages

Debug Commands

# Check workload identity annotation
kubectl describe sa blob-upload-sa -n blob-rbac

# Check pod labels
kubectl get pods -n blob-rbac --show-labels

# View detailed pod description
kubectl describe pod -n blob-rbac -l app=blob-upload-test-job

# Check events
kubectl get events -n blob-rbac --sort-by='.lastTimestamp'

Development

Local Testing

You can test the application locally using managed identity or service principal:

export AZURE_STORAGE_ACCOUNT_NAME="yourstorageaccount"
export AZURE_STORAGE_CONTAINER_NAME="upload-test"

# Install dependencies
pip install -r requirements.txt

# Run locally (requires Azure CLI login or managed identity)
python app.py

Running as Different Workloads

The project includes both Deployment and Job configurations:

• Job: One-time test execution (recommended for testing)
• Deployment: Continuous running application

Best Practices Implemented

• Authentication: Uses managed identity instead of connection strings
• Error Handling: Comprehensive exception handling with specific error types
• Retry Logic: Exponential backoff for transient failures
• Logging: Structured logging with appropriate levels
• Security: Principle of least privilege throughout
• Monitoring: Health checks and resource monitoring
• Performance: Async operations for better performance

Contributing

When contributing, ensure:

• Follow existing code style and patterns
• Add appropriate error handling
• Include security considerations
• Update documentation as needed
• Test both locally and in Kubernetes

License

This project is provided as an example for educational purposes.