CycleCloud unable to access storage locker after disabling "Allow storage account key access"

Devin Payne 10 Reputation points Microsoft Employee
2024-05-21T23:46:01.07+00:00

We have several CycleCloud/Slurm clusters running in Azure using Managed Identity. A recent security initiative has required us to disable the "Allow storage account key access" storage account configuration. After doing so, CycleCloud is unable to read from the storage locker/container. We receive a Http Status 403 in the cycle_server.log. I suspect cycle server requires us to have this configuration enabled.

Is it possible to use CycleCloud with a storage account that has "Allow storage account key access" disabled?

CycleCloud Version: 8.6.1-3248

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,296 questions
Azure CycleCloud
Azure CycleCloud
A Microsoft tool for creating, managing, operating, and optimizing high-performance computing (HPC) and big compute clusters in Azure.
66 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Amrinder Singh 5,555 Reputation points Microsoft Employee
    2024-05-22T01:31:00.0833333+00:00

    Hi Devin Payne - Thanks for reaching out.

    Disable the account keys access would disable the auth coming via Shared Keys , Account or Service SAS and the calls shall return a 403 during authorization.

    https://zcusa.951200.xyz/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal

    However you mentioned that you are using MI so there appears to be some configuration which might be using access keys and hence resulting into failure.

    You can start by enabling the diagnostic logging to check the auth method being passed. if you observe auth method other that OAUTH (i.e. AD) such as Shared Key or SAS this shall help in isolation.

    https://zcusa.951200.xyz/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

    Hope that helps!


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.