can't create a storage share through kubernetes file.csi.azure.com

Neil Andrews 0 Reputation points
2024-09-16T13:30:49.5233333+00:00

I am trying to create a file share through Kubernetes using the file.csi.azure.com storage class; here is an example:

--

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azurefile-<NAMESPACE>
provisioner: file.csi.azure.com
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: Immediate
mountOptions:
  - dir_mode=0777
  - file_mode=0777
  - uid=0
  - gid=0
  - mfsymlinks
  - cache=none
  - nobrl
parameters:
  resourceGroup: <k8-rg>
  storageAccount: <k8-storage>
  server: <k8-storage>.file.core.windows.net
  sharename: share

--

When it tries to provision a share by adding a claim, it comes back with an error:

failed to provision volume with StorageClass "azurefile-dev1":
rpc error: code = Internal desc = storage.FileSharesClient#Get: Failure
responding to request: StatusCode=403 -- Original Error: autorest/azure:
Service returned an error. Status=403 Code="AuthorizationFailed" Message="The
client 'xxxxxxxxx' with object id
'xxxxxxxx' does not have authorization to perform
action 'Microsoft.Storage/storageAccounts/fileServices/shares/read' over scope
'/subscriptions/xxxxxxx/resourceGroups/DEV/providers/Microsoft.Storage/storageAccounts/devstorage/fileServices/default/shares/share-dev-0'
or the scope is invalid. If access was recently granted, please refresh your.

--

I have given the Kubernetes user Contributor (this used to work), but I have noticed that there isn't a role Microsoft.Storage/storageAccounts/fileServices/shares/read, but there is one called Microsoft.Storage/storageAccounts/fileServices/fileshares/read.

So if it worked before, it looks like the role name has changed but the driver has not reflected that.


2 answers

  1. Sina Salam 11,206 Reputation points
    2024-09-16T17:31:50.7666667+00:00

    Hello Neil Andrews,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having challenges creating a storage share through Kubernetes file.csi.azure.com.

    The error shows that the client does not have the necessary permissions to perform the action Microsoft.Storage/storageAccounts/fileServices/shares/read; this role should be assigned to the user performing the task. You can check and assign roles using the Azure Portal or Azure CLI as shown below.

       az role assignment create --assignee <client-id> --role "Storage File Data SMB Share Reader" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"
    

    Make sure there are no discrepancies in the role names and that it's correctly assigned.

    Also check your Storage Class Parameters and ensure you update it, similarly to the below:

       kind: StorageClass
       apiVersion: storage.k8s.io/v1
       metadata:
         name: azurefile-<NAMESPACE>
       provisioner: file.csi.azure.com
       allowVolumeExpansion: true
       reclaimPolicy: Delete
       volumeBindingMode: Immediate
       mountOptions:
         - dir_mode=0777
         - file_mode=0777
         - uid=0
         - gid=0
         - mfsymlinks
         - cache=none
         - nobrl
       parameters:
         resourceGroup: <k8-rg>
         storageAccount: <k8-storage>
         server: <k8-storage>.file.core.windows.net
         shareName: share
    

    For more reading and best practices check out the following links:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.


  2. Sumarigo-MSFT 46,286 Reputation points Microsoft Employee
    2024-09-18T16:54:26.63+00:00

    @Neil Andrews, Adding more information to the above response!

    It looks like you're encountering an authorization error when trying to provision a file share using the file.csi.azure.com storage class in Kubernetes. The error message indicates that the client does not have the necessary permissions to perform the action Microsoft.Storage/storageAccounts/fileServices/shares/read (can you please cross-verify the permission again and let us know the status?).

    Before you begin (please cross-verify that the below-mentioned prerequisites have been met):

    • You need an Azure storage account.
    • Make sure you have Azure CLI version 2.0.59 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.
    • When choosing between standard and premium file shares, it's important you understand the provisioning model and requirements of the expected usage pattern you plan to run on Azure Files. For more information, see Choosing an Azure Files performance tier based on usage patterns.

    Here are a few things you can try to resolve this issue:

    Check Role Assignments: Ensure that the Kubernetes user has the correct role assignments. The role Microsoft.Storage/storageAccounts/fileServices/fileshares/read should be assigned instead of Microsoft.Storage/storageAccounts/fileServices/shares/read.

    Update Role Assignments: If the role name has changed, you may need to update the role assignments to reflect the new role name. This can be done through the Azure portal or using Azure CLI commands.

    Use Azure Files CSI Driver: The Azure Files Container Storage Interface (CSI) driver is a CSI specification-compliant driver used by Azure Kubernetes Service (AKS) to manage the lifecycle of Azure file shares. Ensure that you are using the latest version of the Azure Files CSI driver.

    Persistent Volume Configuration: Make sure that your persistent volume (PV) configuration is correct. A PV can be used by one or many pods and can be dynamically or statically provisioned. If multiple pods need concurrent access to the same storage volume, you can use Azure Files to connect by using the Server Message Block (SMB) or NFS protocol.

    If you have recently granted access, it might take some time for the changes to propagate. You can try refreshing your credentials or re-authenticating to ensure that the new permissions are applied.

    Option 2:
    Check Scope: Ensure that the scope specified in the error message is correct. The scope should be set to the specific file share or storage account that you are trying to access. You can use the following command to assign the role at the correct scope:

    $FileShareContributorRole = Get-AzRoleDefinition "Storage File Data SMB Share Reader"
    $scope = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/fileServices/default/fileshares/<share-name>"
    New-AzRoleAssignment -SignInName <user-principal-name> -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope
    

    Use Built-in Roles: Consider using built-in roles such as Storage File Data SMB Share Reader, Storage File Data SMB Share Contributor, or Storage File Data SMB Share Elevated Contributor which provide the necessary permissions for accessing Azure file shares over SMB.

    If access was recently granted, it might take some time for the permissions to propagate. You can try refreshing the permissions by re-assigning the role or waiting for a few minutes and then trying again.

    References

    Use Container Storage Interface (CSI) driver for Azure Files on Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn

    Assign share-level permissions for Azure file shares

    Use Azure Files Container Storage Interface (CSI) driver in Azure Kubernetes Service (AKS)

    Create and use a volume with Azure Files in Azure Kubernetes Service (AKS)

    Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster

    Link: https://github.com/kubernetes-sigs/azurefile-csi-driver/tree/master/deploy/example/nfs#prerequisite


    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
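The question and both answers turn on three Azure RBAC rules: an assignment only applies at its own scope and the scopes beneath it, role Actions use `*` wildcards (which is why Contributor covers `Microsoft.Storage/storageAccounts/fileServices/shares/read`), and the data-plane roles named in the answers (Storage File Data SMB Share Reader and friends) carry DataActions for SMB file access rather than Actions, so they cannot satisfy the control-plane `shares/read` call that the CSI driver makes to check whether a share already exists. The following evaluator is an added example written for this thread; it is not code from the CSI driver, the Azure SDK, or either answer. The role definitions are abbreviated, hand-written approximations of the built-in roles (the real Contributor NotActions list is longer), and the principal id and subscription id are constructed placeholders.

```python
"""Minimal evaluator for Azure RBAC control-plane authorization (added example)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class RoleDefinition:
    name: str
    actions: list = field(default_factory=list)       # control plane (ARM)
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)  # data plane (SMB/REST)


@dataclass
class RoleAssignment:
    principal_id: str
    role: RoleDefinition
    scope: str


# Abbreviated approximations of built-in roles (constructed for this example).
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=["*"],
    not_actions=["Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/elevateAccess/Action"],
)
# Data-plane only: grants reading files over SMB, not ARM share management.
SMB_SHARE_READER = RoleDefinition(
    "Storage File Data SMB Share Reader",
    data_actions=["Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"],
)

# Action and scope taken from the error in the question; subscription id is a placeholder.
SHARE_READ = "Microsoft.Storage/storageAccounts/fileServices/shares/read"
SHARE_SCOPE = ("/subscriptions/<subscription-id>/resourceGroups/DEV/providers/"
               "Microsoft.Storage/storageAccounts/devstorage/fileServices/default/shares/share-dev-0")


def _matches(patterns, action):
    """Azure action matching is case-insensitive and '*' spans '/' separators."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _scope_covers(assignment_scope, target_scope):
    """An assignment covers its own scope and every child scope beneath it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def granting_assignment(principal_id, action, scope, assignments):
    """Return the assignment that grants the control-plane action, or None."""
    for asg in assignments:
        if asg.principal_id != principal_id or not _scope_covers(asg.scope, scope):
            continue
        role = asg.role
        if _matches(role.actions, action) and not _matches(role.not_actions, action):
            return asg
    return None


def is_authorized(principal_id, action, scope, assignments):
    return granting_assignment(principal_id, action, scope, assignments) is not None


def diagnose_403(principal_id, action, scope, assignments):
    """Explain a denial in the terms a practitioner would check first."""
    if is_authorized(principal_id, action, scope, assignments):
        return "allowed"
    mine = [a for a in assignments if a.principal_id == principal_id]
    if not mine:
        return "no role assignments for this principal"
    if all(not a.role.actions for a in mine):
        return "data-plane roles only: a control-plane action needs Actions, not DataActions"
    if any(_matches(a.role.actions, action) and not _matches(a.role.not_actions, action)
           for a in mine):
        return "role grants the action, but at a scope that does not cover the target"
    return "no assigned role grants the action"


def scenarios():
    """Four assignment layouts a cluster identity might end up with."""
    kubelet = "aks-kubelet-identity"  # constructed principal object id
    dev_rg = "/subscriptions/<subscription-id>/resourceGroups/DEV"
    prod_rg = "/subscriptions/<subscription-id>/resourceGroups/PROD"
    return {
        "contributor_on_dev_rg": diagnose_403(
            kubelet, SHARE_READ, SHARE_SCOPE, [RoleAssignment(kubelet, CONTRIBUTOR, dev_rg)]),
        "smb_reader_only": diagnose_403(
            kubelet, SHARE_READ, SHARE_SCOPE, [RoleAssignment(kubelet, SMB_SHARE_READER, dev_rg)]),
        "contributor_on_other_rg": diagnose_403(
            kubelet, SHARE_READ, SHARE_SCOPE, [RoleAssignment(kubelet, CONTRIBUTOR, prod_rg)]),
        "no_assignments": diagnose_403(kubelet, SHARE_READ, SHARE_SCOPE, []),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The `smb_reader_only` case is the one to watch when following the `az role assignment create` and `New-AzRoleAssignment` commands above: assigning a data-plane SMB role at the share scope changes nothing for the driver's ARM `shares/read` call, so the 403 persists until a role with the matching control-plane Action is assigned at the storage account or a parent scope.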
