blob-csi-driver
Workload Identity requires Access Keys on Azure Storage Account to be enabled
Hello, I have some questions about the Workload Identity feature.
Currently trying out the blob-csi-driver 1.24.1 release together with an AKS 1.29.2. I am not using the Microsoft-managed blob-csi-driver.
I only got Workload Identity for blobs running if my Azure Storage Account has access keys enabled. The blob-node pod prints the following message:
```
clientID(xxx) is specified, use service account token to get account key
```
This is in blob.go:
```go
// if client id is specified, we only use service account token to get account key
if clientID != "" {
	klog.V(2).Infof("clientID(%s) is specified, use service account token to get account key", clientID)
	if subsID == "" {
		subsID = d.cloud.SubscriptionID
	}
	// the service account token is exchanged for the storage account key,
	// which is then handed to the mount as AZURE_STORAGE_ACCESS_KEY
	accountKey, err := d.cloud.GetStorageAccesskeyFromServiceAccountToken(ctx, subsID, accountName, rgName, clientID, tenantID, serviceAccountToken)
	authEnv = append(authEnv, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
	return rgName, accountName, accountKey, containerName, authEnv, err
}
```
Azure also shows the access in the Activity log:
The Service Account Token should be used to directly access the Storage Account resources, I think. Workload Identity should allow disabling the access keys and using only RBAC for the Azure Storage Account. Maybe I missed something here, or my setup is not correct, or is this intended behaviour?
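As an added example (not part of this issue or of the driver's code), the following Python audits Activity Log records for the storage account `listKeys` operation that the clientID path above ends up performing, and cross-checks each account's `allowSharedKeyAccess` setting, so an operator can see which mounts still depend on account keys and which are expected to fail once keys are disabled. The records, account names and client ID are constructed placeholders, and the record layout is a simplified form of the Activity Log and storage account schemas.

```python
import json
from collections import defaultdict

# Real Azure operation name recorded when an account key is fetched.
LIST_KEYS_OP = "Microsoft.Storage/storageAccounts/listKeys/action"
ACCT_PREFIX = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/"
DRIVER_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder workload identity

# Constructed sample data (simplified Activity Log / storage account JSON).
ACTIVITY_LOG = json.dumps([
    {"eventTimestamp": "2024-05-01T10:00:00Z", "caller": DRIVER_CLIENT_ID,
     "operationName": {"value": LIST_KEYS_OP}, "status": {"value": "Succeeded"},
     "resourceId": ACCT_PREFIX + "keysenabled"},
    {"eventTimestamp": "2024-05-01T10:05:00Z", "caller": DRIVER_CLIENT_ID,
     "operationName": {"value": LIST_KEYS_OP}, "status": {"value": "Failed"},
     "resourceId": ACCT_PREFIX + "keysdisabled"},
    {"eventTimestamp": "2024-05-01T10:06:00Z", "caller": "someone@example.com",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/read"},
     "status": {"value": "Succeeded"}, "resourceId": ACCT_PREFIX + "keysenabled"},
])
STORAGE_ACCOUNTS = json.dumps([
    {"name": "keysenabled", "properties": {"allowSharedKeyAccess": True}},
    {"name": "keysdisabled", "properties": {"allowSharedKeyAccess": False}},
    {"name": "defaultsetting", "properties": {}},  # property unset: Azure treats it as enabled
])


def key_fetches_by_caller(activity_log_json, caller):
    """Map account name -> list of listKeys outcomes ("Succeeded"/"Failed") for one caller."""
    fetches = defaultdict(list)
    for rec in json.loads(activity_log_json):
        if rec["caller"] != caller or rec["operationName"]["value"] != LIST_KEYS_OP:
            continue
        account = rec["resourceId"].rsplit("/", 1)[-1]
        fetches[account].append(rec["status"]["value"])
    return dict(fetches)


def audit(activity_log_json, accounts_json, client_id):
    """Per account: is shared key access on, and did this identity fetch keys for it?"""
    fetches = key_fetches_by_caller(activity_log_json, client_id)
    report = {}
    for acct in json.loads(accounts_json):
        name = acct["name"]
        # allowSharedKeyAccess defaults to enabled when the property is not set.
        shared_key = acct["properties"].get("allowSharedKeyAccess", True)
        outcomes = fetches.get(name, [])
        report[name] = {
            "shared_key_enabled": shared_key,
            "key_fetches": len(outcomes),
            "failed_fetches": sum(s == "Failed" for s in outcomes),
            # The clientID path needs a key, so a mount can only work while keys are enabled.
            "key_based_mount_possible": shared_key,
        }
    return report
```

Running `audit(ACTIVITY_LOG, STORAGE_ACCOUNTS, DRIVER_CLIENT_ID)` flags `keysenabled` as still served by account keys and shows the failed fetch against `keysdisabled`, which matches the behaviour described in the issue.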