Historically, the most common way to mount Azure Blob Storage as a file system on Linux has been using the storage account key. However, this method presents two significant security risks:
The account key grants full access to all containers and resources, breaking the principle of least privilege.
The key must be stored in a plain text configuration file, which is a poor security practice.
The modern and recommended solution is to use an Azure AD Service Principal (SPN) in conjunction with BlobFuse, Azure's FUSE driver.
The Secure Alternative: Service Principal and RBAC
By using a Service Principal, you can:
Apply Role-Based Access Control (RBAC) to assign granular permissions, such as the
Storage Blob Data Contributorrole, which only allows access to blob data, not account management.Avoid exposing the master account key.
Enable key rotation or use certificates for even greater security.
The BlobFuse Twist on Linux
The main difference when using a Service Principal with BlobFuse is how the client secret is handled. Unlike other parameters, the secret is not included in the .cfg configuration file.
The configuration file (.cfg) only requires the following data:
accountName <storage-account-name>
authType SPN
containerName <container-name>
servicePrincipalClientId <client-id-of-the-service-principal>
servicePrincipalTenantId <tenant-id>
The client secret must be injected as an environment variable named AZURE_STORAGE_SPN_CLIENT_SECRET.
AZURE_STORAGE_SPN_CLIENT_SECRET="xxxxxxxxxxxx"
This prevents the secret from being exposed in a plain text file that could be accessible to other users on the system.
Practical Example on Ubuntu
To ensure the secret is available to BlobFuse when the system boots (for instance, if you're using an entry in /etc/fstab), the most straightforward way is to add the environment variable to /etc/environment.
1. Define the Secret
Edit the /etc/environment file and add the variable at the end:
Add this line:
Note: By default,
/etc/environmentis world-readable. For stricter security, consider using a privatesystemd EnvironmentFilewithchmod 600permissions.
2. Create the BlobFuse Configuration File
Create a configuration file (e.g., storage.cfg) and ensure it only contains the Service Principal IDs and account information, without the secret.
accountName myblobaccount
authType SPN
containerName mycontainer
servicePrincipalClientId 12345678-abcd-efgh-1234-567890abcdef
servicePrincipalTenantId abcdef12-3456-7890-abcd-efgh12345678
3. Mount the Container
Now you can mount the container using the blobfuse command or by configuring an entry in /etc/fstab. BlobFuse will automatically pick up the secret from the environment variable.
With the AZURE_STORAGE_SPN_CLIENT_SECRET variable defined, simply run:
sudo blobfuse /path/to/mountpoint --config-file=/path/to/storage.cfg
If you're using /etc/fstab, the entry would look like this:
/path/to/storage.cfg /mnt/mycontainer blobfuse defaults,allow_other 0 0Conclusion
Using a Service Principal to mount Azure Blob Storage on Linux with BlobFuse is a much more secure practice than using the account key. By keeping the client secret as an environment variable, you strengthen security and align with Azure AD and RBAC best practices, avoiding the exposure of sensitive credentials in configuration files. This "quirk" in the configuration is, in fact, a key security feature.
