Enable Access to Azure Storage Using Delegation

Since R2023b

MATLAB^® Online™ end users can use MATLAB functions to access data stored remotely in Azure^® Blob Storage resources. However, if end users do not acquire the Azure credentials needed to access those resources in advance, MATLAB returns an error. If you enable MATLAB Online Server™ to have delegated access to these resources, the server acquires these credentials for end users when they log in to MATLAB Online, providing them immediate access to their remote data.

Limitations

MATLAB Online Server supports delegation only for Azure Blob Storage resources. Delegation for other storage resources, such as Azure Data Lake, Azure File Storage, or Azure Key Vault, is not supported.

Prerequisites

MATLAB Online Server has Transport Layer Security (TLS) enabled. For more details, see the Security configuration properties.
You are using an OAuth 2.0 and Open ID Connect (OIDC) identity provider to authenticate user access, and you configured this access using the Microsoft^® Authentication Library (MSAL) method in MATLAB Online Server. For more details, see Configure User Authentication in MATLAB Online Server.
You have a storage account under the same account as the identity provider. This account must have blob containers available and the following Identity Access Management (IAM) roles assigned:
- Storage Blob Data Contributor
- Storage Blob Data Owner
- Storage Blob Delegator
For more details, see Assign permissions with RBAC (Azure).

Configure Authentication Service to Support Azure Delegation

Enable Azure delegation in the MATLAB Online Server authentication service by setting the appropriate values in the authnz.yaml file. The file is located at this path.

server_root/overrides/cluster/namespace/authnz.yaml

server_root is the root folder of your MATLAB Online Server installation.
cluster is the name of your Kubernetes^® cluster.
namespace is the Kubernetes namespace you used to deploy MATLAB Online Server.

Under identityProviders, within the msal identity provider, add a delegation section with this structure.

identityProviders:
  - id: msal
    type: msal
    # Standard MSAL Configuration
    ...

    delegation:
      azure:
        storage:
          blob:
            storageAccount: "<storage account name>"
            containerName: "<container name>"
            sasLifeTime: 8
            sasPermission: "racwdli"
            signedResource: "c"
            signedDirectoryDepth: "5"
            signedIP: ""

For details on the standard MSAL configuration, see the MSAL section of the authentication documentation.

In the storage section, under blob, configure these required attributes.

Attribute	Description
`storageAccount`	Name of Azure storage account.
`containerName`	Name of Azure blob container.

Optionally, configure these attributes to specify how to generate the shared access signature (SAS) token required for accessing Azure resources. For complete details on these attributes, see Create a user delegation SAS (Microsoft).

Attribute	Description
`sasLifeTime`	Duration, in hours, of SAS token. Default: `8`
`sasPermission`	User permissions for blob token. Default: `"racwdli"`
`signedResource`	User permissions for resource. Default: `"c"` (container)
`signedDirectoryDepth`	Maximum directory depth of resources. This attribute applies only when `signedResource` is set to `"d"` (directory). Default: `"5"`
`signedIP`	Range of IP addresses that can use the SAS token for blob access. Default: `""`

Not all storage configurations from Azure are available in MATLAB Online Server. If you require additional configuration options, contact support.

Deploy Kubernetes Secret for Transmitting Azure Credentials

To transmit the Azure credentials of end users within the MATLAB Online Server cluster, deploy a Kubernetes secret to the cluster. A Kubernetes secret is an object that encrypts sensitive data so that it can be shared securely between services within the cluster. You must deploy this secret within the same namespace as other MATLAB Online Server services in your Kubernetes cluster.

To deploy a Kubernetes secret to the cluster:

Generate a random 64-bit-encoded string that the cluster can use to encrypt the data. For example, this Linux^® bash script generates a random string of alphanumeric characters wrapped onto lines of 32 characters each, and then encodes the string using base-64 encoding.
#!/bin/bash SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) echo $SECRET echo -n $SECRET | base64
Create a file named credentials-secret.yaml and copy in the fields shown. Then, set the credentials-secret field to the value of the base-64-encoded string generated earlier. Save the file in any location within the Kubernetes cluster.
credentials-secret.yaml
apiVersion: v1 kind: Secret metadata: name: credentials-secret data: credentials-secret: <secret string>
Deploy the secret to the Kubernetes cluster. Replace your-namespace with your MATLAB Online Server namespace.
```
kubectl apply -f credentials-secret.yaml --namespace your-namespace
```

`credentials-secret.yaml`
apiVersion: v1 kind: Secret metadata: name: credentials-secret data: credentials-secret: <secret string>

Enable Azure Access Across Server

Enable all services to have delegated access to Azure resources by setting the appropriate values in the all.yaml file. The file is located at this path.

server_root/overrides/cluster/namespace/all.yaml

In the global section, add a delegation section with this structure.

global:
  tls:
    enabled: true
 
  delegation:
    providers:
      - type: "azure"
        enabled: true
    secretFile:
      mountPath: "/etc/credentials-secret-volume/"
      name: "credentials-secret"

Configure these fields.

Attribute Optional or Required Description

Attribute	Optional or Required	Description
`providers`	Required	Delegation provider. To enable Azure delegation, `type` must be `"azure"` and `enabled` must be `true`.
`secretFile`	Optional	Full path to the secret file used for securely transmitting Azure credentials within the MATLAB Online Server cluster. `mountPath` specifies the location to which you deployed the secret. The default mount path is `"/etc/credentials-secret-volume"`. `name` is the name of the secret file, as determined by the name field of `credentials-secret.yaml`. The default name is `credentials-secret`, as shown in the `name` field specified in the Deploy Kubernetes Secret for Transmitting Azure Credentials step. If you do not change the default values, then you can omit the `secretFile` section.

providers

Required

Delegation provider. To enable Azure delegation, type must be "azure" and enabled must be true.

secretFile

Optional

Full path to the secret file used for securely transmitting Azure credentials within the MATLAB Online Server cluster.

mountPath specifies the location to which you deployed the secret. The default mount path is "/etc/credentials-secret-volume".
name is the name of the secret file, as determined by the name field of credentials-secret.yaml. The default name is credentials-secret, as shown in the name field specified in the Deploy Kubernetes Secret for Transmitting Azure Credentials step.

If you do not change the default values, then you can omit the secretFile section.

Deploy Changes to Server

To apply your changes, undeploy and redeploy the server.

./mosadm undeploy
./mosadm deploy

These changes take effect the next time that MATLAB Online end users log in with their single sign-on credentials.

For an example of how end users can access their remote data, see Work with Remote Data. When delegation is enabled, end users do not have to follow the instructions on setting up access and setting environment variables for their credentials.