Main Content

Enable Access to Azure Storage Using Delegation

Since R2023b

In MATLAB® Online Server™, end users can run MATLAB functions to access data stored remotely in Azure® Blob Storage resources. These functions require end users to acquire their Azure credentials in advance. Otherwise, MATLAB returns an error. You can provide MATLAB Online Server with delegated access to Azure. With Azure delegation enabled, the server acquires credentials for end users as soon as they sign in to MATLAB Online™, giving them immediate access to their remote data.

Limitations

MATLAB Online Server supports delegation only for Azure Blob Storage resources. Delegation for other storage resources, such as Azure Data Lake, Azure File Storage, or Azure Key Vault, is not supported.

Prerequisites

  • You are using an OAuth 2.0 and Open ID Connect (OIDC) identity provider to authenticate user access, and you configured this access using the Microsoft® Authentication Library (MSAL) method in MATLAB Online Server. For more details, see MSAL Authentication in MATLAB Online Server.

  • You have a storage account under the same account as the identity provider. This account must have blob containers available and the following Identity Access Management (IAM) roles assigned:

    • Storage Blob Data Contributor

    • Storage Blob Data Owner

    • Storage Blob Delegator

    For more details, see Assign permissions with RBAC (Azure).

Configure Authentication Service to Support Azure Delegation

Enable Azure delegation in the MATLAB Online Server authentication service by setting the appropriate values in the authnz.yaml file. The file is located at this path.

<server-root>/overrides/<cluster-name>/<namespace-name>/authnz.yaml
  • <server-root> is the MATLAB Online Server installation folder.

  • <cluster-name> is the name of the Kubernetes® cluster.

  • <namespace-name> is the namespace of the MATLAB Online Server deployment.

Sample path:

~/matlab_online_server/overrides/matlab-online-server/mathworks/authnz.yaml

Under identityProviders, within the msal section, add a delegation subsection with this structure.

identityProviders:
  - id: "msal"
    type: "msal"

    # Standard MSAL Configuration
    ...

    delegation:
      azure:
        storage:
          blob:
            storageAccount: "<storage account name>"
            containerName: "<container name>"
            sasLifeTime: 8
            sasPermission: "racwdli"
            signedResource: "c"
            signedDirectoryDepth: "5"
            signedIP: ""

For details on the standard MSAL configuration, see MSAL Authentication in MATLAB Online Server.

In the storage section, under blob, configure these required fields.

FieldDescription
storageAccount

Name of Azure storage account.

containerNameName of Azure blob container.

Optionally, configure these fields to specify how to generate the shared access signature (SAS) token required for accessing Azure resources. For complete details on these fields, see Create a user delegation SAS (Microsoft).

FieldDescription
sasLifeTime

Duration, in hours, of SAS token.

Default: 8

sasPermission

User permissions for blob token.

Default: "racwdli"

signedResource

User permissions for resource.

Default: "c" (container)

signedDirectoryDepth

Maximum directory depth of resources. This field applies only when signedResource is set to "d" (directory).

Default: "5"

signedIP

Range of IP addresses that can use the SAS token for blob access.

Default: ""

Not all storage configurations from Azure are available in MATLAB Online Server. If you require additional configuration options, contact support.

Deploy Kubernetes Secret for User Credentials

To provide users with delegated access to remote data, MATLAB Online Server must transmit user credentials between services in the Kubernetes cluster. Encrypt these credentials by storing them in a Kubernetes secret object and deploying the object to the cluster. If you already deployed a Kubernetes secret object for user credentials to the cluster, skip this step.

  1. Generate a random 64-bit-encoded string that the cluster can use to encrypt the data. For example, this Linux® bash script generates a random string of alphanumeric characters, wrapped in lines of 32 characters each, and encodes this string using base-64 encoding.

    #!/bin/bash
    SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
    echo $SECRET
    echo -n $SECRET | base64
  2. Create a file named credentials-secret.yaml and copy in the fields shown. Then, set the credentials-secret field to the value of the base-64-encoded string generated earlier. Save the file in any location on the Kubernetes cluster.

    credentials-secret.yaml
    apiVersion: "v1"
    kind: "Secret"
    metadata:
        name: "credentials-secret"
    data:
        credentials-secret: "<secret string>"
  3. Deploy the secret to the Kubernetes cluster. Replace <namespace-name> with your MATLAB Online Server namespace.

    kubectl apply -f credentials-secret.yaml --namespace <namespace-name>
    

Enable Azure Support on Server

Enable Azure support across all services by setting the appropriate values in the all.yaml file. The file is located at this path.

<server-root>/overrides/<cluster-name>/<namespace-name>/all.yaml

In the global section, add a delegation section with this structure.

global:
  tls:
    enabled: true
 
  delegation:
    providers:
      - type: "azure"
        enabled: true
    secretFile:
      mountPath: "/etc/credentials-secret-volume/"
      name: "credentials-secret"

Configure these fields.

FieldRequired or OptionalDescription
providersRequired

Delegation provider. To enable Azure delegation, type must be "azure" and enabled must be true.

secretFileOptional

Full path to the secret file used for securely transmitting Azure credentials within the MATLAB Online Server cluster.

  • mountPath specifies the location to which you deployed the secret. The default mount path is "/etc/credentials-secret-volume".

  • name is the name of the secret file, as determined by the name field of credentials-secret.yaml. The default name is credentials-secret, as shown in the name field specified in the Deploy Kubernetes Secret for User Credentials step.

If you do not change the default values, then you can omit the secretFile section.

Deploy Changes to Server

To apply your changes, undeploy and redeploy the server.

./mosadm undeploy
./mosadm deploy

These changes take effect for each user the next time they sign in to MATLAB Online with their single sign-on credentials.

For an example of how end users can access their remote data, see Work with Remote Data. When delegation is enabled, end users do not have to follow the instructions on setting up access and setting environment variables for their credentials.

Related Topics