DistStorage - Azure Gen2 Access Key

Hi, We are using Azure ADLS Gen 2 as a diststorage for Dremio, configured to run on AKS using Helm charts.
Is there any way how we cannot expose the accesskey and use some k8s secrets to authenticate to the Azure storage. In the current method, we have to explicitly mention the access key in the values.yaml.

Any help please?

@ramprasd89 You should be able to do this but it does requires modifying the templates. It’s been a while since I tested this but this should still work.

  1. Create a few environmental variables first. Change these parameters as needed for your own environment:

  2. Get storage account key and store as variable:

    STORAGE_KEY_HOST=$(az storage account keys list --resource-group $AKS_PERS_RESOURCE_GROUP --account-name $AKS_PERS_STORAGE_ACCOUNT_NAME --query "[0].value" -o tsv)
  3. Create a K8s Secret:

    kubectl create secret generic azure-secret --from-literal=azurestorageaccountkey=$STORAGE_KEY_HOST
  4. Edit dremio-cloud-tools/charts/dremio_v2/templates/dremio-master.yaml
    Under line 65 env:, add the following:

         - name: STORAGE_KEY
               name: azure-secret
               key: azurestorageaccountkey
  5. Edit dremio-cloud-tools/charts/dremio_v2/templates/dremio-executor.yaml
    Under line 56 env:, add the following:

         - name: STORAGE_KEY
               name: azure-secret
               key: azurestorageaccountkey
  6. Do the above for dremio-coordinator.yaml too if you plan to launch multiple coordinators.

  7. Now modify values.yaml at dremio-cloud-tools/charts/dremio_v2/values.yaml and configure your storage account as below:

      type: "azureStorage"
        accountName: "your_storage_account"
        filesystem: "your_storage_container"
        path: "/"
          accessKey: "${env.STORAGE_KEY}"

You should be set.

If you do not want to modify templates and such, another way is to put everything you need in core-site.xml and make that itself a K8s secret.


Thanks for the quick response. I have created an env variable(AZURE_STORAGE_ACCESS_KEY) in the templates as you mentioned, and passed the Azure access key in the values.yaml as:


however the dremio-master pod keeps failing while trying to recognize the access key with the error:
Caused by: java.lang.IllegalArgumentException: Illegal base 64 character 24

Any idea??

ALso could you elaborate on the core-site.xml method you mentioned at the end.

If you’re creating an environmental variable, then you need to prefix it with env. and use double-quotes. So try:

      accessKey: "${env.AZURE_STORAGE_ACCESS_KEY}"

Re: core-site.xml. The values that you are using in values.yaml get put into core-site.xml when helm launches the pods. And that’s what Dremio uses to get the access key. You can put everything you need in this file, and create a k8s secret with it and then use that as a file in the pods such that it gets added to Dremio’s config path


Thanks for your response,
It worked!!