Updated on 2026-06-16 GMT+08:00

Using a Temporary Custom Access Key (AK/SK) to Mount an OBS Volume

In containerized application deployment, mounting an OBS bucket into a container still requires a permanent AK/SK. Because these credentials never expire, they broaden the blast radius of any leak and clash with the least-privilege policies that security-focused enterprises now enforce. The container-storage add-on (CCE Container Storage (Everest)) eliminates the need for permanent AK/SKs by generating a short-lived, custom AK/SK each time an OBS volume is mounted. Unlike the permanent AK/SKs held by IAM users, these credentials are created on demand, expire in 15 minutes to 24 hours, and are then automatically deleted, eliminating the long-term risk of a leaked key.

Prerequisites

Notes and Constraints

  • When an OBS volume is mounted using a temporary custom AK/SK, you must periodically refresh that credential before it expires. Otherwise, service containers will not be able to access the mounted OBS volume.
  • Temporary custom AK/SKs cannot be configured for secure containers.
  • Once an OBS volume has been mounted with a temporary AK/SK, the credential type cannot be switched to a permanent one. In this case, dynamic key replacement is not supported.
  • The temporary AK/SK inherits the exact OBS read/write permissions of the IAM user who requested it, so that user must already hold those rights.

Creating a Secret Using Access Keys

  1. Obtain temporary access keys (AK/SK and STS token). For details, see Temporary Access Key (for Federated Users).
  2. Encode each credential in Base64. (Assume that the AK is xxx, the SK is yyy, and the STS token is zzz.)

    echo -n xxx|base64
    echo -n yyy|base64
    echo -n zzz|base64 -w 0

    Record the encoded AK/SK and STS token.

  3. Create a YAML file, for example test-user.yaml, to hold the secret.

    apiVersion: v1
    data:
      access.key: WE5WWVhVNU*****
      secret.key: Nnk4emJyZ0*****
      security.token: Adfaf*****
    kind: Secret
    metadata:
      name: test-user
      namespace: default
      labels:
        secret.kubernetes.io/used-by: csi
    type: cfe/secure-opaque

    The parameters are as follows.

    • access.key: the Base64-encoded AK
    • secret.key: the Base64-encoded SK
    • security.token: the Base64-encoded STS token
    • name: the secret name
    • namespace: the namespace of the secret
    • labels: must include secret.kubernetes.io/used-by: csi, the label required so the console can use this secret when provisioning an OBS PV/PVC
    • type: the secret type. The value must be cfe/secure-opaque. When this type is used, user input is encrypted automatically.

  4. Create the secret.

    kubectl create -f test-user.yaml
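As an added example (not from the CCE documentation), the following POSIX shell script renders the cfe/secure-opaque secret from steps 2 and 3 and adds the expiry check needed to refresh the credential before it lapses, as required in Notes and Constraints. The function names, and the lifetime and margin values passed to needs_refresh, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the CCE documentation: render the Secret that
# the OBS CSI driver expects from a freshly obtained temporary AK/SK and STS
# token, and decide when that credential must be refreshed.

# Base64 without line wrapping; portable equivalent of `base64 -w 0`.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# render_obs_secret NAME NAMESPACE AK SK STS_TOKEN
# Prints the Secret manifest with the label and type the driver requires.
# An empty credential would produce a secret that mounts nothing, so refuse it.
render_obs_secret() {
  if [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ]; then
    echo "render_obs_secret: AK, SK and STS token must all be non-empty" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
  labels:
    secret.kubernetes.io/used-by: csi
type: cfe/secure-opaque
data:
  access.key: $(b64 "$3")
  secret.key: $(b64 "$4")
  security.token: $(b64 "$5")
EOF
}

# needs_refresh ISSUED_EPOCH LIFETIME_SEC MARGIN_SEC NOW_EPOCH
# Returns 0 (true) once NOW is within MARGIN_SEC of the credential's expiry,
# i.e. when the secret must be re-rendered and re-applied. LIFETIME_SEC is the
# lifetime the temporary credential was issued with (15 minutes to 24 hours).
needs_refresh() {
  expiry=$(( $1 + $2 ))
  [ "$4" -ge $(( expiry - $3 )) ]
}

# refresh_obs_secret NAME NAMESPACE AK SK STS_TOKEN
# Re-applies the secret in place; kubectl apply updates the existing object,
# so the running workload keeps its mount while the credential is replaced.
refresh_obs_secret() {
  render_obs_secret "$@" | kubectl apply -f -
}
```

Run `render_obs_secret test-user default "$AK" "$SK" "$TOKEN" | kubectl apply -f -` to create the secret the first time, and call refresh_obs_secret with the new credentials whenever needs_refresh reports that the current ones are about to expire.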

Mounting a Secret to an OBS Volume

The method of mounting an OBS volume varies depending on how the volume was created.

For a statically created OBS volume, after a secret is created using the AK/SK, associate the secret with the PV to be created; the AK/SK in the secret is then used to mount the OBS volume.

  1. Log in to the OBS console, create an OBS bucket, and record the bucket name and StorageClass. The parallel file system is used as an example.
  2. Create a YAML file for the PV, for example, pv-example.yaml.

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-obs-example
      annotations:
        pv.kubernetes.io/provisioned-by: everest-csi-provisioner
    spec:
      accessModes:
      - ReadWriteMany
      capacity:
        storage: 1Gi
      csi:
        nodePublishSecretRef:
          name: test-user
          namespace: default
        driver: obs.csi.everest.io
        fsType: obsfs
        volumeAttributes:
          everest.io/obs-volume-type: STANDARD
          everest.io/region: ap-southeast-1
          storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner
        volumeHandle: obs-normal-static-pv
      persistentVolumeReclaimPolicy: Delete
      storageClassName: csi-obs

    The parameters are as follows.

    • nodePublishSecretRef: the secret specified during the mounting
      • name: name of the secret
      • namespace: namespace of the secret
    • fsType: file type, which can be s3fs or obsfs. If the value is s3fs, an OBS bucket is created. If the value is obsfs, an OBS parallel file system is created.
    • volumeHandle: OBS volume name

  3. Create a PV.

    kubectl create -f pv-example.yaml

    After a PV is created, you can create a PVC and associate it with the PV.

  4. Create a YAML file for the PVC, for example, pvc-example.yaml.

    Example YAML file for the PVC:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      annotations:
        csi.storage.k8s.io/node-publish-secret-name: test-user
        csi.storage.k8s.io/node-publish-secret-namespace: default
        volume.beta.kubernetes.io/storage-provisioner: everest-csi-provisioner
        everest.io/obs-volume-type: STANDARD
        csi.storage.k8s.io/fstype: obsfs
      name: obs-secret
      namespace: default
    spec:
      accessModes:
      - ReadWriteMany
      resources:
        requests:
          storage: 1Gi
      storageClassName: csi-obs
      volumeName: pv-obs-example

    The parameters are as follows.

    • csi.storage.k8s.io/node-publish-secret-name: secret name
    • csi.storage.k8s.io/node-publish-secret-namespace: namespace of the secret

  5. Create a PVC.

    kubectl create -f pvc-example.yaml

    After the PVC is created, you can create a workload that references the PVC to mount the volume.

When dynamically creating an OBS volume, you can use the following method to specify a secret:

  1. Create a YAML file for the PVC, for example, pvc-example.yaml.

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      annotations:
        csi.storage.k8s.io/node-publish-secret-name: test-user
        csi.storage.k8s.io/node-publish-secret-namespace: default
        everest.io/obs-volume-type: STANDARD
        csi.storage.k8s.io/fstype: obsfs
      name: obs-secret
      namespace: default
    spec:
      accessModes:
      - ReadWriteMany
      resources:
        requests:
          storage: 1Gi
      storageClassName: csi-obs

    The parameters are as follows.

    • csi.storage.k8s.io/node-publish-secret-name: secret name
    • csi.storage.k8s.io/node-publish-secret-namespace: namespace of the secret

  2. Create a PVC.

    kubectl create -f pvc-example.yaml

    After the PVC is created, you can create a workload that references the PVC to mount the volume.

Verification

You can use a secret of an IAM user to mount an OBS volume. Assume that a workload named obs-secret is created, the mount path in the container is /temp, and the IAM user has the CCE ReadOnlyAccess and Tenant Guest permissions.
  1. Query the name of the workload pod.

    kubectl get pod | grep obs-secret

    Expected outputs:

    obs-secret-5cd558f76f-vxslv          1/1     Running   0          3m22s

  2. Query the objects in the mount path. In this example, the query is successful.

    kubectl exec obs-secret-5cd558f76f-vxslv -- ls -l /temp/

  3. Write data into the mount path. In this example, the write operation failed.

    kubectl exec obs-secret-5cd558f76f-vxslv -- touch /temp/test

    Expected outputs:

    touch: setting times of '/temp/test': No such file or directory
    command terminated with exit code 1

  4. Set the read/write permissions for the IAM user who mounted the OBS volume by referring to the bucket policy configuration.

  5. Write data into the mount path again. In this example, the write operation succeeded.

    kubectl exec obs-secret-5cd558f76f-vxslv -- touch /temp/test

  6. Check the mount path in the container to see whether the data is successfully written.

    kubectl exec obs-secret-5cd558f76f-vxslv -- ls -l /temp/

    Expected outputs:

    -rwxrwxrwx 1 root root 0 Jun  7 01:52 test