tryretool · JatinNanda · Jun 23, 2026
diff --git a/charts/retool/Chart.yaml b/charts/retool/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.11.5
+version: 6.11.6
 maintainers:
   - name: Retool Engineering
     email: engineering+helm@retool.com

diff --git a/charts/retool/templates/_helpers.tpl b/charts/retool/templates/_helpers.tpl
@@ -975,6 +975,9 @@ directly via environmentVariables / environmentSecrets).
 {{- else if $bs.azure.connectionString }}
 - name: RR_DEFAULT_AZURE_CONNECTION_STRING
   value: {{ $bs.azure.connectionString | quote }}
+{{- else if $bs.azure.accountUrl }}
+- name: RR_DEFAULT_AZURE_ACCOUNT_URL
+  value: {{ $bs.azure.accountUrl | quote }}
 {{- end }}
 {{- end }}
 {{- if .Values.rr.gitServer.repackThreshold }}

diff --git a/charts/retool/values.yaml b/charts/retool/values.yaml
@@ -1211,11 +1211,23 @@ rr:
   # This block can be omitted entirely if RR_BLOB_STORAGE_PROVIDER and the
   # RR_DEFAULT_*_* env vars are provided directly via environmentVariables /
   # environmentSecrets above — the chart detects that and skips this guard.
+  #
+  # Keyless auth: each provider can authenticate as the pod's own identity
+  # instead of a static credential. Leave the credential field unset and set
+  # serviceAccount.annotations so the pod carries the right identity:
+  #   - s3:    omit accessKeyId/secret -> AWS default chain (EKS IRSA via the
+  #            eks.amazonaws.com/role-arn annotation, instance profile, ECS role)
+  #   - gcs:   omit credentials -> Application Default Credentials (GKE Workload
+  #            Identity via the iam.gke.io/gcp-service-account annotation)
+  #   - azure: set accountUrl instead of a connection string -> managed identity
+  #            (azure.workload.identity/client-id annotation + the
+  #            azure.workload.identity/use: "true" pod label)
   blobStorage: {}
     # s3:
     #   bucket: my-rr-bucket
     #   region: us-east-1
     #   endpoint: ""                              # optional, for S3-compatible (MinIO, R2, etc.)
+    #   # Omit accessKeyId + secret to use the AWS default credential chain (IAM role / IRSA).
     #   accessKeyId: AKIA...
     #   # Provide secretAccessKey OR the secretName/secretKey pair below.
     #   secretAccessKey: ""
@@ -1224,17 +1236,19 @@ rr:
     #
     # gcs:
     #   bucket: my-rr-bucket
-    #   # Provide credentials (JSON string) OR the secretName/secretKey pair below.
+    #   # Omit credentials to use Application Default Credentials (Workload Identity).
     #   credentials: ""
     #   credentialsSecretName: ""
     #   credentialsSecretKey: credentials.json
     #
     # azure:
     #   container: my-rr-container
-    #   # Provide connectionString OR the secretName/secretKey pair below.
+    #   # Provide connectionString OR the secretName/secretKey pair below, OR set
+    #   # accountUrl on its own to authenticate via managed identity.
     #   connectionString: ""
     #   connectionStringSecretName: ""
     #   connectionStringSecretKey: connection-string
+    #   accountUrl: ""                            # e.g. https://<account>.blob.core.windows.net
 
 agents:
   # Enable AI Agents