Connecting Azure Blob Storage
Users with workspace manager permissions or higher can connect Azure Blob Storage containers to AI Hub.
About this connection
Review the following functionality, limitations, and other considerations when connecting an Azure Blob Storage container.
- Functionality — Connected Azure Blob Storage containers are supported for use as a source of input files, a destination for file output, and as an upstream or downstream integration in deployments. Azure Blob Storage containers can also be used as default drives.
- Authentication — AI Hub supports three authentication methods for Azure Blob Storage containers: connection strings, service principals, and managed identities.
- Supported content — Any supported file types.
Connecting Azure Blob Storage
You can connect your Azure Blob Storage container using the following authentication methods:
Authenticating with a connection string
- In Workspaces, select a workspace to connect the drive to, then select the Data tab.
- Click Add data source, then select Azure Blob Storage.
- Select an audience.
  - Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.
  - Organization members — Connect the drive at the organization level, making it available to all workspaces.
- On the configuration screen, fill in your authentication and container details, then click Next.
- Enter a display name for the drive. This name can’t be changed later.
- Fill in your authentication and container details, then click Next.
- Select whether to set the drive as a default drive. Not usually recommended; see Managing default drives for details.
- Click Done.
Authenticating with a service principal
Before you begin
The service principal must have the required permissions to access and perform file operations on your storage container. Assign the Storage Blob Data Contributor role.
- In Workspaces, select a workspace to connect the drive to, then select the Data tab.
- Click Add data source, then select Azure Blob Storage.
- Select an audience.
  - Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.
  - Organization members — Connect the drive at the organization level, making it available to all workspaces.
- Enter a display name for the drive. This name can’t be changed later.
- Fill in your authentication and container details, then click Next.
- Select whether to set the drive as a default drive. Not usually recommended; see Managing default drives for details.
- Click Done.
Authenticating with a managed identity
Before you begin
To authenticate with a managed identity, ensure you’ve completed the following. AI Hub assumes you’ve created a managed identity with the required access permissions, and focuses on providing the necessary information to create a federated identity credential.
- Create a user-assigned managed identity to which the federated identity credential can be added. For guidance, see the Microsoft Entra Manage user-assigned managed identities documentation.
- Ensure the managed identity has access to your storage container by assigning the managed identity the Storage Blob Data Contributor role. For guidance, see the Microsoft Entra Assign Azure roles using the Azure portal documentation.

- In Workspaces, select a workspace to connect the drive to, then select the Data tab.
- Click Add data source, then select Azure Blob Storage.
- Select an audience.
  - Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.
  - Organization members — Connect the drive at the organization level, making it available to all workspaces.
- Enter a display name for the drive. This name can’t be changed later.
- Select Managed identity as your authentication method.
- Add a new managed identity or select a previously added managed identity, then click Next.
  Adding a managed identity
  - Click the + icon next to the managed identity selection dropdown.
  - Using the provided configuration details, add a federated identity credential to the user-assigned managed identity. For guidance, see the Microsoft Entra Configure a user-assigned managed identity to trust an external identity provider documentation, following the Kubernetes accessing Azure resources scenario.
  - Confirm the federated identity credential is added, then click Next.
  - Identify the managed identity:
    - Managed identity display name: A display name for the managed identity. This value doesn’t need to correspond to any value in Microsoft Entra or Azure. Display names can’t be changed after saving.
    - Managed identity client ID: The client ID of the user-assigned managed identity. Listed on the managed identity Overview page.
    - Tenant ID: The tenant ID of the Microsoft Entra ID instance.
  - Click Next.
- On the configuration screen, fill in your container details, then click Next.
- Select whether to set the drive as a default drive. Not usually recommended; see Managing default drives for details.
- Click Done.
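The Azure-side steps this procedure relies on (user-assigned managed identity, role assignment, federated identity credential), as an added Azure CLI example that is not part of the AI Hub documentation. Resource names are placeholders, the issuer, subject and audience must come from the configuration details AI Hub displays, and scoping the role to the single container rather than the whole storage account is a choice made here. It prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not AI Hub or Microsoft code). Every default below is a
# constructed placeholder; ISSUER, SUBJECT and AUDIENCE must be copied from the
# configuration details AI Hub displays when you add a managed identity.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-example-rg}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-examplestorage}"
CONTAINER="${CONTAINER:-example-container}"
IDENTITY_NAME="${IDENTITY_NAME:-example-aihub-identity}"
ISSUER="${ISSUER:-https://issuer.example.invalid}"
SUBJECT="${SUBJECT:-placeholder-subject}"
AUDIENCE="${AUDIENCE:-placeholder-audience}"

# Resource ID of a single container, so the role does not cover the whole account.
container_scope() {  # args: subscription, resource group, account, container
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' "$1" "$2" "$3" "$4"
}

# Execute the command when APPLY=1; otherwise print it (dry run, the default).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

setup_identity() (
  scope="$(container_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")"
  # 1. User-assigned managed identity that will hold the federated credential.
  run az identity create --name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP"
  principal_id='<principalId>'  # dry-run stand-in for the identity's object ID
  if [ "${APPLY:-0}" = "1" ]; then
    principal_id="$(az identity show --name "$IDENTITY_NAME" \
      --resource-group "$RESOURCE_GROUP" --query principalId --output tsv)"
  fi
  # 2. Storage Blob Data Contributor, scoped to the one container.
  run az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" --scope "$scope"
  # 3. Federated identity credential built from the values AI Hub provides.
  run az identity federated-credential create --name example-aihub-federation \
    --identity-name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" \
    --issuer "$ISSUER" --subject "$SUBJECT" --audiences "$AUDIENCE"
  # 4. Client ID and tenant ID to enter on the "Identify the managed identity" step.
  run az identity show --name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" \
    --query '{clientId:clientId,tenantId:tenantId}' --output json
)

setup_identity
```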
Managing managed identities
After adding a managed identity, it can be reused when adding other Azure Blob Storage containers. Managed identities added when connecting a workspace drive are reusable within the same workspace only. Managed identities added when connecting an organization drive are reusable across all workspaces.
Reusing managed identities
Previously connected managed identities display in a Managed identity selection dropdown when connecting Azure Blob Storage containers. When reusing a managed identity, you don’t need to add a new federated identity credential as the trust relationship is already established.
Updating managed identities
AI Hub doesn’t support updating or changing the managed identity used for authentication. You can remove then reconnect the container with a new managed identity.
Deleting managed identities
When you delete a managed identity, it can no longer be used for authentication. You can’t delete a managed identity that’s in use with a connected drive. If you want to continue using the connection with a different managed identity, remove then reconnect the container with a new managed identity.
- In Workspaces, select a workspace, then select the Data tab.
- Click Add data source, then select Azure Blob Storage.
- Select an audience.
- Select Managed identity as your authentication method.
- Select the managed identity to delete, then click the delete icon.
- Click Delete to confirm.
Updating a connection
Select configuration changes are supported.
- You can update the drive’s security credentials.
To change the authentication method, you must remove and reconnect the drive.
- In Workspaces, select All workspaces, then select the Data tab.
- Click the overflow icon of the drive to update, then select Modify configuration.
- Make any changes, then click Update to confirm.
Removing a connection
You can remove a connected drive to disconnect it and revoke AI Hub’s access to its contents.
Before you begin
Review the following limitations:
- Removing a drive completely disconnects the drive from AI Hub. Any processed AI Hub files stored on the drive aren’t deleted, but AI Hub loses the ability to reference those files in the future. While you can later reconnect the drive, doing so doesn’t restore the ability to reference files previously saved to the drive. To reference such files, you must re-upload them.
- Default drives can’t be removed. For guidance on changing default drives, see Managing default drives.

- In Workspaces, select All workspaces, then select the Data tab.
- Click the overflow icon of the drive to remove, then select Remove.
- Type the confirmation text, then click Remove.