Connecting Azure Blob Storage

Commercial & Enterprise

Users with workspace manager permissions or higher can connect Azure Blob Storage containers to AI Hub.

About this connection

Review the following functionality, limitations, and other considerations when connecting an Azure Blob Storage container.

  • Functionality — Connected Azure Blob Storage containers are supported for use as a source of input files, a destination for file output, and as an upstream or downstream integration in deployments. Azure Blob Storage containers can also be used as default drives.

  • Authentication — AI Hub supports three authentication methods for Azure Blob Storage containers: connection strings, service principals, and managed identities.

  • Supported content — Any supported file types.

Connecting Azure Blob Storage

You can connect your Azure Blob Storage container using the following authentication methods:

Authenticating with a connection string

  1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

  2. Click Add data source, then select Azure Blob Storage.

  3. Select an audience.

    • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

    • Organization members — Connect the drive at the organization level, making it available to all workspaces.

  4. On the configuration screen, fill in your authentication and container details, then click Next.

  5. Enter a display name for the drive. This name can’t be changed later.

  6. Fill in your authentication and container details, then click Next.

    | Setting | Required | Description |
    | --- | --- | --- |
    | Name your drive | Required | A display name for the connected drive. This name can’t be changed later. |
    | Container name | Required | The name of your Azure Blob Storage container. |
    | Auth method | Required | The authentication method to use when connecting to your storage. |
    | Connection string | Visible and required when Auth method is set to Connection string. | The connection string for your Azure storage account. |

  7. Select whether to set the drive as a default drive. This isn’t usually recommended; see Managing default drives for details.

  8. Click Done.

Authenticating with a service principal

Before you begin

The service principal must have the required permissions to access and perform file operations on your storage container. Assign the Storage Blob Data Contributor role.
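
For the prerequisite above, one way to keep the grant least-privilege is to assign the role on the single container AI Hub connects to rather than on the whole storage account or subscription. This is an added example using the Azure CLI, not part of the AI Hub documentation; the client ID, subscription ID, resource group, account and container names are constructed placeholders.

```shell
#!/bin/sh
# Added example: assign Storage Blob Data Contributor on ONE container.
# Every ID and name used here is a constructed placeholder (assumption).

ROLE="Storage Blob Data Contributor"

# Storage account names: 3-24 lowercase letters and digits.
valid_account() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'
}

# Container names: 3-63 chars of lowercase letters, digits and single
# hyphens, starting and ending with a letter or digit.
valid_container() {
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ] &&
    printf '%s' "$1" | grep -Eq '^[a-z0-9](-?[a-z0-9])*$'
}

# Build the ARM resource ID of one container, used as the assignment scope.
# Args: subscription-id resource-group storage-account container
container_scope() {
  valid_account "$3"   || { echo "bad storage account name: $3" >&2; return 1; }
  valid_container "$4" || { echo "bad container name: $4" >&2; return 1; }
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

# Assign the role at container scope.
# Prints the command for review unless APPLY=1 is set (needs `az login`).
# Args: client-id subscription-id resource-group storage-account container
assign_blob_contributor() {
  scope=$(container_scope "$2" "$3" "$4" "$5") || return 1
  if [ "${APPLY:-0}" = 1 ]; then
    az role assignment create --assignee "$1" --role "$ROLE" --scope "$scope"
  else
    printf 'az role assignment create --assignee %s --role "%s" --scope "%s"\n' \
      "$1" "$ROLE" "$scope"
  fi
}

# Dry run with constructed placeholder values:
assign_blob_contributor 00000000-0000-0000-0000-000000000000 \
  11111111-1111-1111-1111-111111111111 example-rg examplestorage aihub-input

# To review what is granted on that scope afterwards, including inherited
# assignments from the account or subscription:
#   az role assignment list --scope "<scope>" --include-inherited -o table
```
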

  1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

  2. Click Add data source, then select Azure Blob Storage.

  3. Select an audience.

    • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

    • Organization members — Connect the drive at the organization level, making it available to all workspaces.

  4. Enter a display name for the drive. This name can’t be changed later.

  5. Fill in your authentication and container details, then click Next.

    | Setting | Required | Description |
    | --- | --- | --- |
    | Container name | Required | The name of your Azure Blob Storage container. |
    | Auth method | Required | The authentication method to use when connecting to your storage. |
    | Service URL | Visible and required when Auth method is set to Service principal. | The endpoint for the Blob Service registered to the container’s storage account, such as https://<storage account>.blob.core.windows.net/. |
    | Tenant ID | Visible and required when Auth method is set to Service principal. | The tenant ID for the service principal. |
    | Client ID | Visible and required when Auth method is set to Service principal. | The client ID for the service principal. |
    | Client secret | Visible and required when Auth method is set to Service principal. | The client secret for the service principal. |

  6. Select whether to set the drive as a default drive. This isn’t usually recommended; see Managing default drives for details.

  7. Click Done.

Authenticating with a managed identity

Before you begin

To authenticate with a managed identity, ensure you’ve completed the following. AI Hub assumes you’ve created a managed identity with the required access permissions, and focuses on providing the necessary information to create a federated identity credential.

  1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

  2. Click Add data source, then select Azure Blob Storage.

  3. Select an audience.

    • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

    • Organization members — Connect the drive at the organization level, making it available to all workspaces.

  4. Enter a display name for the drive. This name can’t be changed later.

  5. Select Managed identity as your authentication method.

  6. Add a new managed identity or select a previously added managed identity, then click Next.

    1. Click the + icon next to the managed identity selection dropdown.

    2. Using the provided configuration details, add a federated identity credential to the user-assigned managed identity. For guidance, see the Microsoft Entra Configure a user-assigned managed identity to trust an external identity provider documentation, following the Kubernetes accessing Azure resources scenario.

    3. Confirm the federated identity credential is added, then click Next.

    4. Identify the managed identity:

      • Managed identity display name: A display name for the managed identity. This value doesn’t need to correspond to any value in Microsoft Entra or Azure. Display names can’t be changed after saving.

      • Managed identity client ID: The client ID of the user-assigned managed identity. Listed on the managed identity Overview page.

      • Tenant ID: The tenant ID of the Microsoft Entra ID instance.

    5. Click Next.

  7. On the configuration screen, fill in your container details, then click Next.

    | Setting | Required | Description |
    | --- | --- | --- |
    | Storage account name | Required | The name of the Azure storage account where the container exists. |
    | Container name | Required | The name of your Azure Blob Storage container. |
    | Path to drive | Optional | A file path to a folder in the container where the desired input files are found. Leave empty to accept default (root). |

  8. Select whether to set the drive as a default drive. This isn’t usually recommended; see Managing default drives for details.

  9. Click Done.

Managing managed identities

After adding a managed identity, it can be reused when adding other Azure Blob Storage containers. Managed identities added when connecting a workspace drive are reusable within the same workspace only. Managed identities added when connecting an organization drive are reusable across all workspaces.

Reusing managed identities

Previously connected managed identities display in a Managed identity selection dropdown when connecting Azure Blob Storage containers. When reusing a managed identity, you don’t need to add a new federated identity credential as the trust relationship is already established.

Updating managed identities

AI Hub doesn’t support updating or changing the managed identity used for authentication. You can remove then reconnect the container with a new managed identity.

Deleting managed identities

When you delete a managed identity, it can no longer be used for authentication. You can’t delete a managed identity that’s in use with a connected drive. If you want to continue using the connection with a different managed identity, remove then reconnect the container with a new managed identity.

  1. In Workspaces, select a workspace, then select the Data tab.

  2. Click Add data source, then select Azure Blob Storage.

  3. Select an audience.

  4. Select Managed identity as your authentication method.

  5. Select the managed identity to delete, then click the delete icon (trash can).

  6. Click Delete to confirm.

Updating a connection

Select configuration changes are supported.

  • You can update the drive’s security credentials.

To change the authentication method, you must remove and reconnect the drive.

  1. In Workspaces, select All workspaces, then select the Data tab.

  2. Click the overflow icon (three stacked vertical dots) of the drive to update, then select Modify configuration.

  3. Make any changes, then click Update to confirm.

Removing a connection

You can remove a connected drive to disconnect it and revoke AI Hub’s access to its contents.

Before you begin

Review the following limitations:

  • Removing a drive completely disconnects the drive from AI Hub. Any processed AI Hub files stored on the drive aren’t deleted, but AI Hub loses the ability to reference those files in the future. While you can later reconnect the drive, doing so doesn’t restore the ability to reference files previously saved to the drive. To reference such files, you must re-upload them.

  • Default drives can’t be removed. For guidance on changing default drives, see Managing default drives.

  1. In Workspaces, select All workspaces, then select the Data tab.

  2. Click the overflow icon (three stacked vertical dots) of the drive to remove, then select Remove.

  3. Type the confirmation text, then click Remove.