Connecting Azure Blob Storage

Commercial & Enterprise

Users with workspace manager permissions or higher can connect Azure Blob Storage containers to AI Hub.

About this connection

Review the following functionality, limitations, and other considerations when connecting an Azure Blob Storage container.

• Functionality — Connected Azure Blob Storage containers are supported for use as a source of input files, a destination for file output, and as an upstream or downstream integration in deployments. Azure Blob Storage containers can also be used as default drives.

• Authentication — AI Hub supports three authentication methods for Azure Blob Storage containers: connection strings, service principals, and managed identities.

• Supported content — Any supported file types.

Connecting Azure Blob Storage

You can connect your Azure Blob Storage container using the following authentication methods:

• Connection string

• Service principal

• Managed identity

Authenticating with a connection string

1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

2. Click Add data source, then select Azure Blob Storage.

3. Select an audience.

   • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

   • Organization members — Connect the drive at the organization level, making it available to all workspaces.

4. On the configuration screen, fill in your authentication and container details, then click Next.

5. Enter a display name for the drive. This name can’t be changed later.

6. Fill in your authentication and container details, then click Next.

   Setting	Required	Description
   Name your drive	Required	A display name for the connected drive. This name can’t be changed later.
   Container name	Required	The name of your Azure Blob Storage container.
   Auth method	Required	The authentication method to use when connecting to your storage.
   Connection string	Visible and required when Auth method is set to Connection string.	The connection string for your Azure storage account.

7. Select whether to set the drive as a default drive. Not usually recommended, see Managing default drives for details.

8. Click Done

Authenticating with a service principal

1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

2. Click Add data source, then select Azure Blob Storage.

3. Select an audience.

   • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

   • Organization members — Connect the drive at the organization level, making it available to all workspaces.

4. Enter a display name for the drive. This name can’t be changed later.

5. Fill in your authentication and container details, then click Next.

   Setting	Required	Description
   Container name	Required	The name of your Azure Blob Storage container.
   Auth method	Required	The authentication method to use when connecting to your storage.
   Service URL	Visible and required when Auth method is set to Service principal.	The endpoint for the Blob Service registered to the container’s storage account, such as https://<storage account>.blob.core.windows.net/.
   Tenant ID	Visible and required when Auth method is set to Service principal.	The tenant ID for the service principal.
   Client ID	Visible and required when Auth method is set to Service principal.	The client ID for the service principal.
   Client secret	Visible and required when Auth method is set to Service principal.	The client secret for the service principal.

6. Select whether to set the drive as a default drive. Not usually recommended, see Managing default drives for details.

7. Click Done

Authenticating with a managed identity

1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

2. Click Add data source, then select Azure Blob Storage.

3. Select an audience.

   • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

   • Organization members — Connect the drive at the organization level, making it available to all workspaces.

4. Enter a display name for the drive. This name can’t be changed later.

5. Select Managed identity as your authentication method.

6. Add a new managed identity or select a previously added managed identity, then click Next.

   Adding a managed identity

   1. Click the + icon next to the managed identity selection dropdown.

   2. Using the provided configuration details, add a federated identity credential to the user-assigned managed identity. For guidance, see the Microsoft Entra Configure a user-assigned managed identity to trust an external identity provider documentation, following the Kubernetes accessing Azure resources scenario.

   3. Confirm the federated identity credential is added, then click Next.

   4. Identify the managed identity:

      • Managed identity display name: A display name for the managed identity. This value doesn’t need to correspond to any value in Microsoft Entra or Azure. Display names can’t be changed after saving.

      • Managed identity client ID: The client ID of the user-assigned managed identity. Listed on the managed identity Overview page.

      • Tenant ID: The tenant ID of the Microsoft Entra ID instance.

   5. Click Next.

7. On the configuration screen, fill in your container details, then click Next.

   Setting	Required	Description
   Storage account name	Required	The name of the Azure storage account where the container exists.
   Container name	Required	The name of your Azure Blob Storage container.
   Path to drive	Optional	A file path to a folder in the container where the desired input files are found. Leave empty to accept default (root).

8. Select whether to set the drive as a default drive. Not usually recommended, see Managing default drives for details.

9. Click Done

Managing managed identities

After adding a managed identity, it can be reused when adding other Azure Blob Storage containers. Managed identities added when connecting a workspace drive are reusable within the same workspace only. Roles added when connecting an organization drive are reusable across all workspaces.

Reusing managed identities

Previously connected managed identities display in a Managed identity selection dropdown when connecting Azure Blob Storage containers. When reusing a role, you don’t need to add a new federated identity credential as the trust relationship is already established.

Updating managed identities

AI Hub doesn’t support updating or changing the managed identity used for authentication. You can remove then reconnect the container with a new managed identity.

Deleting managed identities

When you delete a role, it can no longer be used for authentication. You can’t delete an IAM role that’s in use with a connected drive. If you want to continue using the connection with a different role, remove then reconnect the bucket with a new role.

1. In Workspaces, select a workspace, then select the Data tab.

2. Click Add data source, then select Azure Blob Storage.

3. Select an audience.

4. Select Managed identity as your authentication method.

5. Select the managed identity to delete, then click the delete icon .

6. Click Delete to confirm.

Updating a connection

Select configuration changes are supported.

• You can update the drive’s security credentials.

To change the authentication method, you must remove and reconnect the drive.

1. In Workspaces, select All workspaces, then select the Data tab.

2. Click the overflow icon of the drive to update, then select Modify configuration.

3. Make any changes, then click Update to confirm.

Removing a connection

You can remove a connected drive to disconnect it and revoke AI Hub’s access to its contents.

1. In Workspaces, select All workspaces, then select the Data tab.

2. Click the overflow icon of the drive to remove, then select Remove.

3. Type the confirmation text, then click Remove.