
Configure Azure Blob delegated access

What you will achieve

You will configure Azure Blob access for Flashback using Microsoft Entra ID + RBAC so you can avoid long-lived storage account keys where possible.

Azure delegated access model (practical view)

For delegated access, assign data-plane RBAC roles to the Flashback Azure identity (guest user or service principal) at the right scope:

  • Storage account scope when access should apply to many containers.

  • Container scope when you want narrower least-privilege access.

Note: Use Entra ID + RBAC where possible. Account keys are broad, long-lived secrets and should be treated as a fallback only.

Prerequisites

  • An Azure subscription.

  • A storage account and target container.

  • Permissions to assign RBAC roles (for example Owner or User Access Administrator at the target scope).

  • The Flashback Azure identity identifier (guest user object ID or service principal app/object ID).

    • If you do not have it, obtain it from Flashback support or from the Flashback UI/documentation available in your organization.

Step-by-step (Azure Portal)

Step 1: Identify the target scope

Choose where to assign permissions:

  • Storage account: broader scope, easier operations.

  • Container: tighter least-privilege boundary (recommended when only specific containers are needed).

In Azure Portal, open your Storage Account, then either:

  • stay at storage account level, or

  • open Data storage → Containers → your-container for container-level scope.

Step 2: Add a role assignment for the Flashback identity

  1. Open Access control (IAM) on the selected scope.

  2. Click Add → Add role assignment.

  3. Select the least-privileged role that covers the required operations:

    • Storage Blob Data Reader (read-only)

    • Storage Blob Data Contributor (read/write/delete for blob data)

  4. Assign access to the Flashback Azure identity (guest user or service principal).

  5. Save the assignment.

Step 3: (Optional) Review network restrictions

If your storage account uses firewalls, private endpoints, or restricted networks, ensure Flashback traffic can reach Azure Blob endpoints.

Delegated IAM permissions alone do not bypass network controls.

Step 4: Configure the bucket in Flashback

In Flashback, follow Configure a Bucket and select:

  • Storage Type: Azure Blob

  • Storage Account: your Azure storage account name

  • Container: your target container

  • Access Key: may be left blank for delegated guest access when supported by your product flow (as documented in the bucket configuration guide)

Step 5: Validate access

After saving, run a basic repository validation:

  • attach the bucket to a repository,

  • perform a simple read/write test according to your role,

  • verify that operations permitted by the assigned role succeed and that operations outside it are denied.

If your workspace has a dedicated validation flow, use that flow first.
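The same scope selection, role assignment and validation as an Azure CLI script, added here as an example; it is not Flashback's own tooling or documentation. It assumes the Azure CLI (`az`) is installed and that you are logged in as an account allowed to assign roles at the target scope. The subscription ID, resource group, storage account, container and Flashback object ID in the script are constructed placeholders. By default the script only echoes the `az` commands it would run; set `DRY_RUN=0` to execute them.

```shell
#!/bin/sh
# Added example for this page (not Flashback's own tooling): assign the minimum
# data-plane blob role to the Flashback identity with the Azure CLI, then verify
# the assignment and the resulting access. Subscription, resource group, account,
# container and object ID values below are constructed placeholders.
set -eu

# Build the ARM resource ID used as --scope. A container scope hangs off the
# storage account as blobServices/default/containers/<name>; omit the container
# argument to get storage-account scope (step 1).
blob_scope() {
  sub="$1"; rg="$2"; account="$3"; container="${4:-}"
  scope="/subscriptions/${sub}/resourceGroups/${rg}/providers/Microsoft.Storage/storageAccounts/${account}"
  if [ -n "$container" ]; then
    scope="${scope}/blobServices/default/containers/${container}"
  fi
  printf '%s' "$scope"
}

# Map the operations Flashback needs to the smallest built-in data-plane role.
# These are blob *data* roles; management-plane roles such as Contributor do not
# grant blob access when authenticating with --auth-mode login.
blob_role_for() {
  case "$1" in
    read)      printf '%s' "Storage Blob Data Reader" ;;
    readwrite) printf '%s' "Storage Blob Data Contributor" ;;
    *)         echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# Echo the command instead of running it unless DRY_RUN=0.
run_or_echo() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Step 2: create the role assignment. --assignee-object-id avoids a directory
# lookup that can fail for guest users; principal type is User or ServicePrincipal.
assign_role() {
  object_id="$1"; principal_type="$2"; role="$3"; scope="$4"
  run_or_echo az role assignment create \
    --assignee-object-id "$object_id" \
    --assignee-principal-type "$principal_type" \
    --role "$role" \
    --scope "$scope"
}

# Troubleshooting "wrong scope" / "role mismatch": list what the identity
# actually holds at this scope, including assignments inherited from parents.
# Propagation can take several minutes after assignment.
show_assignments() {
  object_id="$1"; scope="$2"
  run_or_echo az role assignment list --assignee "$object_id" --scope "$scope" \
    --include-inherited --output table
}

# Step 5: validate with a data-plane call that authenticates through Entra ID
# (--auth-mode login) rather than an account key. To test the Flashback
# identity's effective permissions, log in as that identity first (for a
# service principal: az login --service-principal ...). A 403 with the right
# role in place usually points at network restrictions (step 3) or propagation.
validate_access() {
  account="$1"; container="$2"
  run_or_echo az storage blob list --account-name "$account" \
    --container-name "$container" --auth-mode login --num-results 1 --output table
}

# Constructed sample values; replace with your own.
SUB="00000000-0000-0000-0000-000000000000"
RG="rg-flashback-demo"
ACCOUNT="stflashbackdemo"
CONTAINER="backups"
FLASHBACK_OBJECT_ID="11111111-1111-1111-1111-111111111111"

SCOPE="$(blob_scope "$SUB" "$RG" "$ACCOUNT" "$CONTAINER")"   # container scope
ROLE="$(blob_role_for read)"                                   # read-only
assign_role "$FLASHBACK_OBJECT_ID" ServicePrincipal "$ROLE" "$SCOPE"
show_assignments "$FLASHBACK_OBJECT_ID" "$SCOPE"
validate_access "$ACCOUNT" "$CONTAINER"
```

Dropping the fourth argument to `blob_scope` yields the storage-account scope, which is the choice when many containers need the same access. For a guest user rather than a service principal, pass `User` as the principal type.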

Troubleshooting

  • RBAC changes seem ignored: role propagation can take several minutes.

  • Wrong scope assigned: confirm the role is assigned at the correct container or storage-account scope.

  • Role mismatch: ensure you granted a data-plane blob role (for example Storage Blob Data Reader/Contributor), not only management-plane permissions.

  • Guest account restrictions: some tenants restrict B2B/guest permissions; verify tenant policies for external principals.
