
Microsoft Azure storage driver

docs/content/storage-drivers/azure.md


An implementation of the storagedriver.StorageDriver interface which uses Microsoft Azure Blob Storage for object storage.

Parameters

| Parameter | Required | Description |
|-----------|----------|-------------|
| accountname | yes | Name of the Azure Storage Account. |
| accountkey | yes | Primary or Secondary Key for the Storage Account. |
| container | yes | Name of the Azure root storage container in which all registry data is stored. Must comply with the storage container name requirements. For example, if your URL is https://myaccount.blob.core.windows.net/myblob, use the container value of myblob. |
| credentials | yes | Azure credentials used to authenticate with Azure blob storage. |
| rootdirectory | no | A prefix applied to all Azure keys, which lets you segment data in your container if necessary. |
| realm | no | Domain name suffix for the Storage Service API endpoint. For example, the realm for "Azure in China" would be core.chinacloudapi.cn and the realm for "Azure Government" would be core.usgovcloudapi.net. By default, this is core.windows.net. |
| max_retries | no | Max retries for driver operation status. Retries use a simple backoff algorithm where each retry number is multiplied by retry_delay, and this number is used as the delay. Set to -1 to disable retries and abort if the copy does not complete immediately. Defaults to 5. |
| retry_delay | no | Time to wait between retries for driver operation status. This time is multiplied by N on each retry, where N is the retry number. Defaults to 100ms. |

Credentials

| Parameter | Required | Description |
|-----------|----------|-------------|
| type | yes | Azure credentials used to authenticate with Azure blob storage (client_secret, shared_key, default_credentials). |
| clientid | no | The unique application ID of this application in your directory. Required if not using Workload Identity. |
| tenantid | no | Azure Active Directory’s global unique identifier. Required if not using Workload Identity. |
| secret | no | A secret string that the application uses to prove its identity when requesting a token. Required if not using Workload Identity. |

Azure managed identity

To use managed identity to access Azure blob storage you can use Microsoft Bicep.

The following configures credentials that the Azure storage driver will use to construct AZ Identity to access the blob storage:

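```bicep
properties: {
  azure: {
    accountname: accountname
    container: containername
    credentials: {
      // One of the documented types: client_secret, shared_key, default_credentials
      type: default_credentials
    }
  }
}
```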

Azure workload identity

If running in an AKS cluster with Azure workload identity, use the default_credentials type. There's no need to set the other credentials fields. The service account will need at least the Storage Blob Data Contributor role on the storage account to read and write to it.
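
The credentials rules above can be checked mechanically before a registry configuration is deployed. The following is an added example, not code from the Distribution project: the function name `audit_credentials`, the sample maps and the placeholder values are constructed for illustration, and it assumes the `azure` parameters have already been parsed into a dictionary and that `client_secret` is the case in which `clientid`, `tenantid` and `secret` are all required.

```python
ALLOWED_TYPES = ("client_secret", "shared_key", "default_credentials")
IDENTITY_FIELDS = ("clientid", "tenantid", "secret")


def audit_credentials(azure):
    """Return a list of findings for the `credentials` block of one
    azure storage driver parameter map (already parsed into a dict)."""
    creds = azure.get("credentials")
    if not isinstance(creds, dict):
        return ["credentials: block is missing (marked required)"]

    ctype = creds.get("type")
    if ctype not in ALLOWED_TYPES:
        return [f"credentials.type: {ctype!r} is not one of the documented values "
                f"({', '.join(ALLOWED_TYPES)})"]

    present = [f for f in IDENTITY_FIELDS if creds.get(f)]
    findings = []
    if ctype == "default_credentials":
        # Workload/managed identity: the other fields are not needed, so a
        # value left behind is a static credential sitting in the config.
        findings += [f"credentials.{f}: not needed with default_credentials, remove it"
                     for f in present]
    elif ctype == "client_secret":
        # Assumption: client_secret is the non-workload-identity case in which
        # the table marks all three fields as required.
        findings += [f"credentials.{f}: required for client_secret"
                     for f in IDENTITY_FIELDS if f not in present]
    return findings


# Constructed sample inputs (placeholder values, not real identifiers).
SAMPLES = {
    "workload-identity": {"accountname": "myaccount", "container": "myblob",
                          "credentials": {"type": "default_credentials"}},
    "leftover-secret": {"accountname": "myaccount", "container": "myblob",
                        "credentials": {"type": "default_credentials",
                                        "secret": "PLACEHOLDER"}},
    "incomplete-sp": {"accountname": "myaccount", "container": "myblob",
                      "credentials": {"type": "client_secret",
                                      "clientid": "PLACEHOLDER"}},
    "undocumented-type": {"accountname": "myaccount", "container": "myblob",
                          "credentials": {"type": "default"}},
}

if __name__ == "__main__":
    for name, params in SAMPLES.items():
        print(name, audit_credentials(params) or "ok")
```

The check covers only the `credentials` block; it does not validate `accountname`, `accountkey`, `container` or the retry settings.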