# Azure Blob Storage
Azure Blob Storage enables you to create data lakes for analytics needs and provides storage for building powerful cloud-native and mobile apps.
Workato's Azure Blob Storage connector allows you to automate cloud storage tasks and build data pipelines that automatically pull or push data to Azure Blob Storage from various apps.
# API version
The Azure Blob Storage connector uses the Blob service REST API.
# How to connect to Azure Blob Storage on Workato
You can connect to Azure Blob Storage on Workato by completing the following steps:
1. Create an Integration System User (ISU): Establish an ISU in your Microsoft Entra ID. This ensures that permissions are consistent and all operations are logged on a single account.
2. Choose an authentication type to establish a connection to Workato. Workato supports the following authentication methods:
   - Authorization Code Grant: Use this method for scenarios where Workato performs actions on behalf of a user, leveraging permissions granted to an ISU.
   - Client Credentials Grant: Use this method for service-to-service authentication. This grant type is only available to Tenant-specific connection account types in Workato.
3. Connect to Workato: Follow the setup process to connect Azure Blob Storage to Workato.
# How to create an Integration System User (ISU) for Workato in Microsoft Entra ID
We recommend using an ISU for integration with Workato. This ensures that permissions are consistent and all operations are logged on a single account. Complete the following steps to create an ISU in your Microsoft Entra ID:
PERMISSIONS
The ISU must have access solely to the storage account specified in your Workato connection.
1. Navigate to Microsoft Entra ID.
2. Select Add > User > Create new user.
3. Enter the Identity details for the ISU, such as the User principal name, Display name, and Password.
4. To create your ISU, select Review + create > Create.
# Set up an Authorization Code Grant connection for Azure Blob Storage on Workato
You can use an Authorization Code Grant connection type for scenarios where Workato performs actions on behalf of a user, leveraging permissions granted to an ISU. This setup is essential for using Azure Blob Storage's capabilities, including the new event webhook trigger. Complete the following steps to configure your Workato connection through the Azure portal, ensuring your ISU has the appropriate permissions and scopes:
1. In your Azure portal, navigate to Storage accounts.
2. Select your Storage account.
3. Navigate to the resource group within your Azure Blob Storage account.
4. Go to Access Control (IAM) within the resource group.
5. Click Add > Add role assignment to begin assigning roles to the ISU.
6. Provision the required roles for the ISU:
   - Storage Blob Data Contributor: Grants full read and write access to Azure Blob Storage.
   - Storage Blob Data Reader: Provides read-only access to Azure Blob Storage.
   - EventGrid Event Subscription Contributor: Enables the ISU to establish and manage event subscriptions within Azure Blob Storage, which is required for using the new event webhook trigger.
7. Ensure the Storage Data Contributor role is active for write access, public network access is available for Workato's IP, and the container access level is set to public.
8. Set up your Azure Blob Storage connection in Workato:
   1. Navigate to Advanced settings > OAuth 2.0 authorization code scopes in your connection setup.
   2. Add the Management scope to create webhooks dynamically through the EventGrid API. If left blank, default scopes such as Offline_access, Storage, and Management are added.
   3. Click Sign in with Microsoft and log in with your ISU credentials.
   4. Grant the required permissions to complete the connection setup.
# Set up a Client Credentials Grant connection for Azure Blob Storage
You can establish a connection with Azure Blob Storage using the Client Credentials Grant for service-to-service authentication. Use this grant type for tenant-specific connection account types in Workato. Complete the following steps to set up a Client Credentials Grant connection in Azure Blob Storage:
1. Navigate to App registrations in your Azure portal and select New registration.
2. Enter the Name of the application you plan to register.
3. Choose the Supported account types that can use the application or access the API.
4. Optional. Add a Redirect URI link and enter a URI value. A value is required for most authentication scenarios.
5. Click Register to create the application and view the Overview page.
6. Record the Client ID and Tenant ID for connection setup in Workato.
7. Navigate to Manage > API permissions and select Add a permission.
8. Select permissions for Azure Storage and Azure Service Management on the Request API permissions page, including user_impersonation.
9. Click Add permissions to grant the permissions.
10. Navigate to Certificates & secrets > Client secrets.
11. Generate a New client secret and record its value.
12. Ensure the Client secret is secure.
13. Assign the Storage Blob Data Contributor and EventGrid Event Subscription Contributor roles to the application. This is required to enable full functionality with Azure Blob Storage actions, triggers, and the new event webhook trigger.
14. Set up your Azure Blob Storage connection in Workato. Use the recorded Client ID, Tenant ID, and Client secret to establish a Client Credentials Grant connection.
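
The PERMISSIONS note limits the ISU to the connection's storage account, and the role steps in both grant procedures name three roles for the ISU or the registered application. The audit below is an added example (not Workato's or Microsoft's code) that checks a principal's role assignments against both points; it assumes the assignments were exported with `az role assignment list --all --assignee <principal> -o json`, and the subscription, resource group and account names in the sample are constructed placeholders.

```python
import json

# Roles named in this page's setup steps.
EXPECTED_ROLES = {
    "Storage Blob Data Contributor",
    "Storage Blob Data Reader",
    "EventGrid Event Subscription Contributor",
}

ROLE_REASON = "role not named in the setup steps"
PARENT_REASON = "scope is a parent of the storage account"
OTHER_REASON = "scope is not the connection's storage account"


def audit_assignments(assignments, account_scope):
    """Return (role, scope, reason) findings for one principal's assignments."""
    account = account_scope.rstrip("/").lower()
    findings = []
    for item in assignments:
        role = item.get("roleDefinitionName", "")
        raw_scope = item.get("scope", "")
        scope = raw_scope.rstrip("/").lower()  # ARM IDs compare case-insensitively
        if role not in EXPECTED_ROLES:
            findings.append((role, raw_scope, ROLE_REASON))
        if scope == account or scope.startswith(account + "/"):
            continue  # the account itself, or a container inside it
        # A parent scope (resource group, subscription, root) is inherited downward.
        reason = PARENT_REASON if account.startswith(scope + "/") else OTHER_REASON
        findings.append((role, raw_scope, reason))
    return findings


def audit_json(text, account_scope):
    """Parse the CLI's JSON output and audit it."""
    return audit_assignments(json.loads(text), account_scope)


# Constructed sample in the shape of the CLI output (placeholder IDs and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-integration"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/examplestorageacct"
SAMPLE_JSON = json.dumps([
    {"roleDefinitionName": "Storage Blob Data Contributor", "scope": ACCOUNT},
    {"roleDefinitionName": "EventGrid Event Subscription Contributor", "scope": ACCOUNT},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": RG},
    {"roleDefinitionName": "Contributor", "scope": SUB},
])

if __name__ == "__main__":
    for role, scope, reason in audit_json(SAMPLE_JSON, ACCOUNT):
        print(f"{role} @ {scope}: {reason}")
```

An assignment made at the resource group or subscription is reported because Azure RBAC applies it to every resource beneath that scope, not only to the storage account named in the connection.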
# Create your Workato connection
Complete the following steps to connect your Workato instance to Azure Blob Storage:
1. Enter a Connection name that uniquely identifies the connection.
2. Provide the name of your Storage account from Azure Blob Storage.
3. Select the Connection account type. The default is set to the Common type.
   - Common: Supports personal, enterprise, and multi-tenant accounts that are not tenant-specific.
   - Organization: Supports multi-tenant enterprise accounts.
   - Tenant-specific: Requires you to provide the Tenant ID or Domain.
4. Navigate to Advanced settings to manage additional configurations.
   - For an Authorization Code Grant connection, add necessary scopes in OAuth 2.0 authorization code scopes, including Management to create dynamic webhooks through the EventGrid API. If left blank, the Offline_access, Storage, and Management scopes are added.
   - For a Client Credentials Grant connection, add necessary scopes in OAuth 2.0 client credentials scopes, including Management to create dynamic webhooks through the EventGrid API. Ensure that the specified scopes are also defined in your Azure app registration. If left blank, the Storage and Management scopes are added.
5. Enter the Client ID from your Azure portal by navigating to App registrations > Application > Certificates & secrets.
6. Provide the Client secret from the same location.
7. Optional. Enter an Access key for pre-signed URL functionality.
8. Complete the connection setup by clicking Sign in with Microsoft and authorizing the necessary permissions.
Last updated: 5/23/2024, 4:56:16 AM