Azure Blob Connector
The C3 Agentic AI Platform has a built-in connector for integrating with Azure Blob. To integrate with a new Azure Blob storage account container, you must:
- If they do not already exist, create a storage account and container in Azure with the appropriate storage account access policies.
- Create a mount path for the Azure Blob storage account container in the C3 Agentic AI Platform, if it does not already exist.
- Set the required credentials to access the contents of the storage account.
- Validate the connection.
Create an Azure Blob storage account
Before connecting to an Azure Blob storage account, create a storage account and container in Azure. For more information on creating a storage account with Azure, see Create a storage account in the Microsoft Azure documentation. For more information on creating a container with Azure, see Create a container in the Microsoft Azure documentation.
To access the storage account from the C3 Agentic AI Platform, you must make sure that you have an account access key or secure access signature token to authorize the connection. For more information on access keys, see Manage storage account access keys in the Microsoft Azure documentation.
Minimum permissions needed for read-only access
Ensure that READ and LIST permissions are granted on the SAS token or access key. These permissions allow the user to read files and list the contents of the storage.
For more information on how to grant permissions in Azure, refer to the Azure Identity and Access Management (IAM) documentation.
Platform configurations
After you create the container and configure the appropriate access control policies on Azure, apply the following configurations on the C3 Agentic AI Platform side.
Enable the file system
Run the following to enable the Azure remote file system:
FileSystem.azure().enable();For more information on enabling remote file systems on the C3 Agentic AI Platform, see Work With File Systems.
Create the file system mount
Use the following to add a new file system mount path for Azure:
var mountName = "<mount_name>";
var containerName = "<azure_container_name>";
FileSystem.azure().setMount(mountName, "azure://" + containerName, ConfigOverride.APP);Set credentials for the Azure Blob storage account container
When setting the credentials to access the contents of the Azure Blob storage account container, one option is to use an account access key:
var subscriptionId = "<your_subscription_id>";
var accountName = "<your_storage_account_name>";
var containerName = "<your_container_name>";
var accessKey = "<your_access_key>";
var region = "<your_storage_account_region>";
var storageCredentials = AzureStorageCredentials.make({
accountName: accountName,
accessKey: accessKey,
});
var credentials = AzureCredentials.make({
accountId: subscriptionId,
region: region,
storageCredentials: storageCredentials,
});
AzureBlobContainer.setCredentialsForResourceName(
containerName,
credentials,
ConfigOverride.APP
);Another option is to use a secure access signature token:
var subscriptionId = "<your_subscription_id>";
var accountName = "<your_storage_account_name>";
var containerName = "<your_container_name>";
var sasToken = "<your_sas_token>";
var region = "<your_storage_account_region>";
var storageCredentials = AzureStorageCredentials.make({
accountName: accountName,
sasToken: sasToken,
});
var credentials = AzureCredentials.make({
accountId: subscriptionId,
region: region,
storageCredentials: storageCredentials,
});
AzureBlobContainer.setCredentialsForResourceName(
containerName,
credentials,
ConfigOverride.APP
);The last option is to copy the credential that is being used to authorize another Azure Blob storage account container, provided that the C3 Agentic AI Platform is already connected to an existing Azure Blob container in the same storage account.
This only works when securing requests with the account access key:
var otherContainerName = "<name_of_the_existing_container>";
var containerName = "<your_container_name>";
var credentials = AzureCredentials.make(
AzureBlobContainer.forResourceName(otherContainerName).credentials
);
AzureBlobContainer.setCredentialsForResourceName(
containerName,
credentials,
ConfigOverride.APP
);To minimize security risk vectors, you should consider using a least-privileges approach when establishing IAM roles and setting credentials, especially in production environments.
Validate the connection
After you apply the required configurations, you can validate that the Azure Blob storage account container has been correctly integrated by listing the files in the container:
var mountName = "<mount_name>";
FileSystem.azure().listFiles(FileSystem.azure().urlFromMount(mountName));This request succeeds if the configuration has been correctly applied, even if there are no files in the container.
Clear credentials
To clear credentials for an Azure Blob storage account container and delete the associated mount path, you can run the following:
var containerName = "<your_container_name>";
var mountName = "<mount_name>";
AzureBlobContainer.forResourceName(containerName).clearConfigAndSecretAllOverrides();
FileSystem.azure().removeMount(mountName, ConfigOverride.APP);Configure Service Principal Authentication for ADLS
Azure Data Lake Storage (ADLS) can be configured using Azure Active Directory Service Principal (SP) authentication. This method allows C3 to authenticate using an Azure application identity instead of a shared storage account key.
Service Principal authentication is recommended for enterprise environments because it supports Azure RBAC, enables granular permission control, and avoids distributing long‑lived storage account keys.
Before you begin
Ensure the following prerequisites are met:
- An existing ADLS Gen2 storage account
- A container created within the storage account
- Permissions to create Azure AD App Registrations
- RBAC permissions to assign roles on the storage account
Step 1: Create a Service Principal in Azure
- In the Azure Portal, navigate to:
Azure Active Directory → App registrations - Click New registration and create a new application.
- After creation, open the application’s Overview page.
- Record the following values:
- Application (client) ID
- Directory (tenant) ID
These values are required when configuring credentials in C3.
Step 2: Create a Client Secret
- Within the App Registration, navigate to
Certificates & secrets. - Select Client secrets.
- Click New client secret to generate a new secret.
- After creation, copy the Value immediately.
Important:
The client secret value is only visible once.
Make sure to store it securely before leaving the page.
Step 3: Grant the Service Principal Access to ADLS
Assign the appropriate Azure RBAC role to the Service Principal on the ADLS Gen2 storage account or container.
In most Data Fusion ingestion scenarios, the recommended baseline role is:
- Storage Blob Data Contributor – Provides read/write access to containers and blobs. This is typically sufficient for ingestion, file listing, and folder creation scenarios.
If your use case requires stricter or broader access, refer to Azure’s official RBAC documentation to select the appropriate permission level.
Important:
Assign the role at the correct scope (either the storage account or the container).
Incorrect scope assignment can prevent the Service Principal from accessing required file paths.
Step 4: Configure the Mount in C3
Define the ADLS mount path:
c3.FileSystem.azure().setMount(
"adlsbucketdz",
"azure://adlsbucketdz/",
c3.ConfigOverride.APP
);Where:
- "adlsbucketdz" — the logical name of the mount
- "azure://adlsbucketdz/" — the ADLS storage account root URL
Step 5: Configure Azure Storage Credentials
Create the storage credential reference: JavaScriptcreds = c3.AzureStorageCredentials.make() .withAccountName("adlsbucketdz");Show more lines
creds = c3.AzureStorageCredentials.make()
.withAccountName("adlsbucketdz");Note: AccountName must match the actual ADLS storage account name.
Step 6: Configure AzureCredentials Using the Service Principal
Create credentials using the Azure AD Service Principal values:
credentials = c3.AzureCredentials.make()
.withActiveDirectoryId("<DirectoryTenantId>")
.withAccessKey("<ApplicationClientId>")
.withSecretKey("<ClientSecretValue>")
.withStorageCredentials(creds);Replace:
- <DirectoryTenantId> → Azure AD Directory (Tenant) ID
- <ApplicationClientId> → Azure AD Application (Client) ID
- <ClientSecretValue> → The Client Secret created in Step 2
Field Mapping
The following table maps C3 credential fields to their corresponding Azure AD and ADLS values:
| C3 Field | Azure Value |
|---|---|
| AccountName | ADLS storage account name |
| ActiveDirectoryId | Directory (tenant) ID |
| AccessKey | Application (client) ID |
| SecretKey | Client secret (Value field) |
Note:
In this configuration, AccessKey refers to the Azure Application (Client) ID, not a storage account access key.
Note on Secret Handling
When you provide the Client Secret in the configuration—whether through the UI or via a credentials object—the platform automatically stores the secret securely in Vault.
No additional setup or manual Vault configuration is required.
This ensures that:
- Secrets are never stored in plain text
- Credentials are protected using the platform’s built‑in security model
- Users do not need to interact with Vault directly for this workflow
If the Client Secret is regenerated or rotated in Azure, simply update the value in the configuration.
The platform will securely store the new secret automatically.
Step 7: Attach Credentials to the FileSourceSystem
Bind the credentials to the ADLS FileSourceSystem:
c3.FileSourceSystem.forName("adlsbucketdz")
.setCredentials(credentials);Step 8: Validate the Configuration
After configuring the credentials:
- Associate the credentials with your
FileSourceSystemor any Azure‑based Source System. - Test connectivity to ensure the Service Principal can successfully access ADLS.
Verify connectivity by listing files:
c3.FileSystem.azure().listFiles("azure://adlsbucketdz/test.json");If the file listing succeeds, the Service Principal authentication is correctly configured and Data Fusion can access the ADLS path.
Authentication Behavior
When using Service Principal authentication:
- Authentication is performed through Azure Active Directory (AAD).
- Authorization is controlled by Azure RBAC roles assigned on the storage account or container.
- No storage account access keys are required.
- Credentials are scoped only to the configured
FileSourceSystem, ensuring controlled and limited access.
Security Considerations
- Store the client secret securely (for example, in Vault, if supported by your deployment).
- Avoid embedding secrets directly in application code or configuration files in production environments.
- Rotate client secrets periodically according to your organization’s security policies.
- Update the configuration anytime the client secret is regenerated; the platform will securely store the new version automatically.