Azure Blob Connector
The C3 Agentic AI Platform has a built-in connector for integrating with Azure Blob. To integrate with a new Azure Blob storage account container, you must:
- If they do not already exist, create a storage account and container in Azure with the appropriate storage account access policies.
- Create a mount path for the Azure Blob storage account container in the C3 Agentic AI Platform, if it does not already exist.
- Set the required credentials to access the contents of the storage account.
- Validate the connection.
Create an Azure Blob storage account
Before connecting to an Azure Blob storage account, create a storage account and container in Azure. For more information on creating a storage account with Azure, see Create a storage account in the Microsoft Azure documentation. For more information on creating a container with Azure, see Create a container in the Microsoft Azure documentation.
To access the storage account from the C3 Agentic AI Platform, you must make sure that you have an account access key or secure access signature token to authorize the connection. For more information on access keys, see Manage storage account access keys in the Microsoft Azure documentation.
Minimum permissions needed for read-only access
Ensure that READ and LIST permissions are granted on the SAS token or access key. These permissions allow the user to read files and list the contents of the storage.
For more information on how to grant permissions in Azure, refer to the Azure Identity and Access Management (IAM) documentation.
Platform configurations
After you create the container and configure the appropriate access control policies on Azure, apply the following configurations on the C3 Agentic AI Platform side.
Enable the file system
Run the following to enable the Azure remote file system:
FileSystem.azure().enable();For more information on enabling remote file systems on the C3 Agentic AI Platform, see Work With File Systems.
Create the file system mount
Use the following to add a new file system mount path for Azure:
var mountName = "<mount_name>";
var containerName = "<azure_container_name>";
FileSystem.azure().setMount(mountName, "azure://" + containerName, ConfigOverride.APP);Set credentials for the Azure Blob storage account container
When setting the credentials to access the contents of the Azure Blob storage account container, one option is to use an account access key:
var subscriptionId = "<your_subscription_id>";
var accountName = "<your_storage_account_name>";
var containerName = "<your_container_name>";
var accessKey = "<your_access_key>";
var region = "<your_storage_account_region>";
var storageCredentials = AzureStorageCredentials.make({
accountName: accountName,
accessKey: accessKey,
});
var credentials = AzureCredentials.make({
accountId: subscriptionId,
region: region,
storageCredentials: storageCredentials,
});
AzureBlobContainer.setCredentialsForResourceName(
containerName,
credentials,
ConfigOverride.APP
);Another option is to use a secure access signature token:
var subscriptionId = "<your_subscription_id>";
var accountName = "<your_storage_account_name>";
var containerName = "<your_container_name>";
var sasToken = "<your_sas_token>";
var region = "<your_storage_account_region>";
var storageCredentials = AzureStorageCredentials.make({
accountName: accountName,
sasToken: sasToken,
});
var credentials = AzureCredentials.make({
accountId: subscriptionId,
region: region,
storageCredentials: storageCredentials,
});
AzureBlobContainer.setCredentialsForResourceName(
containerName,
credentials,
ConfigOverride.APP
);The last option is to copy the credential that is being used to authorize another Azure Blob storage account container, provided that the C3 Agentic AI Platform is already connected to an existing Azure Blob container in the same storage account.
This only works when securing requests with the account access key:
var otherContainerName = "<name_of_the_existing_container>";
var containerName = "<your_container_name>";
var credentials = AzureCredentials.make(
AzureBlobContainer.forResourceName(otherContainerName).credentials
);
AzureBlobContainer.setCredentialsForResourceName(
containerName,
credentials,
ConfigOverride.APP
);To minimize security risk vectors, you should consider using a least-privileges approach when establishing IAM roles and setting credentials, especially in production environments.
Validate the connection
After you apply the required configurations, you can validate that the Azure Blob storage account container has been correctly integrated by listing the files in the container:
var mountName = "<mount_name>";
FileSystem.azure().listFiles(FileSystem.azure().urlFromMount(mountName));This request succeeds if the configuration has been correctly applied, even if there are no files in the container.
Clear credentials
To clear credentials for an Azure Blob storage account container and delete the associated mount path, you can run the following:
var containerName = "<your_container_name>";
var mountName = "<mount_name>";
AzureBlobContainer.forResourceName(containerName).clearConfigAndSecretAllOverrides();
FileSystem.azure().removeMount(mountName, ConfigOverride.APP);