
Azure Blob Storage connector for files

The Continuous Compliance Engine supports connecting to blobs (files and mainframe datasets) stored in Azure Storage with the Azure Blob Storage cloud connector.


Configuring an Azure Blob Storage Connector

  1. connectorName: Specifies the name of the connector.

  2. environmentId: Indicates the identifier of the environment where the connector will be configured.

  3. fileType: Denotes the type of files to be managed by the connector.

  4. connectionInfo: This section contains details necessary for establishing a connection to the Azure Blob Storage service.

    • connectionMode: Specifies the mode of connection. Set it to "AZURE_BLOB_STORAGE" to connect to Azure Blob Storage.

    • prefix: Indicates the prefix to filter blobs within the Azure Blob Storage container.

    • delimiter: Indicates the delimiter to filter blobs within the Azure Blob Storage container.

    • accountName: Specifies the name of the Azure Blob Storage account.

    • containerName: Specifies the name of the container within the Azure storage account.

    • authType: The Continuous Compliance Engine offers support for connecting to Azure Blob Storage through two authentication methods: Azure access key-based authentication (AZURE_SECRET) and Azure Identity-based authentication (AZURE_MANAGED_IDENTITY).

Access key-based authentication requires:

  • accessKey: The Azure account shared access key used to authenticate.

Note: We do not validate the Prefix and Delimiter fields during the "Test Connection" process for the Azure file connector. These fields are only utilized while listing the files associated with the connector.

For more information about prefix and delimiter, please refer to the Azure List Blobs REST API.
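
Because "Test Connection" does not validate prefix and delimiter, it helps to check locally which blob names a given pair would select. The following Python code is an added example, not Delphix or Azure code: it models the List Blobs filtering rules for a flat-namespace container, and the function name list_blobs and the blob names are constructed for illustration.

```python
# Added example: local model of how Azure List Blobs applies prefix and
# delimiter on a flat-namespace container. Not Delphix or Azure code.

def list_blobs(names, prefix="", delimiter=""):
    """Return (blobs, virtual_dirs) for the given filter pair.

    blobs        -- names that start with prefix and contain no delimiter
                    after it (returned as individual blobs).
    virtual_dirs -- BlobPrefix roll-ups: prefix plus everything up to and
                    including the first delimiter that follows the prefix.
    """
    blobs, virtual_dirs = [], []
    for name in sorted(names):
        if not name.startswith(prefix):      # blob names are case-sensitive
            continue
        rest = name[len(prefix):]
        cut = rest.find(delimiter) if delimiter else -1
        if cut == -1:
            blobs.append(name)
        else:
            rolled = prefix + rest[:cut + len(delimiter)]
            if rolled not in virtual_dirs:
                virtual_dirs.append(rolled)
    return blobs, virtual_dirs


# Constructed blob names for illustration only.
SAMPLE = [
    "delimited/customers.csv",
    "delimited/orders.csv",
    "delimited/archive/2023/customers.csv",
    "delimited-old/customers.csv",
    "fixed/accounts.dat",
]

# Filter pairs to compare; the first is the pair used in this page's
# sample payloads.
CASES = [("delimited/", "/"), ("delimited", "/"),
         ("delimited/", ""), ("Delimited/", "/")]

if __name__ == "__main__":
    for prefix, delimiter in CASES:
        blobs, dirs = list_blobs(SAMPLE, prefix, delimiter)
        print(f"prefix={prefix!r} delimiter={delimiter!r}")
        print(f"  blobs: {blobs}")
        print(f"  virtual directories: {dirs}")
```

A prefix without its trailing slash also matches sibling paths such as delimited-old/, and a prefix in the wrong case matches nothing.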


Sample payloads

  • Azure Secret
    To connect to Azure using AZURE_SECRET authentication, Continuous Compliance requires a shared access key for authentication.

{
    "connectorName": "AZURE_DELIMITED_SECRET",
    "environmentId": 1,
    "fileType": "DELIMITED",
    "connectionInfo": {
        "connectionMode": "AZURE_BLOB_STORAGE",
        "azureBlobStorageDetails": {
            "accessKey": "<Your shared account access key>",
            "accountName": "maskingtest",
            "authType": "AZURE_SECRET",
            "containerName": "test-container",
            "delimiter": "/",
            "prefix": "delimited/"
        }
    }
}
  • Azure Managed Identity
    To establish secure communication between a masking engine hosted on Azure cloud and Azure Blob Storage, we utilize Azure identity-based authentication. This method removes the need for static access keys, enhancing security by dynamically generating temporary credential tokens. For more details about Azure identity-based authentication, please refer to the Azure Identity documentation.

{
    "connectorName": "AZURE_DELIMITED_IDENTITY",
    "environmentId": 1,
    "fileType": "DELIMITED",
    "connectionInfo": {
        "connectionMode": "AZURE_BLOB_STORAGE",
        "azureBlobStorageDetails": {
            "accountName": "maskingtest",
            "authType": "AZURE_MANAGED_IDENTITY",
            "containerName": "test-container",
            "delimiter": "/",
            "prefix": "delimited/"
        }
    }
}

We use the following APIs to connect to Azure Blobs. Please ensure that the access key or identity used for authentication has the necessary permissions for these APIs.

  • Container APIs

    • List Containers

    • Get Container Properties

    • List Blobs

  • Blob APIs

    • Delete Blob

    • Get Blob Properties

    • Get Blob

    • Copy Blob

    • Abort Copy Blob

    • Put Blob

  • Block Blob APIs

    • Get Block List

    • Put Block

    • Put Block List

Limitations

  • Azure Managed Identity-based connectivity is limited to Continuous Compliance instances hosted within the Azure cloud. Any attempts to connect from outside the Azure environment using this method will result in connection failures.

  • User-assigned managed identity is not supported. We only support System-assigned managed identity.
