Azure Blob Storage
FlexFS supports Azure Blob Storage as a block store backend using the Azure SDK for Go. Authentication is handled via shared key credentials (storage account access key) or Azure Default Credentials (managed identity, environment variables, etc.).
Storage account
Create a storage account or use an existing one. FlexFS uses the Blob Storage service.
```bash
# Create a resource group (if needed)
az group create --name flexfs-rg --location eastus

# Create a storage account
az storage account create \
  --name myflexfsblocks \
  --resource-group flexfs-rg \
  --location eastus \
  --sku Standard_LRS \
  --kind StorageV2
```
Recommended settings
- Performance tier: Standard is sufficient for most workloads. Premium can be used for latency-sensitive deployments.
- Redundancy: LRS (Locally Redundant Storage) is the minimum. Choose based on your durability requirements.
- Public access: Disable blob public access. FlexFS authenticates all requests.
- Hierarchical namespace (Data Lake): Not required. FlexFS uses flat blob storage.
Container creation
Create a container within the storage account to hold flexFS blocks:
```bash
az storage container create \
  --name flexfs-blocks \
  --account-name myflexfsblocks
```
Authentication
Shared key credentials
The simplest authentication method uses the storage account name and access key:
```bash
# Retrieve the access key
az storage account keys list \
  --account-name myflexfsblocks \
  --resource-group flexfs-rg \
  --query '[0].value' -o tsv
```
When configuring the flexFS block store credentials:
- blockUser: The storage account name (e.g. myflexfsblocks)
- blockPass: The storage account access key
FlexFS constructs the blob endpoint URL automatically from the storage account name:
https://<blockUser>.blob.core.windows.net/
Azure Default Credentials (managed identity)
When blockPass is empty but blockUser is provided, flexFS uses the Azure Default Credentials chain. This supports:
- Managed Identity: On Azure VMs and Azure Kubernetes Service (AKS), a system-assigned or user-assigned managed identity can authenticate automatically.
- Environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET for service principal authentication.
- Azure CLI credentials: For local development via az login.
To use managed identity on an Azure VM:
```bash
# Assign a system-managed identity to the VM
az vm identity assign \
  --name my-vm \
  --resource-group flexfs-rg

# Grant Storage Blob Data Contributor role
az role assignment create \
  --assignee <principal-id> \
  --role "Storage Blob Data Contributor" \
  --scope "/subscriptions/<sub-id>/resourceGroups/flexfs-rg/providers/Microsoft.Storage/storageAccounts/myflexfsblocks"
```
Managed identity is the recommended authentication method for production deployments on Azure.
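To confirm that the recommended public-access setting and the role assignment above are actually in place, the following added example (not part of the flexFS documentation or tooling) audits the JSON printed by `az storage account show` and `az role assignment list --assignee <principal-id> --all`. The subscription ID and sample documents are constructed, and the `audit` function is a hypothetical helper.

```python
import json

# Constructed sample input (not real output). Field names follow the JSON printed by
# `az storage account show` and `az role assignment list --assignee <principal-id> --all`.
ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/flexfs-rg"
              "/providers/Microsoft.Storage/storageAccounts/myflexfsblocks")
SAMPLE_ACCOUNT = json.dumps({"id": ACCOUNT_ID, "name": "myflexfsblocks",
                             "allowBlobPublicAccess": True})
SAMPLE_ROLES = json.dumps([{
    "roleDefinitionName": "Storage Blob Data Contributor",
    "scope": ACCOUNT_ID.split("/providers/")[0],  # resource group: wider than needed
}])

def audit(account_json, roles_json, role="Storage Blob Data Contributor"):
    """Return a list of findings; an empty list means both checks passed."""
    account, roles = json.loads(account_json), json.loads(roles_json)
    account_id = account["id"].lower().rstrip("/")  # resource IDs are case-insensitive
    findings = []

    # Conservative assumption: only an explicit false counts as disabled.
    if account.get("allowBlobPublicAccess") is not False:
        findings.append("blob public access is not disabled")

    covered = False
    for r in roles:
        if r.get("roleDefinitionName") != role:
            continue
        scope = r.get("scope", "").lower().rstrip("/")
        if scope == account_id or scope.startswith(account_id + "/"):
            covered = True  # the account itself, or a container inside it
        elif account_id.startswith(scope + "/"):
            covered = True  # works, but also reaches other resources
            findings.append(f"'{role}' granted at broader scope: {scope or '/'}")
    if not covered:
        findings.append(f"no '{role}' assignment covers {account['name']}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNT, SAMPLE_ROLES):
        print("FINDING:", finding)
```

An assignment scoped to the storage account, as in the command above, or to a single container inside it produces no findings.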
SAS tokens
Azure Shared Access Signatures (SAS) tokens can be used by generating a SAS URL and providing it via the endpoint configuration. However, the primary supported method is shared key or managed identity as described above.
Block store configuration
When creating a block store via configure.flexfs (Enterprise) or the installer, provide:
| Field | Value |
|---|---|
| Provider | azure |
| Region | Azure region (e.g. eastus) |
| API | azure |
| Bucket | Your container name (e.g. flexfs-blocks) |
| Prefix | Optional key prefix |
| Endpoint | Leave empty (constructed from blockUser) |
| blockUser | Storage account name (always required) |
| blockPass | Storage account access key (or leave empty for managed identity) |