Azure blob

There are three parts to integrating Azure with Encord:

  1. Creating the integration with the Encord platform. Strict client-only access can also be added in this step if necessary.

  2. Authenticating your storage account for integration on the Azure platform.

ℹ️

Note

Ensure that all objects in your Azure Blob have the Hot Tier access tier.

  3. Setting up Cross-Origin Resource Sharing (CORS) on Azure.

1. Creating the integration

In Encord, navigate to the Integrations section and click the Add integration button.

Navigate to the Azure tab and type the name of the storage account you registered in step 1 of the integration into the first dropdown in the Azure integrations window, as shown below.

Select your preferred method of authentication in the second dropdown of the Azure integrations window.

Optionally, check the box to enable Strict client-only access if you would like Encord to sign URLs but refrain from downloading any media files onto Encord servers. Server-side media features will not be available when this option is enabled. Read more about this feature here.

2. Authenticating Azure

You can authenticate Azure in two different ways:

  1. Generating an account-level shared access signature (SAS).

  2. Using a service principal.

ℹ️

Note

Using a service principal to authenticate requires admin privileges for the Azure account.

Method 1: Generating an account-level SAS

  1. In Azure, navigate to Storage Accounts under Azure services and select the storage account you wish to integrate.
  2. Next, click on Shared access signature in the Security + networking section.
  3. You must check the Container and Object checkboxes under the Allowed resource types heading. Ensure you add the necessary permissions:
  • Read (required)
  • List (required)
  • Write (recommended)
  • Add (recommended)
  • Create (recommended)

ℹ️

Note

Recommended permissions are necessary to use some of our more advanced features, such as re-encoding data and image sequences.

  4. Click Generate SAS and connection string when you are ready to generate your account-level SAS token.

🚧

Caution

Your SAS token has a start and end date that can be adjusted, and it will only be valid for the specified time period. Expired tokens must be updated.

👍

Tip

To avoid having to update the token frequently, set the expiration date to be more than one year.

  5. After generating your account-level SAS token, paste it into the third dropdown of the Azure integrations window on Encord.

Method 2: Using a service principal

Using a service principal to authenticate requires you to:

  1. Add the cord-integrator app to your Azure tenant.
  2. Find your Azure tenant ID.

Adding the cord-integrator app to Azure tenant

There are three different ways to add the cord-integrator app to your Azure tenant:

  1. Using a browser.

  2. Using Azure PowerShell.

  3. By granting storage account and container permissions to cord-integrator.

ℹ️

Note

You need to have admin privileges for your Azure account to authenticate via a service principal.

Adding the cord-integrator app via a browser

You can add the cord-integrator application by following this link. If you are logged in to the Encord platform, you will be redirected to the 'Azure integration' screen after the application has been successfully added.
Adding the 'cord-integrator' application to Azure tenant

Adding the cord-integrator app via Azure PowerShell

New-AzADServicePrincipal -ApplicationId ab859d51-5577-4d6d-9b87-544df597f38a

Granting storage account and container permissions to cord-integrator

The cord-integrator must be granted two types of permissions in order to function:

  • The Storage Blob Data Contributor role at the container level
    Adding the 'Storage Blob Data Contributor' role to the cord-integrator service principal
  • The Storage Blob Delegator role at the storage account level
    Adding the 'Storage Blob Delegator' role to the cord-integrator service principal at the storage account level

Find your Azure tenant ID

You can find the Azure Tenant ID in the Active Directory overview of your Azure project.

After you have added the cord-integrator app, granted it storage account and container permissions, and located your Azure tenant ID, paste the tenant ID into the third step of the Azure integrations window, as shown below.

3. Creating a CORS configuration in Azure

A CORS configuration needs to be applied to the Azure storage account you wish to integrate with Encord. This will enable your users' browsers to request resources from the specified storage account.

Navigate to the Resource Sharing (CORS) section under Settings of your storage account.

Input the following values in the Blob service tab of Resource Sharing (CORS) page:

| Allowed origins | Allowed methods | Allowed headers | Exposed headers | Max age |
|---|---|---|---|---|
| https://app.encord.com | GET, POST, OPTIONS, PUT | * | * | 3600 |

In the example above, preflight requests are valid for 1 hour. Use the 'Max Age' variable to adjust the number of seconds the browser is allowed to make requests before it must repeat the preflight request.

Click Save to save the CORS configuration.
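The sketch below is an added example, not Encord's or Azure's code: a simplified model of how the rule in the table is matched against a browser preflight, useful for seeing why the origin must be entered exactly as shown. It assumes exact, case-sensitive origin matching and literal-or-prefix header matching; `ENCORD_RULE` and `preflight_allowed` are hypothetical names.

```python
# Rule from the table on this page, in the order of the portal's columns.
ENCORD_RULE = {
    "origins": ["https://app.encord.com"],
    "methods": ["GET", "POST", "OPTIONS", "PUT"],
    "headers": ["*"],
    "max_age": 3600,
}


def _header_allowed(name, patterns):
    """Literal match, or prefix match when the pattern ends in '*'."""
    name = name.strip().lower()
    for pattern in (p.lower() for p in patterns):
        if pattern == name or (pattern.endswith("*") and name.startswith(pattern[:-1])):
            return True
    return False


def preflight_allowed(rule, origin, method, request_headers=""):
    """Return (allowed, reason) for one preflight request against one rule."""
    # Origins are compared as exact, case-sensitive strings (assumption of this model).
    if "*" not in rule["origins"] and origin not in rule["origins"]:
        return False, "origin"
    if method.upper() not in rule["methods"]:
        return False, "method"
    wanted = [h for h in request_headers.split(",") if h.strip()]
    for header in wanted:
        if not _header_allowed(header, rule["headers"]):
            return False, "header: " + header.strip()
    return True, "cache preflight for %d s" % rule["max_age"]


if __name__ == "__main__":
    # A rule saved with a trailing slash never matches the origin a browser sends.
    typo_rule = dict(ENCORD_RULE, origins=["https://app.encord.com/"])
    print(preflight_allowed(ENCORD_RULE, "https://app.encord.com", "PUT", "x-ms-blob-type"))
    print(preflight_allowed(typo_rule, "https://app.encord.com", "GET"))
```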

4. Testing your integration

To test that the integration works, click the Run a URL test button on the integration.

Paste the URL of any object in your Azure storage and click Check Encord can access this URL. If the test is successful, a green tick appears next to Encord infrastructure and This machine.


Updating expired account-level SAS tokens

ℹ️

Note

This section is only applicable if you used an account-level shared access token to authenticate.

Shared access tokens expire and have to be updated in order to continue providing Encord with access to your Azure storage.

To update the account-level SAS token:

  1. Click the icon on your Azure integration.

  2. Click Update SAS token. This will be where you paste your new SAS token.

  3. In Azure, navigate to Storage Accounts under Azure services and select the storage account you wish to update the token for.
  4. Click on Shared access signature in the Security + networking section.
  5. You must check the Container and Object checkboxes under the Allowed resource types heading. Ensure you add the necessary permissions:
  • Read (required)
  • List (required)
  • Write (recommended)
  • Add (recommended)
  • Create (recommended)

ℹ️

Note

Recommended permissions are necessary to use some of our more advanced features, such as re-encoding data and image sequences.

  6. Click Generate SAS and connection string to generate a new account-level SAS token.

🚧

Caution

Your SAS token will have a start and end date that can be adjusted, and it will only be valid for the specified time period. Expired tokens will have to be updated.

👍

Tip

To avoid having to update the token frequently, set the expiration date to be more than one year.

  7. Paste the new SAS token into the pop up opened in step 2.
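Before pasting a token generated under Method 1 or in the update steps above, its fields can be checked against what this page asks for. This is an added example, not Encord's code: it reads the account SAS query parameters (`ss`, `srt`, `sp`, `spr`, `st`, `se`) and reports missing, extra and expired settings. The function name is hypothetical and the sample token is constructed.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# `sp` permission letters for the permissions this page lists.
REQUIRED = {"r": "Read", "l": "List"}
RECOMMENDED = {"w": "Write", "a": "Add", "c": "Create"}

# Constructed sample token: the signature is a placeholder, not a real credential.
SAMPLE = ("?sv=2022-11-02&ss=b&srt=co&sp=rwdl&spr=https"
          "&st=2030-01-01T00%3A00%3A00Z&se=2031-01-01T00%3A00%3A00Z"
          "&sig=CONSTRUCTED-PLACEHOLDER")


def _ts(value):
    """Parse the UTC timestamp carried in `st` / `se`."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_account_sas(token, now=None):
    """Compare an account SAS token's fields with what this page asks for."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    perms = set(q.get("sp", ""))
    start = _ts(q["st"]) if "st" in q else None
    end = _ts(q["se"]) if "se" in q else None
    return {
        "blob_service": "b" in q.get("ss", ""),
        "container_and_object": {"c", "o"} <= set(q.get("srt", "")),
        "missing_required": [n for p, n in REQUIRED.items() if p not in perms],
        "missing_recommended": [n for p, n in RECOMMENDED.items() if p not in perms],
        # Letters beyond the five permissions listed on this page (for example d = Delete).
        "extra_permissions": "".join(sorted(perms - set(REQUIRED) - set(RECOMMENDED))),
        "https_only": q.get("spr") == "https",
        "not_yet_valid": bool(start and now < start),
        # A token without an expiry field is treated as unusable.
        "expired": end is None or now >= end,
        "days_left": (end - now).days if end else None,
    }


if __name__ == "__main__":
    for key, value in check_account_sas(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it locally on the token string only; the `sig` value is the credential and should not be pasted into shared tools or logs.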

Creating a Dataset with Azure data

Please navigate to the private cloud integration section for guidance on how to create a Dataset with data stored in Azure.