Azure Blob Storage as a Target connection
Overview
Once you have a valid SAS token, the next step is to configure the Azure Blob Storage connection in Data Integration.
This setup allows Data Integration to authenticate securely and write data to your Azure container as part of your data pipeline.
Data Integration must establish a target connection to Azure Blob Storage to transfer data during process execution.
Using a Shared Access Signature (SAS) token ensures secure, scoped, and time-bound access — allowing Data Integration to write data without exposing full account keys.
Configuring connection in Data Integration
- Navigate to the Target tab in your Source to Target River. A list of supported Targets appear.
- Select Azure Blob Storage.
- Enter the Account Name associated with your Azure Storage account.
- (Optional) Enter the Account Key if using key-based authentication.
- (Optional) Enter the SAS Token (starting with
?sv=) if using SAS-based authentication. - Click Test Connection to verify access to your Azure Blob Storage.
- Once the test succeeds, click Save to store the connection.
note
You can connect using either an Account Key or an SAS Token, or combine both for enhanced security.
To create an SAS Token, refer to Azure Blob Storage as a Target).
Verify and test
- Run a small process that writes a test file. For example,
healthcheck.txt. - Verify that the file appears in the container and path you configured. For example, quick self-test via HTTP
# List blobs (requires 'l' permission)
curl "https://<acct>.blob.core.windows.net/<container>?restype=container&comp=list&<SAS>"
# Upload a small file as Block Blob (requires 'c','w' permissions)
printf 'ok' > healthcheck.txt
curl -X PUT \
-H "x-ms-blob-type: BlockBlob" \
--data-binary @healthcheck.txt \
"https://<acct>.blob.core.windows.net/<container>/test/healthcheck.txt?<SAS>"
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| AuthorizationFailure during upload | Missing o in Account SAS srt (needs sco) | Regenerate Account SAS with srt=sco |
| 403 on upload | Missing c or w permissions | Regenerate SAS with c,w (and l if listing) |
| Cannot list blobs / validation fails | Missing l or incorrect scope | Add l and ensure the SAS scope covers the target container |
| Token rejected / Not yet valid | st set in the future (UTC) | Set st ~15 minutes in the past |
| Works in Portal but not from runtime | sip (IP) restriction mismatch | Remove sip or align runtime egress IPs |
| Files land in unexpected path | Incorrect folder/path in operation | Review and correct the blob path in the operation |
Security guidance
- Keep SAS tokens short-lived and rotate them regularly.
- Store SAS tokens securely in a secret manager; avoid plaintext storage.
- Enforce HTTPS-only access and apply IP restrictions where feasible.
- Prefer the narrowest scope required — for single-container targets, use a Container SAS.
