Set up a connection to an Azure Storage account using a managed identity
This article describes how to set up an Azure Cognitive Search indexer connection to an Azure Storage account using a managed identity instead of providing credentials in the connection string.
You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure AD logins and require Azure role assignments to access data in Azure Storage. For detailed steps, see Assign Azure roles using the Azure portal.
This article assumes familiarity with indexer concepts and configuration. If you're new to indexers, start with these links:
- Indexer overview
- Azure Blob indexer
- Azure Data Lake Storage (ADLS) Gen2 indexer
- Azure Table indexer
- Azure Files indexer (preview)
For a code example in C#, see Index Data Lake Gen2 using Azure AD on GitHub.
Note
If storage is network-protected and in the same region as your search service, you must use a system-assigned managed identity and either one of the following network options: connect as a trusted service, or connect using the resource instance rule.
Prerequisites
Create a managed identity for your search service.
-
Storage Blob Data Reader for data read access in Blob Storage and ADLS Gen2.
Reader and Data for data read access in Table Storage and File Storage.
The easiest way to test the connection is using the Import data wizard. The wizard supports data source connections for both system and user managed identities.
Create the data source
Create the data source and provide either a system-assigned managed identity or a user-assigned managed identity (preview).
System-assigned managed identity
The REST API, Azure portal, and the .NET SDK support using a system-assigned managed identity.
When you're connecting with a system-assigned managed identity, the only change to the data source definition is the format of the "credentials" property. You'll provide a ResourceId that has no account key or password. The ResourceId must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name.
Here is an example of how to create a data source to index data from a storage account using the Create Data Source REST API and a managed identity connection string. The managed identity connection string format is the same for the REST API, .NET SDK, and the Azure portal.
POST https://[service name].search.windows.net/datasources?api-version=2020-06-30
Content-Type: application/json
api-key: [admin key]
{
"name" : "blob-datasource",
"type" : "azureblob",
"credentials" : {
"connectionString" : "ResourceId=/subscriptions/[subscription ID]/resourceGroups/[resource group name]/providers/Microsoft.Storage/storageAccounts/[storage account name]/;"
},
"container" : {
"name" : "my-container", "query" : "<optional-virtual-directory-name>"
}
}
User-assigned managed identity (preview)
The 2021-04-30-preview REST API supports connections based on a user-assigned managed identity. When you're connecting with a user-assigned managed identity, there are two changes to the data source definition:
First, the format of the "credentials" property is a ResourceId that has no account key or password. The ResourceId must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name. This is the same format as the system-assigned managed identity.
Second, you'll add an "identity" property that contains the collection of user-assigned managed identities. Only one user-assigned managed identity should be provided when creating the data source. Set it to type "userAssignedIdentities".
Here is an example of how to create an indexer data source object using the preview Create or Update Data Source REST API:
POST https://[service name].search.windows.net/datasources?api-version=2021-04-30-preview
Content-Type: application/json
api-key: [admin key]
{
"name" : "blob-datasource",
"type" : "azureblob",
"credentials" : {
"connectionString" : "ResourceId=/subscriptions/[subscription ID]/resourceGroups/[resource group name]/providers/Microsoft.Storage/storageAccounts/[storage account name]/;"
},
"container" : {
"name" : "my-container", "query" : "<optional-virtual-directory-name>"
},
"identity" : {
"@odata.type": "#Microsoft.Azure.Search.DataUserAssignedIdentity",
"userAssignedIdentity" : "/subscriptions/[subscription ID]/resourcegroups/[resource group name]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[managed identity name]"
}
}
Create the index
The index specifies the fields in a document, attributes, and other constructs that shape the search experience.
Here's a Create Index REST API call with a searchable content field to store the text extracted from blobs:
POST https://[service name].search.windows.net/indexes?api-version=2020-06-30
Content-Type: application/json
api-key: [admin key]
{
"name" : "my-target-index",
"fields": [
{ "name": "id", "type": "Edm.String", "key": true, "searchable": false },
{ "name": "content", "type": "Edm.String", "searchable": true, "filterable": false, "sortable": false, "facetable": false }
]
}
Create the indexer
An indexer connects a data source with a target search index, and provides a schedule to automate the data refresh. Once the index and data source have been created, you're ready to create and run the indexer.
Here's a Create Indexer REST API call with a blob indexer definition. The indexer will run when you submit the request.
POST https://[service name].search.windows.net/indexers?api-version=2020-06-30
Content-Type: application/json
api-key: [admin key]
{
"name" : "blob-indexer",
"dataSourceName" : "blob-datasource",
"targetIndexName" : "my-target-index"
}
Accessing network secured data in storage accounts
Azure storage accounts can be further secured using firewalls and virtual networks. If you want to index content from a storage account that is secured using a firewall or virtual network, see Make indexer connections to Azure Storage as a trusted service.
See also
Povratne informacije
Pošalјite i prikažite povratne informacije za