Create and manage blobs in Azure Blob Storage by using Azure Logic Apps
This article shows how you can access and manage files stored as blobs in your Azure storage account from inside a logic app with the Azure Blob Storage connector. That way, you can create logic apps that automate tasks and workflows for managing your files. For example, you can build logic apps that create, get, update, and delete files in your storage account.
Suppose that you have a tool that gets updated on an Azure website, which acts as the trigger for your logic app. When this event happens, you can have your logic app update some file in your blob storage container, which is an action in your logic app.
Logic apps can't directly access storage accounts that are behind firewalls if they're both in the same region. As a workaround, you can have your logic apps and storage account in different regions. For more information about enabling access from Azure Logic Apps to storage accounts behind firewalls, see the Access storage accounts behind firewalls section later in this topic.
By default, Azure Blob Storage actions can read or write files that are 50 MB or smaller. To handle files larger than 50 MB but up to 1024 MB, Azure Blob Storage actions support message chunking. The Get blob content action implicitly uses chunking.
Azure Blob Storage triggers don't support chunking. When requesting file content, triggers select only files that are 50 MB or smaller. To get files larger than 50 MB, follow this pattern:
Use an Azure Blob Storage trigger that returns file properties, such as When a blob is added or modified (properties only).
Follow the trigger with the Azure Blob Storage Get blob content action, which reads the complete file and implicitly uses chunking.
An Azure subscription. If you don't have an Azure subscription, sign up for a free Azure account.
The logic app where you need access to your Azure blob storage account. To start your logic app with an Azure Blob Storage trigger, you need a blank logic app.
Add blob storage trigger
In Azure Logic Apps, every logic app must start with a trigger, which fires when a specific event happens or when a specific condition is met. Each time the trigger fires, the Logic Apps engine creates a logic app instance and starts running your app's workflow.
This example shows how you can start a logic app workflow with the When a blob is added or modified (properties only) trigger when a blob's properties get added or updated in your storage container.
In the Azure portal or Visual Studio, create a blank logic app, which opens Logic App Designer. This example uses the Azure portal.
In the search box, enter "azure blob" as your filter. From the triggers list, select the trigger you want.
This example uses this trigger: When a blob is added or modified (properties only)
If you're prompted for connection details, create your blob storage connection now. Or, if your connection already exists, provide the necessary information for the trigger.
For this example, select the container and folder you want to monitor.
In the Container box, select the folder icon.
In the folder list, choose the right-angle bracket ( > ), and then browse until you find and select the folder you want.
Select the interval and frequency for how often you want the trigger to check the folder for changes.
When you're done, on the designer toolbar, choose Save.
Now continue adding one or more actions to your logic app for the tasks you want to perform with the trigger results.
Add blob storage action
In the Azure portal or Visual Studio, open your logic app in Logic App Designer. This example uses the Azure portal.
In the Logic App Designer, under the trigger or action, choose New step.
To add an action between existing steps, move your mouse over the connecting arrow. Choose the plus sign (+) that appears, and select Add an action.
In the search box, enter "azure blob" as your filter. From the actions list, select the action you want.
This example uses this action: Get blob content
If you're prompted for connection details, create your Azure Blob Storage connection now. Or, if your connection already exists, provide the necessary information for the action.
For this example, select the file you want.
From the Blob box, select the folder icon.
Find and select the file you want based on the blob's ID number. You can find this ID number in the blob's metadata that is returned by the previously described blob storage trigger.
When you're done, on the designer toolbar, choose Save. To test your logic app, make sure that the selected folder contains a blob.
This example only gets the contents for a blob. To view the contents, add another action that creates a file with the blob by using another connector. For example, add a OneDrive action that creates a file based on the blob contents.
Connect to storage account
When you add a trigger or action that connects to a service or system for the first time, the Logic App Designer prompts you to create a connection by providing the necessary information, which varies based on the connection, for example:
- A name to use for the new connection
- The server or system name
- Your user or account credentials
- The authentication type to use
- The Azure subscription and name for the data gateway that you previously created when connecting to on-premises data sources
When you're prompted to create the connection, provide this information:
| Property | Required | Value | Description |
|----------|----------|-------|-------------|
| Connection Name | Yes | <connection-name> | The name to create for your connection |
| Storage Account | Yes | <storage-account> | Select your storage account from the list. |
When you're ready, select Create.
For more technical details about this connector, such as triggers, actions, and limits as described by the connector's Swagger file, see the connector's reference page.
Access storage accounts behind firewalls
You can add network security to an Azure storage account by restricting access with a firewall and firewall rules. However, this setup creates a challenge for Azure and other Microsoft services that need access to the storage account. Local communication in the datacenter abstracts the internal IP addresses, so you can't set up firewall rules with IP restrictions. For more information, see Configure Azure Storage firewalls and virtual networks.
Here are various options for accessing storage accounts behind firewalls from Azure Logic Apps by using either the Azure Blob Storage connector or other solutions:
Azure Storage Blob connector
Problems accessing storage accounts in the same region
Logic apps can't directly access storage accounts behind firewalls when they're both in the same region. As a workaround, put your logic apps in a region that differs from your storage account and give access to the outbound IP addresses for the managed connectors in your region.
This solution doesn't apply to the Azure Table Storage connector and Azure Queue Storage connector. Instead, to access your Table Storage or Queue Storage, use the built-in HTTP trigger and actions.
Access storage accounts through a trusted virtual network
You can put the storage account in an Azure virtual network that you manage, and then add that virtual network to the trusted virtual networks list. To have your logic app access the storage account through a trusted virtual network, you need to deploy that logic app to an integration service environment (ISE), which can connect to resources in a virtual network. You can then add the subnets in that ISE to the trusted list. Azure Storage connectors, such as the Blob Storage connector, can directly access the storage container. This setup is the same experience as using the service endpoints from an ISE.
Access storage accounts as a trusted service with managed identities
To give Microsoft trusted services access to a storage account through a firewall, you can set up an exception on that storage account for those services. This solution permits Azure services that support managed identities for authentication to access storage accounts behind firewalls as trusted services. Specifically, for a logic app in global multi-tenant Azure to access these storage accounts, you first enable managed identity support on the logic app. Then, you use the HTTP action or trigger in your logic app and set their authentication type to use your logic app's managed identity. For this scenario, you can use only the HTTP action or trigger.
To set up the exception and managed identity support, follow these general steps:
On your storage account, under Settings, select Firewalls and virtual networks. Under Allow access from, select the Selected networks option so that the related settings appear.
Under Exceptions, select Allow trusted Microsoft services to access this storage account, and then select Save.
In your logic app's settings, enable support for the managed identity.
In your logic app's workflow, add and set up the HTTP action or trigger to access the storage account or entity.
For outgoing HTTP action or trigger calls to Azure Storage accounts, make sure that the request header includes the x-ms-version property and the API version for the operation that you want to run on the storage account. For more information, see Authenticate access with managed identity and Versioning for Azure Storage services.
On that action, select the managed identity to use for authentication.
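The following check is an added example, not part of the original article or of Azure Logic Apps: it lints the actions of a workflow definition and reports HTTP actions that call Azure Storage without the x-ms-version header, without managed identity authentication, or with a SAS signature in the URI. The sample actions and resource names are constructed, and the minimum version 2017-11-09 is an assumption taken from the Azure Storage documentation on Azure AD authorization.

```python
from urllib.parse import urlparse, parse_qs

# Host suffixes of the storage endpoints the HTTP action would call.
STORAGE_SUFFIXES = (".blob.core.windows.net", ".queue.core.windows.net",
                    ".table.core.windows.net")
MIN_VERSION = "2017-11-09"  # assumption from Azure Storage docs, not this page


def lint_actions(actions):
    """Return (action, problem) pairs for HTTP actions that call Azure Storage."""
    findings = []
    for name, action in actions.items():
        # Scopes, loops and conditions nest further actions; walk them too.
        findings += lint_actions(action.get("actions", {}))
        findings += lint_actions(action.get("else", {}).get("actions", {}))
        if action.get("type", "").lower() != "http":
            continue
        inputs = action.get("inputs", {})
        url = urlparse(inputs.get("uri", ""))
        if not (url.hostname or "").endswith(STORAGE_SUFFIXES):
            continue
        headers = {k.lower(): v for k, v in inputs.get("headers", {}).items()}
        version = headers.get("x-ms-version")
        if version is None:
            findings.append((name, "missing x-ms-version header"))
        elif version < MIN_VERSION:  # yyyy-mm-dd strings compare chronologically
            findings.append((name, "x-ms-version too old for Azure AD tokens"))
        if inputs.get("authentication", {}).get("type") != "ManagedServiceIdentity":
            findings.append((name, "not authenticated with the managed identity"))
        if "sig" in parse_qs(url.query):
            findings.append((name, "SAS signature embedded in the URI"))
    return findings


# Constructed sample; the account, container and blob names are placeholders.
SAMPLE_ACTIONS = {
    "Get_report": {"type": "Http", "inputs": {
        "method": "GET",
        "uri": "https://examplestore.blob.core.windows.net/reports/a.csv",
        "headers": {"x-ms-version": "2019-02-02"},
        "authentication": {"type": "ManagedServiceIdentity",
                           "audience": "https://storage.azure.com/"}}},
    "Get_legacy": {"type": "Http", "inputs": {
        "method": "GET",
        "uri": "https://examplestore.blob.core.windows.net/reports/b.csv"
               "?sv=2019-02-02&sig=PLACEHOLDER"}},
}

if __name__ == "__main__":
    for name, problem in lint_actions(SAMPLE_ACTIONS):
        print(f"{name}: {problem}")
```

Pass the `actions` object of an exported workflow definition to `lint_actions`; an empty result means every storage-bound HTTP action follows the managed-identity pattern described in the steps above.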
Access storage accounts through Azure API Management
If you use a dedicated tier for API Management, you can front the Storage API by using API Management and permitting the latter's IP addresses through the firewall. Basically, add the Azure virtual network that's used by API Management to the storage account's firewall setting. You can then use either the API Management action or the HTTP action to call the Azure Storage APIs. However, if you choose this option, you have to handle the authentication process yourself. For more info, see Simple enterprise integration architecture.