Create and manage blobs in Azure Blob Storage by using Azure Logic Apps
From your workflow in Azure Logic Apps, you can access and manage files stored as blobs in your Azure storage account by using the Azure Blob Storage connector. This connector provides triggers and actions that your workflow can use for blob operations. You can then automate tasks to manage files in your storage account. For example, connector actions include checking, deleting, reading, and uploading blobs. The available trigger fires when a blob is added or modified.
You can connect to Blob Storage from both Logic App (Consumption) and Logic App (Standard) resource types. You can use the connector with logic app workflows in multi-tenant Azure Logic Apps, single-tenant Azure Logic Apps, and the integration service environment (ISE). With Logic App (Standard), you can use either the built-in Azure Blob operations or the Azure Blob Storage managed connector operations.
Prerequisites
An Azure account and subscription. If you don't have an Azure subscription, sign up for a free Azure account.
A logic app workflow from which you want to access your Azure Storage account. If you want to start your workflow with a Blob trigger, you need a blank logic app workflow.
Limits
For logic app workflows running in an integration service environment (ISE), this connector's ISE-labeled version uses the ISE message limits instead.
By default, Blob actions can read or write files that are 50 MB or smaller. To handle files larger than 50 MB but up to 1024 MB, Blob actions support message chunking. The Get blob content action implicitly uses chunking.
Blob triggers don't support chunking. When a trigger requests file content, the trigger selects only files that are 50 MB or smaller. To get files larger than 50 MB, follow this pattern:
Use a Blob trigger that returns file properties, such as When a blob is added or modified (properties only).
Follow the trigger with the Blob action named Get blob content, which reads the complete file and implicitly uses chunking.
Connector reference
For more technical details about this connector, such as triggers, actions, and limits, review the connector's reference page.
Add a Blob trigger
In Azure Logic Apps, every workflow must start with a trigger, which fires when a specific event happens or when a specific condition is met.
Only one Blob trigger exists and has either of the following names, based on whether you're working with a Consumption or Standard logic app workflow:
| Logic app type | Trigger name | Description |
|---|---|---|
| Consumption | Managed connector only: When a blob is added or modified (properties only) | The trigger fires when a blob's properties are added or updated in your storage container's root folder. |
| Standard | - Built-in: When a blob is Added or Modified in Azure Storage - Managed connector: When a blob is added or modified (properties only) | - Built-in: The trigger fires when a blob is added or updated in your storage container. The trigger also fires for any nested folders in your storage container, not just the root folder. - Managed connector: The trigger fires when a blob's properties are added or updated in your storage container's root folder. |
Each time the trigger fires, Azure Logic Apps creates a logic app instance and starts running the workflow.
To add a Blob trigger to a logic app workflow in multi-tenant Azure Logic Apps, follow these steps:
In the Azure portal, open your logic app workflow in the designer.
Under the designer search box, make sure that All is selected. In the search box, enter Azure blob. From the Triggers list, select the trigger named When a blob is added or modified (properties only).
If you're prompted for connection details, create a connection to your Azure Blob Storage account.
Provide the necessary information for the trigger.
For the Container property value, select the folder icon to browse for your blob storage container. Or, enter the path manually using the syntax /<container-name>, for example:
Configure other trigger settings as needed.
Add one or more actions to your workflow.
On the designer toolbar, select Save to save your changes.
Add a Blob action
In Azure Logic Apps, an action is a step in your workflow that follows a trigger or another action.
To add a Blob action to a logic app workflow in multi-tenant Azure Logic Apps, follow these steps:
In the Azure portal, open your workflow in the designer.
If your workflow is blank, add any trigger that you want.
This example starts with the Recurrence trigger.
Under the trigger or action where you want to add the Blob action, select New step or Add an action, if between steps. This example uses the built-in Azure Blob action.
Under the designer search box, make sure that All is selected. In the search box, enter Azure blob. Select the Blob action that you want to use.
This example uses the action named Get blob content.
If you're prompted for connection details, create a connection to your Azure Storage account.
Provide the necessary information for the action.
For example, in the Get blob content action, provide your storage account name. For the Blob property value, select the folder icon to browse for your storage container or folder. Or, enter the path manually.
| Task | Blob path syntax |
|---|---|
| Get the content from a specific blob in the root folder. | /<container-name>/<blob-name> |
| Get the content from a specific blob in a subfolder. | /<container-name>/<subfolder>/<blob-name> |
The following example shows the action setup that gets the content from a blob in the root folder:
The following example shows the action setup that gets the content from a blob in the subfolder:
Set up other action settings as needed.
Connect to Azure Storage account
When you add a trigger or action that connects to a service or system, and you don't have an existing or active connection, Azure Logic Apps prompts you to provide the connection information, which varies based on the connection type, for example:
- Your account credentials
- A name to use for the connection
- The name for the server or system
- The authentication type to use
- A connection string
Before you can configure your Azure Blob Storage trigger or Azure Blob Storage action, you need to connect to your Azure Storage account.
Based on the authentication type that your storage account requires, you have to provide a connection name and select the authentication type at a minimum.
For example, if your storage account requires access key authorization, you have to provide the following information:
| Property | Required | Value | Description |
|---|---|---|---|
| Connection name | Yes | <connection-name> | The name to use for your connection. |
| Authentication type | Yes | - Access Key - Azure AD Integrated - Logic Apps Managed Identity (Preview) | The authentication type to use for your connection. For more information, review Authentication types for triggers and actions that support authentication - Secure access and data. |
| Azure Storage Account name | Yes, but only for access key authentication | <storage-account-name> | The name for the Azure storage account where your blob container exists. Note: To find the storage account name, open your storage account resource in the Azure portal. In the resource menu, under Security + networking, select Access keys. Under Storage account name, copy and save the name. |
| Azure Storage Account Access Key | Yes, but only for access key authentication | <storage-account-access-key> | The access key for your Azure storage account. Note: To find the access key, open your storage account resource in the Azure portal. In the resource menu, under Security + networking, select Access keys > Show keys. Copy and save one of the key values. |
The following example shows how a connection using access key authentication might appear:
Note
After you create your connection, if you have a different existing Azure Blob storage connection that you want to use instead, select Change connection in the trigger or action details editor.
If you have problems connecting to your storage account, review how to access storage accounts behind firewalls.
Access storage accounts behind firewalls
You can add network security to an Azure storage account by restricting access with a firewall and firewall rules. However, this setup creates a challenge for Azure and other Microsoft services that need access to the storage account. Local communication in the data center abstracts the internal IP addresses, so just permitting traffic through IP addresses might not be enough to successfully allow communication across the firewall. Based on which Azure Blob Storage connector you use, the following options are available:
To access storage accounts behind firewalls using the Azure Blob Storage managed connector in Consumption, Standard, and ISE-based logic apps, review the following documentation:
To access storage accounts behind firewalls using the ISE-versioned Azure Blob Storage connector that's only available in an ISE-based logic app, review Access storage accounts through trusted virtual network.
To access storage accounts behind firewalls using the built-in Azure Blob Storage connector that's only available in Standard logic apps, review Access storage accounts through VNet integration.
Access storage accounts in other regions
If you don't use managed identity authentication, logic app workflows can't directly access storage accounts behind firewalls when both the logic app resource and storage account exist in the same region. As a workaround, put your logic app resource in a different region than your storage account. Then, give access to the outbound IP addresses for the managed connectors in your region.
Note
This solution doesn't apply to the Azure Table Storage connector and Azure Queue Storage connector. Instead, to access your Table Storage or Queue Storage, use the built-in HTTP trigger and action.
To add your outbound IP addresses to the storage account firewall, follow these steps:
Note the managed connector outbound IP addresses for your logic app resource's region.
In the Azure portal, find and open your storage account resource.
On the storage account navigation menu, under Security + networking, select Networking.
Under Allow access from, select Selected networks, which shows the relevant settings.
Under Firewall, add the IP addresses or ranges that need access. If you need to access the storage account from your computer, select Add your client IP address.
When you're done, select Save.
Access storage accounts through trusted virtual network
Your logic app and storage account exist in the same region.
You can put your storage account in an Azure virtual network by creating a private endpoint, and then add that virtual network to the trusted virtual networks list. To give your logic app access to the storage account through a trusted virtual network, you need to deploy that logic app to an integration service environment (ISE), which can connect to resources in a virtual network. You can then add the subnets in that ISE to the trusted list. ISE-based storage connectors, such as the ISE-versioned Azure Blob Storage connector, can directly access the storage container. This setup is the same experience as using the service endpoints from an ISE.
Your logic app and storage account exist in different regions.
You don't have to create a private endpoint. You can just permit traffic through the ISE outbound IPs on the storage account.
Access storage accounts through VNet integration
Your logic app and storage account exist in the same region.
You can put the storage account in an Azure virtual network by creating a private endpoint, and then add that virtual network to the trusted virtual networks list. To give your logic app access to the storage account, you have to set up outbound traffic using VNet integration to enable connecting to resources in a virtual network. You can then add the VNet to the storage account's trusted virtual networks list.
Your logic app and storage account exist in different regions.
You don't have to create a private endpoint. You can just permit traffic through the ISE outbound IPs on the storage account.
Access Blob Storage in same region with system-managed identities
To connect to Azure Blob Storage in any region, you can use managed identities for authentication. You can create an exception that gives Microsoft trusted services, such as a managed identity, access to your storage account through a firewall.
To use managed identities in your logic app to access Blob Storage, follow these steps:
Note
Limitations for this solution:
- To authenticate your storage account connection, you have to set up a system-assigned managed identity. A user-assigned managed identity won't work.
Configure storage account access
To set up the exception and managed identity support, first configure appropriate access to your storage account:
In the Azure portal, find and open your storage account resource.
On the storage account navigation menu, under Security + networking, select Networking.
Under Allow access from, select Selected networks, which shows the relevant settings.
If you need to access the storage account from your computer, under Firewall, select Add your client IP address.
Under Exceptions, select Allow trusted Microsoft services to access this storage account.
When you're done, select Save.
Note
If you receive a 403 Forbidden error when you try to connect to the storage account from your workflow, multiple possible causes exist. Try the following resolution before moving on to additional steps. First, disable the setting Allow trusted Microsoft services to access this storage account and save your changes. Then, re-enable the setting, and save your changes again.
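The following Python check is an added example, not part of the original documentation. It reads a storage account's network rule set, assumed to be in the shape returned by `az storage account show --query networkRuleSet`, and reports whether the firewall options described in the sections above (outbound IP rules for another region, or the trusted Microsoft services exception for managed identity) are in place. The function name, finding labels, regions, and sample IP addresses are constructed for illustration.

```python
import ipaddress

def audit_blob_firewall(rule_set, storage_region, app_region,
                        uses_managed_identity, connector_ips):
    """Return a list of findings; an empty list means no gap was found."""
    # "Selected networks" in the portal corresponds to defaultAction == "Deny".
    if rule_set.get("defaultAction") != "Deny":
        return ["firewall-open: default action is not Deny, so no rule is enforced"]
    bypass = {b.strip() for b in rule_set.get("bypass", "").split(",")}
    if uses_managed_identity:
        # The managed identity path depends on the trusted services exception.
        if "AzureServices" not in bypass:
            return ["trusted-services-off: enable the trusted Microsoft services exception"]
        return []
    if storage_region.lower() == app_region.lower():
        # Without managed identity, firewall IP rules do not cover same-region access.
        return ["same-region: IP rules alone do not allow same-region access"]
    allowed = [ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
               for r in rule_set.get("ipRules", [])
               if r.get("action", "Allow") == "Allow"]
    findings = []
    for ip in connector_ips:
        net = ipaddress.ip_network(ip, strict=False)
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            findings.append(f"ip-missing: {ip} is not covered by any firewall IP rule")
    return findings

# Constructed sample data (documentation-reserved IP ranges, not real connector IPs).
SAMPLE_RULES = {
    "defaultAction": "Deny",
    "bypass": "Logging, Metrics",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/28"}],
    "virtualNetworkRules": [],
}
SAMPLE_CONNECTOR_IPS = ["203.0.113.5", "198.51.100.20"]

if __name__ == "__main__":
    for finding in audit_blob_firewall(SAMPLE_RULES, "westeurope", "northeurope",
                                       False, SAMPLE_CONNECTOR_IPS):
        print(finding)
```

Replace the sample connector addresses with the managed connector outbound IP addresses published for your logic app's region before relying on the result.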
Create role assignment for logic app
Next, enable managed identity support on your logic app resource.
The following steps are the same for Consumption logic apps in multi-tenant environments and Standard logic apps in single-tenant environments.
In the Azure portal, open your logic app resource.
On the logic app resource navigation menu, under Settings, select Identity.
On the System assigned pane, set Status to On, if not already enabled, select Save, and confirm your changes. Under Permissions, select Azure role assignments.
On the Azure role assignments pane, select Add role assignment.
On the Add role assignments pane, set up the new role assignment with the following values:
| Property | Value | Description |
|---|---|---|
| Scope | <resource-scope> | The resource set where you want to apply the role assignment. For this example, select Storage. |
| Subscription | <Azure-subscription> | The Azure subscription for your storage account. |
| Resource | <storage-account-name> | The name for the storage account that you want to access from your logic app workflow. |
| Role | <role-to-assign> | The role that your scenario requires for your workflow to work with the resource. This example requires Storage Blob Data Contributor, which allows read, write, and delete access to blob containers and data. For permissions details, move your mouse over the information icon next to a role in the drop-down menu. |
When you're done, select Save to finish creating the role assignment.
Enable managed identity support on logic app
Next, complete the following steps:
If you have a blank workflow, add an Azure Blob Storage connector trigger. Otherwise, add an Azure Blob Storage connector action. Make sure that you create a new connection for the trigger or action, rather than use an existing connection.
Make sure that you set the authentication type to use the managed identity.
After you configure the trigger or action, you can save the workflow and test the trigger or action.
Troubleshoot problems with accessing storage accounts
"This request is not authorized to perform this operation."
The following error is a commonly reported problem that happens when your logic app and storage account exist in the same region. However, options are available to resolve this limitation as described in the section, Access storage accounts behind firewalls.
```json
{
  "status": 403,
  "message": "This request is not authorized to perform this operation.\\r\\nclientRequestId: a3da2269-7120-44b4-9fe5-ede7a9b0fbb8",
  "error": {
    "message": "This request is not authorized to perform this operation."
  },
  "source": "azureblob-ase.azconn-ase.p.azurewebsites.net"
}
```