Azure Storage Connection Manager

APPLIES TO: yesSQL Server, including on Linux yesAzure SQL Database yesAzure SQL Data Warehouse noParallel Data Warehouse

The Azure Storage connection manager enables an SSIS package to connect to an Azure Storage account.

The Azure Storage connection manager is a component of the SQL Server Integration Services (SSIS) Feature Pack for Azure.

In the Add SSIS Connection Manager dialog box, select AzureStorage, and click Add.

Following properties are available.

  • Service: Specifies the storage service to connect to.
  • Account name: Specifies the storage account name.
  • Authentication: Specifies the authentication method to use. AccessKey and ServicePrincipal authentication are supported.
    • AccessKey: For this authentication method, specify the Account key.
    • ServicePrincipal: For this authentication method, specify the Application ID, Application key, Tenant ID of the service principal. For Test Connection to work, the service principal should be assigned at least Storage Blob Data Reader role to the storage account. Refer to this page for details.
  • Environment: Specifies the cloud environment hosting the storage account.

Managed Identities for Azure Resources Authentication

When running SSIS packages on Azure-SSIS integration runtime in Azure Data Factory, you can use the managed identity that is associated with your data factory for Azure storage authentication. The designated factory can access and copy data from or to your storage account by using this identity.

Refer to Authenticate access to Azure Storage using Azure Active Directory for Azure Storage authentication in general. To use managed identity authentication for Azure storage, follow these steps to configure your storage account:

  1. Find the data factory managed identity from the Azure portal. Go to your data factory's Properties. Copy the Managed Identity Application ID (NOT Managed Identity Object ID).

  2. Grant the managed identity proper permission in your storage account. Refer to Manage access rights to Azure Storage data with RBAC with more details on the roles.

    • As source, in Access control (IAM), grant at least Storage Blob Data Reader role.
    • As destination, in Access control (IAM), grant at least Storage Blob Data Contributor role.

Then configure managed identity authentication for the Azure storage connection manager. There are two options to do this.

  1. Configure at design time. In SSIS Designer, double-click the Azure storage connection manager to open Azure Storage Connection Manager Editor and check Use managed identity to authenticate on Azure.

    Note

    Currently this option DOES NOT take effect (indicating that managed identity authentication does not work) when you run SSIS package in SSIS Designer or Microsoft SQL Server.

  2. Configure at run time. When you execute the package via SQL Server Management Studio (SSMS) or Azure Data Factory Execute SSIS Package activity, find the Azure storage connection manager and update its property ConnectUsingManagedIdentity to True.

    Note

    In Azure-SSIS integration runtime, all other authentication methods (e.g., access key, service principal) preconfigured on the Azure storage connection manager will be overridden when managed identity authentication is used for storage operations.

Note

To configure managed identity authentication on existing packages, the preferred way is to rebuild your SSIS project with the latest SSIS Designer at least once and redeploy that SSIS project to your Azure-SSIS integration runtime so that the new connection manager property ConnectUsingManagedIdentity will automatically be added to all Azure storage connection managers in your SSIS project. The alternative way is to directly use property override with property path \Package.Connections[{the name of your connection manager}].Properties[ConnectUsingManagedIdentity] at run time.

See Also

Integration Services (SSIS) Connections