description Learn about how to connect your Azure Blob Storage containers to imgproxy

Serving files from Azure Blob Storage

imgproxy can process images from Azure Blob Storage containers. To use this feature, do the following:

  1. Set the IMGPROXY_USE_ABS environment variable to true
  2. Set IMGPROXY_ABS_NAME to your Azure account name
  3. Set up the necessary credentials
  4. (optional) Specify the Azure Blob Storage endpoint with IMGPROXY_ABS_ENDPOINT
  5. Use abs://%bucket_name/%file_key as the source image URL

:::tip
If filenames in your Azure Blob Storage may contain ?, you may want to set IMGPROXY_SOURCE_URL_QUERY_SEPARATOR to another string that is not used in filenames or set it to blank to disable query string extraction.
:::

Set up credentials

Leverage Azure Managed Identity or Service Principal

Microsoft encourages the use of a Managed Identity or Service Principal when accessing resources on an Azure Storage Account. Both of these authentication pathways are supported out of the box.

Managed Identity

There is no additional configuration required so long as the resource that imgproxy is running on has a Managed Identity assigned to it.

Service Principal

Please refer to the following documentation on the creation of a service principal before proceeding.

Once that step is completed, the following environment variables must be configured depending on which option was chosen.

For secret authentication:

  • AZURE_CLIENT_ID: the client ID for your application registration
  • AZURE_TENANT_ID: the tenant ID for your application registration
  • AZURE_CLIENT_SECRET: the client secret for your application registration

For certificate authentication:

  • AZURE_CLIENT_ID: the client ID for your application registration
  • AZURE_TENANT_ID: the tenant ID for your application registration
  • AZURE_CLIENT_CERTIFICATE_PATH: the path to a PFX or PEM-encoded certificate including private key
  • AZURE_CLIENT_CERTIFICATE_PASSWORD: (optional) the password protecting the certificate file (PFX (PKCS12))
  • AZURE_CLIENT_CERTIFICATE_CHAIN: (optional) send certificate chain in x5c header to support subject name / issuer-based authentication

Using Storage Account Key

Alternatively, you can set IMGPROXY_ABS_KEY to your Azure Blob Storage account key. See the Manage storage account access keys guide for more info.

Restricting container access

For security purposes, you can restrict which Azure Blob Storage containers imgproxy is allowed to access:

  • IMGPROXY_ABS_ALLOWED_BUCKETS: a comma-separated list of container names that imgproxy is allowed to access. When set, imgproxy will only process images from these containers. Default: blank (all containers allowed)
  • IMGPROXY_ABS_DENIED_BUCKETS: a comma-separated list of container names that imgproxy is not allowed to access. When set, imgproxy will reject requests for images from these containers. Default: blank

:::tip
Use IMGPROXY_ABS_ALLOWED_BUCKETS to create an allowlist of trusted containers, or use IMGPROXY_ABS_DENIED_BUCKETS to block specific containers. If both are set, allowed containers take precedence.
:::
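
A pre-flight check for the settings above, as an added example that is not part of imgproxy or its documentation: it reads only the variables named on this page and flags an incomplete service principal, use of the account key, and missing container scoping. The function name `abs_audit`, the message wording and the return codes (0 clean, 1 warnings, 2 broken) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the imgproxy Azure Blob Storage variables from this page.
# Return codes are this script's own convention: 0 = clean, 1 = warnings, 2 = broken.
abs_audit() {
    rc=0
    warn() { echo "WARN: $1"; rc=1; }

    if [ "${IMGPROXY_USE_ABS:-}" != "true" ]; then
        echo "FAIL: IMGPROXY_USE_ABS is not \"true\""; return 2
    fi
    if [ -z "${IMGPROXY_ABS_NAME:-}" ]; then
        echo "FAIL: IMGPROXY_ABS_NAME (account name) is empty"; return 2
    fi

    # Service principal: secret or certificate, both need client and tenant IDs.
    sp=""
    if [ -n "${AZURE_CLIENT_SECRET:-}" ]; then sp="$sp secret"; fi
    if [ -n "${AZURE_CLIENT_CERTIFICATE_PATH:-}" ]; then sp="$sp certificate"; fi
    if [ -n "$sp" ]; then
        if [ -z "${AZURE_CLIENT_ID:-}" ] || [ -z "${AZURE_TENANT_ID:-}" ]; then
            echo "FAIL: service principal ($sp) lacks AZURE_CLIENT_ID or AZURE_TENANT_ID"
            return 2
        fi
        if [ "$sp" = " secret certificate" ]; then
            warn "both a client secret and a certificate are set; keep one"
        fi
    fi

    # Account key: the key grants access to the whole storage account.
    if [ -n "${IMGPROXY_ABS_KEY:-}" ]; then
        warn "IMGPROXY_ABS_KEY is set; prefer Managed Identity or a Service Principal"
        if [ -n "$sp" ]; then warn "account key and service principal are both configured"; fi
    elif [ -z "$sp" ]; then
        echo "INFO: no explicit credentials; a Managed Identity must be assigned to the host"
    fi

    # Container scoping: a blank allowlist leaves all containers allowed.
    if [ -z "${IMGPROXY_ABS_ALLOWED_BUCKETS:-}" ]; then
        if [ -z "${IMGPROXY_ABS_DENIED_BUCKETS:-}" ]; then
            warn "no allowlist or denylist; every container the credential can read is servable"
        else
            warn "denylist only; containers created later are allowed by default"
        fi
    fi
    return "$rc"
}
```

Call `abs_audit` from the container entrypoint or a CI step with the deployment's environment loaded, and treat a return code of 2 as a reason not to start imgproxy.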