Skip to main content
The Azure Blob Storage feed connects an index to a blob container in an Azure storage account. Circuit reads blobs from the container you specify and keeps them in sync as they change.

What you can do

  • Index documents in a container: Bring every blob in a container, or a path prefix within it, into a Circuit index.
  • Mix file types: Common document formats (PDF, DOCX, XLSX, PPTX, plain text, Markdown) are supported. Other formats are skipped.
  • Stay in sync automatically: Circuit re-checks the container periodically. New, updated, and deleted blobs are mirrored to the index.

Before you start

  • An Azure storage account that contains the blobs you want to sync.
  • A blob container in that storage account. If you do not have one yet, create it from the Azure portal under the storage account’s Containers blade.
  • Access to retrieve the storage account’s access keys. You need the Reader and Data Access role, the Storage Account Key Operator Service Role, or a higher built-in role such as Contributor or Owner.
  • An index in Circuit where the blobs should live. See Indexes if you need to create one.
Storage account access keys grant full access to all data in the storage account. Treat them like passwords. Use a dedicated storage account or container for Circuit when possible. See For IT and security teams below.

Connect Azure Blob Storage

The integration uses Azure’s shared-key authentication: you provide the storage account name, an access key, and the container name.
1

Find the storage account name

In the Azure portal, open your storage account. The account name appears at the top of the page (for example, acmedocs).
2

Copy an access key

In the storage account, open Security + networking > Access keys. Click Show next to key1 or key2, then copy the Key value. Azure provides two keys so you can rotate without downtime; pick one for Circuit and reserve the other for rotation.
3

Identify the container

Open Data storage > Containers in the storage account and note the name of the container you want to sync (for example, policies).
4

Open the Azure Blob Storage integration in Circuit

In Circuit, open the index that should receive the blobs, choose Integrations > New integration, and select Import from Azure Blob Storage.
5

Enter the connection details

Paste the storage account name, the access key, and the container name into Circuit. Optionally enter a path prefix to limit the import to a folder inside the container (for example, published/). Click Connect.Circuit verifies the credentials by listing the container.
6

Start the import

Click Done. Circuit imports the matching blobs. Depending on volume, the initial import takes a few minutes to a few hours. Subsequent updates run in the background.

What Circuit accesses

What Circuit readsNotes
Blob contents and metadata in the specified containerOnly the container you name. Other containers in the storage account are not enumerated.
Container listingsUsed to detect new, updated, and deleted blobs on each sync.
Circuit does not create, modify, or delete blobs. The integration is read-only.
Although Circuit only reads the configured container, the access key itself grants full access to the entire storage account. Azure does not let you scope a storage account key to a single container. Use a dedicated storage account or a SAS token strategy if container-level isolation matters to you. See For IT and security teams below.

For IT and security teams

Azure Blob Storage authentication in Circuit uses a shared key (storage account access key). The security characteristics of this credential differ from OAuth-based integrations:
  • Account-wide scope: Storage account access keys grant full access to all data in the storage account, including every container, queue, table, and file share. They cannot be scoped to a single container, prefix, or operation.
  • Use a dedicated account or container: To limit the blast radius of the credential Circuit holds, provision a separate storage account (or at minimum a separate container) that holds only the blobs intended for Circuit.
  • Rotate the keys you use: Microsoft recommends rotating access keys on a schedule. Azure provides two keys per storage account so you can rotate without downtime: give Circuit key1, rotate key2, swap Circuit to key2, then rotate key1. The same procedure works for ad-hoc rotation after an incident.
  • Set a rotation reminder: Under Security + networking > Access keys > Set rotation reminder, configure a reminder interval (90 days is a common choice). Azure Policy includes a built-in Storage account keys should not be expired policy that can monitor compliance organization-wide.
  • Revocation: Regenerating the access key Circuit is using revokes Circuit’s access immediately. Update Circuit with the new key (or its pair) to restore the integration.
  • Audit: Enable storage account diagnostic logging to capture read operations against the container. Circuit’s calls appear with Shared Key authentication in the logs.
  • Data residency: Data stays in whichever Azure region the storage account was provisioned in. Circuit does not move blobs across regions.
  • Network: Circuit calls <account>.blob.core.windows.net over TLS 1.2 or higher.
Microsoft’s broader guidance, including Microsoft Entra ID-based alternatives, is at Manage account access keys. For credential handling across Circuit integrations, see Integration security and admin consent.

Disconnect or rotate access

  • From Circuit: open the index’s Integrations tab, select the Azure Blob Storage feed, and click Remove. Circuit deletes the stored access key and stops syncing. Already-imported documents stay in the index until you delete them.
  • Rotate the access key: in the Azure portal, open Security + networking > Access keys on the storage account, click Rotate key next to the key Circuit is not currently using, then update Circuit’s feed settings with the new key. Once Circuit has accepted the new key, rotate the other one too.
  • Revoke immediately: regenerate the access key Circuit is using. Circuit’s sync attempts will fail until you provide a new key.

Troubleshooting

The access key is wrong, has been rotated since you copied it, or belongs to a different storage account. Copy a fresh key from Security + networking > Access keys and try again. Make sure the storage account name in Circuit matches the account the key belongs to.
The container name is misspelled or it lives in a different storage account. Container names are lowercase and exact. Confirm the name in Data storage > Containers.
The container is empty under the configured path prefix, or every blob has an unsupported file type. Add a supported document to the container and wait for the next sync cycle.
Your storage account has Allow storage account key access disabled. Circuit uses shared-key authentication, so this setting must be Enabled for the integration to work. Open Configuration on the storage account in Azure and enable shared key access, or use a separate storage account that permits it.
The access key Circuit was using has been regenerated. Copy the current key from Azure and update Circuit’s feed settings.

Reference

  • Authentication: Shared key (storage account access key)
  • Connection parameters: storage account name, access key, container name, optional path prefix
  • API endpoint: https://<account>.blob.core.windows.net
  • Microsoft’s own docs: Manage account access keys, Authorize with Shared Key