Configure an external storage integration with Azure Blob Storage (Beta)
This documentation describes one or more public beta features that are in development. Beta features are subject to quick, iterative changes; therefore the current user experience in the Sigma service can differ from the information provided in this page.
This page should not be considered official published documentation until Sigma removes this notice and the beta flag on the corresponding feature(s) in the Sigma service. For the full beta feature disclaimer, see Beta features.
Configure an external storage integration using a customer-owned Azure Blob Storage container (blob container) to give your organization full control over file location, access, retention, and encryption. Some features, like file upload columns in input tables and exports to cloud storage, require an external storage integration. Other features, like CSV upload, have default storage flows that use Sigma-owned storage, but you can enable the use of a customer-owned container instead.
This document explains how to configure a storage integration with a customer-owned blob container. For information about the general and feature-specific advantages of an external storage integration, see External storage integration overview.
Most of the storage integration configuration requires you to complete steps within the Azure portal. Because these workflows are maintained and updated by a third party, the steps detailed in this document may reference UI elements and terminology that differ from what you currently see in Azure.
Requirements
The ability to configure a storage integration that uses a customer-owned blob container requires the following:
- In Sigma, you must be assigned the Admin account type.
- In Azure, you must be granted administrative permissions or have the ability to create and manage a storage account and container.
- In Azure, you must also be granted permissions required to create and manage core security policies (e.g., custom roles and enterprise application assignments).
- Your Sigma organization must be hosted in Microsoft Azure. If your organization is hosted in Amazon Web Services (AWS) or Google Cloud Platform (GCP), see Configure an external storage integration with Amazon S3 or Configure an external storage integration with Google Cloud Storage.
Configure a storage integration with Azure Blob Storage
To configure a storage integration that uses your own blob container, complete the following procedures:
- Record your Microsoft Entra tenant ID in Azure
- Create a storage account and container in Azure
- Create a custom role in Azure
- Add an Azure Blob Storage integration in Sigma
- Create an enterprise application in Azure
- Assign roles to the enterprise application in Azure
- Enable cross-origin resource sharing (CORS) in Azure
- Create an IP allowlist in Azure
Record your Microsoft Entra tenant ID in Azure
In your Azure portal, find and record the ID for your Microsoft Entra tenant. This ID is required to add an Azure Blob Storage integration in Sigma. For detailed instructions, see Find your Microsoft Entra tenant in the Azure documentation.
Create a storage account and container in Azure
In your Azure portal, create a storage account and target storage container for file uploads. For detailed instructions, see Create an Azure storage account and Create a container in the Azure documentation.
Because cross-origin resource sharing (CORS) is required, and CORS rules apply to the whole storage account, it is recommended that you create a new, dedicated storage account for this integration. This enforces a clear security boundary and prevents the cross-origin access granted to Sigma from extending to other resources.
Create a custom role in Azure
In your Azure portal, create a custom role to grant Sigma permission to the target storage container. For detailed instructions, see Create or update Azure custom roles using the Azure portal in the Azure documentation.
When referencing the Azure documentation, use the following guidance:
- In Step 2: Choose how to start, follow the Start from scratch path, and create the custom role in the resource group that contains your storage account.
- In Step 3: Basics, enter a name and description for the role, then proceed without additional custom configuration until you reach Step 6: JSON.
- In Step 6: JSON, replace the permissions block with the following JSON:
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ]
Add an Azure Blob Storage integration in Sigma
You can now add a storage integration in Sigma using a blob container.
- In Sigma, go to Administration > Account > General Settings.
- In the Storage Integration > External storage integration section, click Add.
- In the Add storage integration modal, provide the required Azure credentials.
  - In the Provider section, select Azure Blob Storage.
  - In the Storage account name field, enter the name of the dedicated storage account.
  - In the Azure tenant ID field, enter your Microsoft Entra tenant ID.
  - In the Bucket name field, enter the name of the target storage container.
  - In the Path prefix field, enter the folder path prefix to use, if any.
- Click Save, then record the Azure broker application ID displayed in the integration details. You will need this value in an upcoming configuration step.
Create an enterprise application in Azure
Use Azure CLI to create an enterprise application that registers Sigma in your Azure environment. For detailed instructions, see Create an enterprise application from a multitenant application in the Azure documentation. When following those instructions, use the Azure broker application ID you recorded when you added the storage integration in Sigma as the application ID.
When you successfully create the enterprise application, Sigma auto-generates the application name using the format sigma-broker-{hash}. This name is unique to your Sigma organization and will be required in an upcoming configuration step.
Assign roles to the enterprise application in Azure
In your Azure portal, assign the following roles to the enterprise application to allow Sigma to operate on the target storage container.
- Storage Blob Delegator role: Enables Sigma to generate short-lived user delegation SAS tokens.
- Custom role created in the Create a custom role in Azure section: Allows Sigma to read and write to the target storage container.
For detailed instructions, see Assign Azure roles using the Azure portal.
When assigning the Storage Blob Delegator role, use the following guidance:
- In Step 1: Identify the needed scope, search for and select your storage account.
- In Step 3: Select the appropriate role, select the Storage Blob Delegator role.
- In Step 4: Select who needs access, search for and select the enterprise application you created in Create an enterprise application in Azure (named sigma-broker-{hash}).
When assigning the custom role, use the following guidance:
- In Step 1: Identify the needed scope, search for and select the target storage container in your storage account.
- In Step 3: Select the appropriate role, select the custom role you created in Create a custom role in Azure.
- In Step 4: Select who needs access, search for and select the enterprise application you created in Create an enterprise application in Azure (named sigma-broker-{hash}).
Enable cross-origin resource sharing (CORS) in Azure
In Azure, enable CORS for the storage account. For more information about CORS, see Cross-Origin Resource Sharing (CORS) support for Azure Storage in the Azure documentation. For portal navigation guidance, see Azure's Create a CORS rule quickstart.
UI terminology can differ in your Azure portal and may display as Settings > Resource sharing (CORS) or another variation instead of Settings > CORS, as shown in the Azure documentation.
When configuring CORS for Blob service, set the following values:
- Allowed origins: https://app.sigmacomputing.com
- Allowed methods: PUT, POST, GET
- Allowed headers: *
- Exposed headers: Access-Control-Allow-Origin
- Max age: 3600
Create an IP allowlist in Azure
(Optional) In your Azure portal, create an IP network rule to limit access to your storage account based on IP address. Only traffic from approved IP address ranges will be allowed. For detailed instructions, see Create an IP network rule for Azure Storage in the Azure documentation.
Before you create the network rule, you must obtain the relevant IP address ranges.
- Sigma cluster IP addresses: See Add Sigma IPs to the allowlist.
- User IP addresses: Office IP addresses, VPN IP addresses, and any other IP addresses that your Sigma organization users will use to access Sigma.
- Data platform IP addresses: IP addresses used by Snowflake or Databricks instances connected to your Sigma organization. This is only required when using external stages for CSV uploads because the data platform must access the storage container directly.
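The Azure-side steps above (storage account and container, custom role, enterprise application, role assignments, CORS rule, and optional IP allowlist) collected into one Azure CLI script, as an added example that is not Sigma's or Microsoft's code. Every resource name, the region, and the broker application ID are placeholders to be replaced with your own values; the broker application ID comes from the Sigma integration details after you click Save. The role definition uses the flat JSON format that `az role definition create` accepts (capitalized keys) rather than the portal's lowercase `permissions` block, but grants exactly the two data actions shown on this page and nothing at the control plane. Two storage-account flags (`--allow-blob-public-access false` and `--min-tls-version TLS1_2`) are hardening defaults added here and are not part of the page's procedure.

```shell
#!/bin/sh
# Added example (not Sigma's or Microsoft's code): the Azure side of the procedure
# on this page as Azure CLI commands. Resource names are placeholders; set them
# in the environment before running with the argument "apply".
set -eu

LOCATION="${LOCATION:-eastus}"                 # placeholder region
RG="${RG:-rg-sigma-storage}"                   # placeholder resource group
ACCOUNT="${ACCOUNT:-stsigmauploads}"           # placeholder dedicated storage account
CONTAINER="${CONTAINER:-sigma-uploads}"        # placeholder target container
ROLE_NAME="${ROLE_NAME:-Sigma Blob Read Write}"
BROKER_APP_ID="${BROKER_APP_ID:-<azure-broker-application-id-from-sigma>}"  # copy from the Sigma integration details
ALLOWED_IPS="${ALLOWED_IPS:-}"                 # space-separated CIDRs: Sigma cluster, users, data platform
SIGMA_ORIGIN="https://app.sigmacomputing.com"

# Resource ID of the storage account: scope for the Storage Blob Delegator role.
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# Resource ID of one container: scope for the custom read/write role, so the
# assignment does not reach other containers in the account.
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(account_scope "$1" "$2" "$3")" "$4"
}

# Custom role in the flat format accepted by `az role definition create`.
# The two DataActions are the ones from the page; no control-plane Actions are
# granted, and the role can only be assigned inside the given resource group.
role_definition_json() {
  cat <<EOF
{
  "Name": "$1",
  "IsCustom": true,
  "Description": "Read and write blobs in the Sigma upload container",
  "Actions": [],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
  ],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/$2/resourceGroups/$3"]
}
EOF
}

main() {
  SUB="$(az account show --query id -o tsv)"

  # Dedicated storage account and container. The two hardening flags are not on
  # the page: public blob access off and TLS 1.2 minimum.
  az group create --name "$RG" --location "$LOCATION" >/dev/null
  az storage account create --name "$ACCOUNT" --resource-group "$RG" \
    --sku Standard_LRS --kind StorageV2 \
    --allow-blob-public-access false --min-tls-version TLS1_2 >/dev/null
  az storage container create --name "$CONTAINER" --account-name "$ACCOUNT" \
    --auth-mode login >/dev/null

  # Custom role, assignable only inside the resource group that holds the account.
  role_definition_json "$ROLE_NAME" "$SUB" "$RG" > sigma-role.json
  az role definition create --role-definition @sigma-role.json >/dev/null

  # Enterprise application (service principal) for Sigma's multitenant broker app.
  SP_ID="$(az ad sp create --id "$BROKER_APP_ID" --query id -o tsv)"

  # Delegator at account scope (user delegation SAS); read/write only at container scope.
  az role assignment create --assignee-object-id "$SP_ID" \
    --assignee-principal-type ServicePrincipal --role "Storage Blob Delegator" \
    --scope "$(account_scope "$SUB" "$RG" "$ACCOUNT")" >/dev/null
  az role assignment create --assignee-object-id "$SP_ID" \
    --assignee-principal-type ServicePrincipal --role "$ROLE_NAME" \
    --scope "$(container_scope "$SUB" "$RG" "$ACCOUNT" "$CONTAINER")" >/dev/null

  # CORS rule for the Blob service with the values from the page.
  az storage cors add --account-name "$ACCOUNT" --services b \
    --origins "$SIGMA_ORIGIN" --methods PUT POST GET \
    --allowed-headers '*' --exposed-headers Access-Control-Allow-Origin --max-age 3600

  # Optional IP allowlist: deny by default, then admit each approved range.
  if [ -n "$ALLOWED_IPS" ]; then
    az storage account update --name "$ACCOUNT" --resource-group "$RG" \
      --default-action Deny >/dev/null
    for cidr in $ALLOWED_IPS; do
      az storage account network-rule add --account-name "$ACCOUNT" \
        --resource-group "$RG" --ip-address "$cidr" >/dev/null
    done
  fi
}

# Nothing below talks to Azure unless the script is invoked with "apply".
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as `BROKER_APP_ID=... ALLOWED_IPS="203.0.113.0/24 198.51.100.7" sh setup.sh apply` after `az login`, with the Storage Blob Data Contributor role on the caller if you keep `--auth-mode login` for the container creation. Two points of friction to expect: `az ad sp create` fails if the enterprise application already exists in the tenant (reuse the existing object ID instead), and a freshly created custom role can take a minute to become visible to `az role assignment create`, so a "role not found" error on that step means wait and rerun the assignment rather than recreate the role. Assigning the custom role at container scope rather than at the account is what keeps Sigma's read/write access limited to the one upload container.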