operator-notes: add section for azure blob access

fixes:coreos#2011
prestist · Feb 5, 2025 · e312ee8 · e312ee8
1 parent 6754f74
commit e312ee8
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/docs/operator-notes.md b/docs/operator-notes.md
@@ -30,6 +30,12 @@ Ignition has built-in support for fetching resources from the Amazon Simple Stor
 
 Append `?versionId=<version>` to any of the URL formats to fetch the specified object version.
 
+## Azure Blob access
+
+Ignition supports fetching resources from Azure Blob Storage. The URL format for Azure Blob Storage is `https://<storageAccount>.blob.core.windows.net/<container>/<fileName>`. Ignition will recognize this format and attempt to authenticate using the [default Azure credential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential) to fetch the resource via the [Azure Blob Storage API](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#section-readme).
+
+If the Azure storage blob is public, the resource can be fetched anonymously by falling back on HTTPFetch. For private storage blobs, the resource can only be fetched if valid credentials are available, if unable to authenticate the file will not be fetched, resulting in a 404 error. To configure the credentials, ensure the environment has credentials with the necessary permissions to access the storage account and storage blob. One approach is to configure a managed identity with contributor access to the storage account and assign it to the VM during creation.
+
 ## HTTP headers
 
 When fetching data from an HTTP URL for config references, CA references and file contents, additional headers can be attached to the request using the `httpHeaders` attribute. This allows downloading data from servers that require authentication or some additional parameters from your request.