Azure Blob Storage Setup

This guide explains how to configure Azure Blob Storage as your storage provider for BFFless.

Prerequisites

Azure account with an active subscription
Permissions to create storage accounts (or an existing one)

Step 1: Create a Storage Account

Go to Azure Portal
Search for Storage accounts and click Create
Configure the basics:
- Subscription: Select your subscription
- Resource group: Create new or use existing
- Storage account name: Unique name (e.g., bfflessstorage123)
- Region: Choose closest to your users
- Performance: Standard (recommended) or Premium
- Redundancy: Choose based on your needs (see below)
Click Review + create → Create

Redundancy Options

Option	Description	Use Case
LRS	3 copies in one datacenter	Development, non-critical data
ZRS	3 copies across availability zones	Production, high availability
GRS	6 copies across two regions	Disaster recovery
GZRS	ZRS + GRS combined	Mission-critical applications

Step 2: Create a Container

Open your storage account
Go to Data storage → Containers
Click + Container
Enter a name (e.g., bffless-assets)
Public access level: Private (BFFless uses SAS URLs)
Click Create

Step 3: Get Authentication Credentials

Option A: Account Key (Simple, for development)

Open your storage account
Go to Security + networking → Access keys
Click Show next to key1
Copy the Storage account name and Key

warning

Account keys provide full access to your storage account. Use Managed Identity or SAS tokens in production.

Option B: Connection String

Open your storage account
Go to Security + networking → Access keys
Copy the Connection string for key1

Option C: Managed Identity (Recommended for Azure deployments)

Use this when BFFless runs on Azure (VMs, App Service, AKS, Container Apps).

Enable system-assigned managed identity on your Azure resource:
- App Service: Settings → Identity → System assigned → On
- VM: Settings → Identity → System assigned → On
- AKS: Use workload identity or pod identity

Grant the identity access to storage:

az role assignment create \
  --assignee <managed-identity-object-id> \
  --role "Storage Blob Data Contributor" \
  --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>

Step 4: Configure in BFFless

Via Setup Wizard

Navigate to the BFFless setup wizard
Select Azure Blob Storage as storage provider
Enter your configuration:
- Account Name: Your storage account name
- Container Name: Your container name
- Authentication Method: Choose one:
  - Account Key: Paste the storage account key
  - Connection String: Paste the full connection string
  - Managed Identity: For Azure-hosted BFFless
Click Test Connection & Save

Via Environment Variables

# Storage provider type
STORAGE_TYPE=azure

# Azure Blob Storage Configuration
AZURE_STORAGE_ACCOUNT=bfflessstorage123
AZURE_STORAGE_CONTAINER=bffless-assets

# Option 1: Account Key
AZURE_STORAGE_KEY=your-storage-account-key

# Option 2: Connection String
AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=...;AccountKey=...;EndpointSuffix=core.windows.net"

# Option 3: Managed Identity (no additional config needed)
# Just don't set AZURE_STORAGE_KEY or AZURE_STORAGE_CONNECTION_STRING

Access Tiers

Azure Blob Storage offers different access tiers:

Tier	Use Case	Storage Cost	Access Cost
Hot	Frequently accessed	Higher	Lower
Cool	Infrequent access (30+ days)	Lower	Higher
Cold	Rare access (90+ days)	Even lower	Even higher
Archive	Long-term backup	Lowest	Highest + rehydration time

Troubleshooting

"AuthorizationFailure" Error

Verify the account key or connection string is correct
Check that the storage account exists and is accessible
For Managed Identity, verify the role assignment is correct
Ensure the container exists

"ContainerNotFound" Error

Verify the container name is correct
Check for typos (container names are case-sensitive)
Ensure the container exists in the storage account

"AuthenticationFailed" Error

Account key may be incorrect or rotated
Connection string may be malformed
Managed Identity may not have the required role
Check if storage account firewall is blocking access

Slow Performance

Enable BFFless caching to reduce blob storage requests
Use a region closer to your users
Consider Azure CDN for edge caching

Security Best Practices

Never commit credentials to version control
Use Managed Identity when running on Azure
Rotate storage keys regularly (every 90 days)
Enable soft delete for accidental deletion protection
Use Private endpoints for network isolation
Enable Azure Defender for Storage for threat detection
Enable storage analytics logging for audit trails
Use customer-managed keys (CMK) for encryption
Disable public blob access at the storage account level

Prerequisites​

Step 1: Create a Storage Account​

Redundancy Options​

Step 2: Create a Container​

Step 3: Get Authentication Credentials​

Option A: Account Key (Simple, for development)​

Option B: Connection String​

Option C: Managed Identity (Recommended for Azure deployments)​

Step 4: Configure in BFFless​

Via Setup Wizard​

Via Environment Variables​

Access Tiers​

Troubleshooting​

"AuthorizationFailure" Error​

"ContainerNotFound" Error​

"AuthenticationFailed" Error​

Slow Performance​

Security Best Practices​

Related Guides​