Configure the Azure Storage extension in Azure Database for PostgreSQL

You must follow these steps to be able to use the Azure Storage extension:

1. Identify Azure Storage accounts
2. Choose type of authorization
3. Load the extension's library
4. Allow list the extension
5. Create the extension
6. Initialize encryption key to encrypt sensitive credentials
7. Use the extension to import and export data

Identify the Azure Storage accounts

Identify the Azure Storage accounts with which you want users of the extension to interact, to import data from or export data to.

Choose type of authorization

Decide which type of authorization you want to use for the requests made against the blob service of each of those Azure Storage accounts. azure_storage extension supports authorization with Shared Key, and authorization with Microsoft Entra ID.

Of these two types of authorization, Microsoft Entra ID provides superior security and ease of use over Shared Key, and is the one Microsoft recommends.

To meet the prerequisites needed in each case, follow the instructions in the corresponding sections:

• Authorization with Microsoft Entra ID, or
• Authorization with Shared Key.

To use authorization with Microsoft Entra ID

1. Enable Firewall rules in Azure Database for PostgreSQL on your Azure Database for PostgreSQL flexible server instance.
2. Restart PostgreSQL engine, after enabling a system assigned managed identity on it.
3. Assign role-based access control (RBAC) permissions for access to blob data, on the Azure Storage account, to the System Assigned Managed Identity of your instance of Azure Database for PostgreSQL flexible server.

Enable System Assigned Managed Identity

az rest \
  --method patch \
  --url https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<flexible_server_resource_group>/providers/Microsoft.DBforPostgreSQL/flexibleServers/<flexible_server_name>?api-version=2024-08-01 \
  --body '{"identity":{"type":"SystemAssigned"}}'

To use authorization with Shared Key

1. Confirm that storage account allows access to its key
2. Fetch one of the two access keys of the storage account

Confirm that storage account allows access to its key

Your Azure Storage account must have Allow storage account key access enabled (that is, it can't have its AllowSharedKeyAccess property set to false).

az storage account update \
  --resource-group <storage_account_resource_group> \
  --name <account_name> \
  --allow-shared-key-access true

Fetch one of the two access keys of the storage account

To pass it to the azure_storage.account_add function, fetch either of the two access keys of the Azure Storage account.

az storage account keys list \
  --resource-group <storage_account_resource_group> \
  --account-name <account_name> \
  --query [0].value \
  --output tsv

Load the extension's library

Configure your server so that it loads the azure_storage binary module when it's started.

az postgres flexible-server parameter set \
  --resource-group <resource_group>
  --server-name <server>
  --name shared_preload_libraries \
  --source user-override \
  --value azure_storage,$(az postgres flexible-server parameter show \
                            --resource-group <resource_group> \
                            --server-name <server> \
                            --name shared_preload_libraries \
                            --query value \
                            --output tsv)

az postgres flexible-server restart \
  --resource-group <resource_group> \
  --name <server>

Allow list the extension

You must allow list the extension so that users can run CREATE EXTENSION, DROP EXTENSION, ALTER EXTENSION, COMMENT ON EXTENSION.

az postgres flexible-server parameter set \
  --resource-group <resource_group> \
  --server-name <server> \
  --name azure.extensions \
  --source user-override \
  --value azure_storage,$(az postgres flexible-server parameter show \
                            --resource-group <resource_group>
                            --server-name <server> \
                            --name azure.extensions \
                            --query value \
                            --output tsv)

Create the extension

Use the client of your preference, like PostgreSQL for Visual Studio Code (Preview), psql, or PgAdmin, to connect to the database in which you want to use the Azure Storage extension.

To create all SQL objects (tables, types, functions, views, etc.) with which you can use the azure_storage extension to interact with instances of Azure Storage accounts, execute the following statement:

CREATE EXTENSION azure_storage;

Initialize encryption key to encrypt sensitive credentials

Use the client of your preference, like PostgreSQL for Visual Studio Code (Preview), psql, or PgAdmin, to connect to the database in which you want to use the Azure Storage extension.

To initialize the encryption key with which all sensitive credentials used to authenticate with the different Azure storage accounts, execute the following statement:

ALTER DATABASE <database_with_created_extension> SET azure_storage.credential_encryption_key = '<strong_passphrase>';

If you create the extension in multiple databases, you must initialize the value of azure_storage.credential_encryption_key at the database level, so all sensitive credentials kept in that database are encrypted using the same key.

To set the value of azure_storage.credential_encryption_key, you must be member of the azure_storage_admin role. Then connect to the server, in the context of the database in which you created the extension. And, in that context, execute ALTER DATABASE <database_with_created_extension> SET azure_storage.credential_encryption_key = '<strong passphrase>'; to initialize the encryption key that's used to encrypt all Azure storage account credentials kept by the extension in the catalog of that database. After running this command, you must disconnect and reconnect to the database again, so that the override value takes effect, and you should also invoke the azure_storage.account_encrypt_existing_credentials() function so that the credentials of existing accounts which were never encrypted before with any other key, are encrypted with this key. To do so, execute SELECT azure_storage.account_encrypt_existing_credentials();.

Although possible, we recommend against trying to use other statements like ALTER ROLE or ALTER ROLE IN DATABASE to set the value of azure_storage.credential_encryption_key.

If you change the value of azure_storage.credential_encryption_key, you'll have to manually add again, using azure_storage.account_add, all storage accounts for which you provided a sensitive credential (an access key or a SAS token) which was encrypted with the previous value. Currently the extension doesn't support automatic rollover of encryption key.

Use the extension to import and export data

Now you're ready to add the storage accounts with which you want to interact (using the azure_storage.account_add function). Then you can import data stored in files in Azure Storage accounts, by using the azure_storage.blob_get function or the COPY FROM statement, or you can export data from PostgreSQL into files in an Azure Storage account, by using the azure_storage.blob_put function or the COPY TO statement.

Check out the list of quickstart examples:

• Create an Azure Storage account and populate it with data
• Create a table in which data is loaded
• Add access key of storage account
• Grant access to a user or role on the Azure Blob storage reference
• List all blobs in a container
• List blobs with a specific name prefix
• Import data using a COPY FROM statement
• Export data using a COPY TO statement
• Read content from a blob
• Read, filter, and modify content read from a blob
• Read content from file with custom options (headers, column delimiters, escape characters)
• Use the decoder option
• Compute aggregations over the content of a blob
• Write content to a blob
• List all the references to Azure storage accounts
• Revoke access from a user or role on the Azure Blob storage reference
• Remove reference to storage account

In case you need to review all functions offered by the extension and all the details about each of them, review the full reference:

• azure_storage.account_add
• azure_storage.account_options_managed_identity
• azure_storage.account_options_credentials
• azure_storage.account_options
• azure_storage.account_remove
• azure_storage.account_user_add
• azure_storage.account_user_remove
• azure_storage.account_list
• azure_storage.blob_list
• azure_storage.blob_get
• azure_storage.blob_put
• azure_storage.options_csv_get
• azure_storage.options_copy
• azure_storage.options_tsv
• azure_storage.options_binary

And, if you need to do some troubleshooting, review the list of errors that the extension can produce, and the context in which they can be raised.

Related content

• Quickstart examples for the Azure Storage extension in Azure Database for PostgreSQL
• Troubleshoot the Azure Storage extension in Azure Database for PostgreSQL
• Reference of functions provided by the Azure Storage extension in Azure Database for PostgreSQL
• Azure storage extension in Azure Database for PostgreSQL
• Extensions and modules