Cloud Integrations
Azure Blob
There are three parts to integrating Azure with Encord:
Paste the tenant ID into Step 4 of the Azure integrations window, after you have added the cord-integrator app, granted it storage account, and container permissions and located your Azure tenant.
In the example above, preflight requests are valid for 1 hour. Use the ‘Max Age’ variable to adjust the number of seconds the browser is allowed to make requests before it must repeat the preflight request.
Paste the URL of any object in your Azure storage and click Check Encord can access this URL. If the test is successful a green tick appears next to Encord infrastructure and This machine.
Shared access tokens expire and have to be updated in order to continue providing Encord with access to your Azure storage.
To update the account-level SAS token:
- Creating the integration with the Encord platform.
- Authenticating your storage account for integration on the Azure platform.
Ensure that all objects in your Azure Blob have the Hot Tier access tier.
- Setting up Cross-Origin Resource Sharing (CORS) on Azure.
1. Start Setting up the Integration
- In Encord, navigate to the Integrations section and click the Add integration button.
- Click on Azure.
- Give your integration a meaningful name.
2. Register the Azure storage account with Encord
- Paste the name of your Azure storage account into Step 2 of the integration.
3. Select authentication type
Select your preferred method of authentication in Step 3 the Azure integration window.4. Authenticate Azure
You can authenticate Azure in two different ways:Using a service principal to authenticate requires admin privileges for the Azure account.
Method 1: Generating an Account-Level SAS
- In Azure, navigate to Storage Accounts under Azure services and select the storage account you wish to integrate.
- Next, click on Shared access signature in the Security + networking section.
- You must check the Container and Object checkboxes under the Allowed resource types heading. Ensure you add the necessary permissions:
- Read (required)
- List (required)
- Write (recommended)
- Add (recommended)
- Create (recommended)
recommended permissions are necessary to use some of our more advanced features such as re-encoding data, and image sequences.
- Click Generate SAS and connection string when you are ready to generate your account-level SAS token.
Your SAS token has a start and end date that can be adjusted, and is valid for the specified time period. Expired tokens must be updated.
To avoid having to update the token frequently, set the expiration date to be more than one year.
- Paste the SAS token into Step 4 of the Azure integration window, in Encord.
Method 2: Using a Service Principal
Using a service principal to authenticate you require you to:Adding the cord-integrator app to Azure tenant
There are three different ways to add the cord-integrator app to Azure tenant:- Using a browser.
- Using Azure powershell.
-
By granting storage account and container permissions to
cord-integrator.
You need to have admin privileges for your Azure account to authenticate via a service principal.
Adding the cord-integrator app in a browser
You can add the cord-integrator application in the Settings of the Encord app. If logged in to the Encord platform, you are redirected to the ‘Azure integration’ screen after the application was successfully added.
Adding the cord-integrator app via Azure Powershell
Granting storage account and container permissions to cord-integrator
The cord-integrator must be granted two types of permissions in order to function:- The Storage Blob Data Contributor role at the container level
- The Storage Blob Delegator role at the storage account level
Find your Azure tenant ID
You can find the Azure Tenant ID in the Active Directory overview of your Azure project.5. Creating a CORS Configuration in Azure
A CORS configuration must be applied to the Azure storage account you want to integrate with Encord. This enables Encord to request resources from the specified service account using a browser.- Navigate to the Resource Sharing (CORS) section under Settings of your storage account.
- Input the following values in the Blob service tab of Resource Sharing (CORS) page:
| Allowed origins | Allowed methods | Allowed headers | Exposed headers | Max age |
|---|---|---|---|---|
| <https://app.encord.com\> | GET, POST, OPTIONS, PUT | * | * | 3600 |
| <https://api.encord.com\> | GET, POST, OPTIONS, PUT | * | * | 3600 |
| <https://app.us.encord.com\> | GET, POST, OPTIONS, PUT | * | * | 3600 |
| <https://api.us.encord.com\> | GET, POST, OPTIONS, PUT | * | * | 3600 |
For customers working with teams in India
For customers working with teams in India
Some users find it more reliable to access our Encord App deployment focused for Indian users. Instruct your team based in India to use https://app.in.encord.com and add that domain to your permitted CORS settings.
| Allowed origins | Allowed methods | Allowed headers | Exposed headers | Max age |
|---|---|---|---|---|
| <https://app.encord.com\> | GET, POST, OPTIONS, PUT | * | * | 3600 |
| <https://api.encord.com\> | GET, POST, OPTIONS, PUT | * | * | 3600 |
| <https://app.in.encord.com\> | GET, POST, OPTIONS, PUT | * | * | 3600 |
- Click Save to save the CORS configuration.
- Click Create to finish setting up the integration, in Encord.
6. Test Your Integration
Click the Run a test button on the integration, to test that the integration works.Updating Expired Account-Level SAS Tokens
This section is only applicable if you used an account-level shared access token to authenticate.
- Click the three dots icon on your Azure integration.
- Click Update SAS token.
- In Azure, navigate to Storage Accounts under Azure services and select the storage account you wish to update the token for.
- Click on Shared access signature in the Security + networking section.
- You must check the Container and Object checkboxes under the Allowed resource types heading. Ensure you add the necessary permissions:
- Read (required)
- List (required)
- Write (recommended)
- Add (recommended)
- Create (recommended)
recommended permissions are necessary to use some of our more advanced features such as re-encoding data, and image sequences.
- Click Generate SAS and connection string to generate a new account-level SAS token.
Your SAS tokens have a start and end date that can be adjusted, and are only be valid for the specified time period. Expired tokens must be updated.
To avoid having to update the token frequently, set the expiration date to be more than one year.
- Paste the new SAS token, in Encord.