# Azure Blob Storage Sink Configuration Guide This guide walks you through configuring Microsoft Azure Blob Storage for the purpose of creating an integration with Synqly's Sink connector. The Sink connector writes event batches to your container as compressed JSON files. ## Prerequisites Before you begin, ensure you have: - Access to the [Azure Portal](https://portal.azure.com) with an active subscription - Permission to create storage accounts and containers (or an existing storage account with a container) - Permission to view access keys or generate shared access signatures (SAS) for the storage account ## Required Permissions | Permission | Purpose | | --- | --- | | Write | Write event batches to the container | | List | Verify connectivity during setup | If you use a SAS token (recommended), you can scope these permissions to a single container. If you use an account access key, the key grants full access to the entire storage account. ## 1. Create a Storage Account If you already have a storage account, skip to step 2. 1. In the Azure Portal, navigate to **Storage accounts** and click **Create**. 2. Select your subscription and resource group. 3. Enter a unique **Storage account name** and select a **Region**. 4. Configure the remaining settings to match your organization's requirements and click **Review + Create**, then **Create**. For more details, see [Create a storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create). ## 2. Create a Blob Container 1. Open your storage account in the Azure Portal. 2. In the left menu, navigate to **Data storage > Containers**. 3. Click **+ Container**. 4. Enter a **Name** for the container and click **Create**. Note the **container name** — you will need it when configuring the integration. ## 3. Get a Connection String The Synqly integration authenticates using an Azure Storage connection string. You can use either a SAS-based connection string (recommended) or an account key connection string. SAS Token (Recommended) A shared access signature (SAS) lets you grant scoped, time-limited access to a specific container. This is the least-privilege option. ### Generate a SAS Token 1. Open your storage account in the Azure Portal. 2. In the left menu, navigate to **Security + networking > Shared access signature**. 3. Configure the SAS settings: - **Allowed services**: Select **Blob** only. - **Allowed resource types**: Select **Container** and **Object**. - **Allowed permissions**: Select **Write** and **List**. - **Start and expiry date/time**: Set an appropriate validity window. Plan to rotate the token before it expires. - **Allowed protocols**: Select **HTTPS only**. 4. Click **Generate SAS and connection string**. 5. Copy the **Connection string** value (the one that begins with `BlobEndpoint=`). The SAS connection string is shown only once. Copy it immediately and store it securely. If you lose it, you will need to generate a new SAS token. The SAS connection string follows this format: ``` BlobEndpoint=https://.blob.core.windows.net;SharedAccessSignature= ``` For tighter scoping, you can generate a SAS token at the container level instead of the account level. Navigate to your container, click **Shared access tokens** in the left menu, configure the permissions, and build the connection string manually using the format above with the generated token. Account Access Key An account access key grants full access to the entire storage account. This is simpler to set up but provides broader access than necessary. ### Copy the Connection String 1. Open your storage account in the Azure Portal. 2. In the left menu, navigate to **Security + networking > Access keys**. 3. Click **Show** next to one of the two keys. 4. Copy the **Connection string** value. The account key connection string follows this format: ``` DefaultEndpointsProtocol=https;AccountName=;AccountKey=;EndpointSuffix=core.windows.net ``` Account access keys grant full control over the storage account. Rotate keys periodically and store them securely. Consider creating a dedicated storage account for this integration to limit the blast radius. ## Configure the Integration Create your integration by supplying the following values. | Integration Parameter | Description | | --- | --- | | Credential | The connection string gathered in step 3. Paste the full string as the token secret. | | Container | The name of the blob container created in step 2. | | Path | A prefix path for event files inside the container. | The **Path** field controls where event files land inside your container. Events are written to `{path}/{location}/{YYYY/MM/DD}/{timestamp}.json.gz`. For example, if you set the path to `events/sink`, files will be written to paths like `events/sink/my-location/2026/04/28/2026-04-28T12:00:00.000000000Z.json.gz`. Choose a path that makes it easy to organize and query your event data. ## Additional Resources - [Create a storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create) - [Create a blob container](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal) - [Configure Azure Storage connection strings](https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string) - [Grant limited access with shared access signatures (SAS)](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview) - [Manage storage account access keys](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)