# Azure

Give your agent access to Azure services — Blob Storage, Azure OpenAI, ARM, and more. The Pai sidecar uses the client-credentials OAuth2 flow to obtain a short-lived access token and refreshes it automatically.

## Get credentials
- Go to Azure Active Directory → App registrations → New registration.
- Note the Application (client) ID and Directory (tenant) ID.
- Go to Certificates & secrets → New client secret and copy the value.
- Grant the app the required RBAC role on the target resource.
## Setup

Store the credentials, then create a Provider:

```bash
# 1. Store the credentials in a Pai secret
pai add secret azure-sp \
  --from-literal client_id=YOUR_CLIENT_ID \
  --from-literal client_secret=YOUR_CLIENT_SECRET

# 2. Create the Provider
pai apply -f - <<EOF
apiVersion: pai.io/v1
kind: Provider
metadata:
  name: azure-storage
spec:
  type: azure
  auth:
    type: azure-client-credentials
    secretRef: azure-sp
  config:
    tenantId: "your-tenant-id"
    services: [storage]
  policy:
    allow:
      - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    deny:
      - "Microsoft.Storage/storageAccounts/delete"
EOF
```
## Config fields

| Field | Description |
|---|---|
| `config.tenantId` | Azure AD tenant ID |
| `config.services` | Restrict to specific Azure service APIs (e.g. `[storage, arm]`). Omit to allow all |

## Supported actions

Actions use the Azure RBAC operation format `Provider/resource/action`:

| Service | Example actions |
|---|---|
| Blob Storage | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` |
| Storage accounts | `Microsoft.Storage/storageAccounts/read`, `Microsoft.Storage/storageAccounts/delete` |
| ARM (general) | `Microsoft.Resources/subscriptions/resourceGroups/read` |
## Attach to an agent

```yaml
spec:
  providers:
    - azure-storage
```

## Access control

`policy.allow` / `policy.deny` gate which Azure RBAC operations agents can call; `audit.enforcement: audit` lets you roll a new policy out safely before flipping it to `enforce`. See the Policy reference for the full field list and examples.
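As an added example (not Pai's own code), here is a small Python evaluator that applies a `policy.allow` / `policy.deny` pair like the one in the manifest above to Azure RBAC operation strings, with an `audit` mode that only reports. Deny-over-allow precedence, `*` wildcard support and the exact audit behaviour are assumptions; the page does not state Pai's evaluation rules.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Literal

# Constructed to mirror the policy block of the azure-storage Provider above.
POLICY = {
    "allow": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "deny": ["Microsoft.Storage/storageAccounts/delete"],
}


@dataclass
class Decision:
    action: str
    allowed: bool   # outcome of the allow/deny evaluation
    blocked: bool   # True only when enforcement actually stops the request
    reason: str


def _matches(pattern: str, action: str) -> bool:
    # Azure operation names are case-insensitive; '*' as a wildcard is an
    # assumption (the page only shows literal operation strings).
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: dict, action: str,
             enforcement: Literal["audit", "enforce"] = "enforce") -> Decision:
    """Evaluate one 'Provider/resource/action' string against a policy.

    Assumed rules: an explicit deny wins over any allow, an action matching no
    allow rule is refused, and in audit mode a violation is reported but the
    request is still let through.
    """
    if action.count("/") < 2:
        allowed, reason = False, "not a Provider/resource/action string"
    elif any(_matches(p, action) for p in policy.get("deny", [])):
        allowed, reason = False, "explicit deny"
    elif any(_matches(p, action) for p in policy.get("allow", [])):
        allowed, reason = True, "matched allow"
    else:
        allowed, reason = False, "no allow rule"
    blocked = (not allowed) and enforcement == "enforce"
    if not allowed and not blocked:
        print(f"AUDIT: would block {action} ({reason})")
    return Decision(action, allowed, blocked, reason)
```

Run a proposed policy in `audit` mode against your agent's real traffic first; every `AUDIT: would block` line is a call that will fail once you switch to `enforce`.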