Azure
Give your agent access to Azure services — Blob Storage, Azure OpenAI, ARM, and more. The Pai sidecar uses the client credentials flow to obtain a short-lived OAuth2 token and refreshes it automatically.
Get credentials
- Go to Azure Active Directory → App registrations → New registration
- Note the Application (client) ID and Directory (tenant) ID
- Go to Certificates & secrets → New client secret, copy the value
- Grant the app the required RBAC role on the target resource
Setup
```bash
# 1. Store the credentials
#    (values typed as literals on the command line can be saved in shell history)
pai add secret azure-sp \
  --from-literal client_id=YOUR_CLIENT_ID \
  --from-literal client_secret=YOUR_CLIENT_SECRET

# 2. Create the provider
pai apply -f - <<EOF
apiVersion: pai.io/v1
kind: Provider
metadata:
  name: azure-storage
spec:
  type: azure
  auth:
    type: azure-client-credentials
    secretRef: azure-sp
  config:
    tenantId: "your-tenant-id"
    services: [storage]
  policy:
    allow:
      - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    deny:
      - "Microsoft.Storage/storageAccounts/delete"
EOF
```
Attach to an agent
```yaml
spec:
  providers:
    - azure-storage
```
Config fields
| Field | Description |
|---|---|
| config.tenantId | Azure AD tenant ID |
| config.services | Restrict to specific Azure service APIs (e.g. [storage, arm]). Omit to allow all |
Supported actions
Actions use the Azure RBAC operation format `Provider/resource/action`:
| Service | Example actions |
|---|---|
| Blob Storage | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
| Storage accounts | Microsoft.Storage/storageAccounts/read, Microsoft.Storage/storageAccounts/delete |
| ARM (general) | Microsoft.Resources/subscriptions/resourceGroups/read |
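
The client credentials exchange mentioned in the introduction, as an added Python sketch (not Pai's own code): it builds the token request for the Microsoft identity platform v2.0 endpoint and reuses the token until shortly before it expires. The service-to-scope mapping, the `TokenCache` class, the 300-second refresh margin and the fake endpoint and credential values in `demo()` are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumption: this service-name-to-scope mapping is illustrative, not taken from Pai.
SCOPES = {"storage": "https://storage.azure.com/.default",
          "arm": "https://management.azure.com/.default"}

def build_token_request(tenant_id, client_id, client_secret, service):
    """Return (url, form body) for the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPES[service]}
    return url, urllib.parse.urlencode(form).encode()

def http_post(url, body):  # real transport; demo() swaps in a fake
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """One cached token per service, refreshed `skew` seconds before expiry."""
    def __init__(self, tenant_id, client_id, client_secret,
                 post=http_post, clock=time.time, skew=300):
        self.creds = (tenant_id, client_id, client_secret)
        self.post, self.clock, self.skew = post, clock, skew
        self._cache = {}  # service -> (access_token, expires_at)

    def get(self, service):
        token, expires_at = self._cache.get(service, (None, 0))
        if token and self.clock() < expires_at - self.skew:
            return token  # still valid with margin: no request is sent
        resp = self.post(*build_token_request(*self.creds, service))
        self._cache[service] = (resp["access_token"], self.clock() + int(resp["expires_in"]))
        return resp["access_token"]

def demo():
    """Constructed run with a fake clock and a fake token endpoint."""
    now, calls = [1000.0], []
    def fake_post(url, body):
        calls.append(urllib.parse.parse_qs(body.decode())["scope"][0])
        return {"expires_in": 3600, "access_token": f"constructed-token-{len(calls)}"}
    cache = TokenCache("tenant", "client-id", "secret", fake_post, lambda: now[0])
    first = cache.get("storage")
    now[0] += 3000                 # 600 s of lifetime left: served from cache
    second = cache.get("storage")
    now[0] += 400                  # 200 s left: inside the margin, so refreshed
    third = cache.get("storage")
    return first, second, third, calls
```

Because the token is requested per scope, a credential limited to `storage` never yields a token that the ARM endpoint would accept.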