Azure Blob Storage
This guide covers setting up an Azure Blob Storage connector in Slim.io using a Service Principal with OAuth2 client credentials.
Prerequisites
- An Azure subscription with Storage Accounts containing blobs you want to scan
- Azure Active Directory permissions to create app registrations
- Access to the Azure Portal or Azure CLI
Service Principal Setup
Step 1: Create an App Registration
- In the Azure Portal, navigate to Azure Active Directory > App registrations.
- Click New registration.
- Name it `slim-io-scanner` (or your preferred name).
- Set Supported account types to “Accounts in this organizational directory only.”
- Click Register.
Step 2: Create a Client Secret
- In the app registration, go to Certificates & secrets.
- Click New client secret.
- Set a description (e.g., “Slim.io Scanner”) and expiration period.
- Click Add and immediately copy the secret value — it will not be shown again.
Store the client secret securely. It is displayed only once upon creation. If lost, you must generate a new secret and update the connector configuration in Slim.io.
Step 3: Grant Storage Access
- Navigate to the target Storage Account in the Azure Portal.
- Go to Access control (IAM) > Role assignments.
- Click Add > Add role assignment.
- Select the Storage Blob Data Reader role.
- Assign it to the `slim-io-scanner` app registration.
- Click Save.
Repeat for each storage account you want to scan, or assign the role at the resource group or subscription level for broader access.
Step 4: Note the Required Values
Collect these values from the Azure Portal:
| Value | Location |
|---|---|
| Tenant ID | Azure AD > Overview > Tenant ID |
| Client ID | App registration > Overview > Application (client) ID |
| Client Secret | Created in Step 2 |
| Storage Account Name | Storage Account > Overview |
Connector Configuration in Slim.io
- Navigate to Connectors > Add Connector in the Customer Dashboard.
- Select Microsoft Azure.
- Enter the Tenant ID, Client ID, and Client Secret.
- Enter the Storage Account Name.
- Optionally, configure container filters and prefix scope.
- Click Test Connection.
If the test succeeds, the connector status changes to Active.
Required RBAC Roles
| Role | Purpose |
|---|---|
| Storage Blob Data Reader | Read access to blob data in the storage account |
The Reader role alone is not sufficient — it grants management plane access but not data plane access. You specifically need Storage Blob Data Reader for Slim.io to read blob contents.
Multi-Storage Account Setup
For organizations with multiple storage accounts, you have two options:
- One connector per storage account — Create a separate connector for each storage account with its own Service Principal
- Shared Service Principal — Use a single Service Principal with `Storage Blob Data Reader` assigned at the subscription or resource group level, then create one connector per storage account referencing the same credentials
Option 2 reduces credential management overhead but grants broader access.
Troubleshooting
“Authorization Failed” on Test Connection
- Verify the Tenant ID and Client ID are correct
- Confirm the client secret has not expired
- Check that `Storage Blob Data Reader` is assigned on the correct storage account (not just the `Reader` role)
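The role check above can also be run against the JSON from `az role assignment list --assignee <client-id> --all -o json`. The following is an added example, not part of the original guide or Slim.io's code: it reports whether the Service Principal has data-plane read access to one storage account and flags grants made at resource group or subscription scope. The function names, sample assignments and placeholder IDs are constructed for illustration, and it checks only the role this guide names.

```python
DATA_ROLE = "Storage Blob Data Reader"  # data-plane role this guide requires
MGMT_ROLE = "Reader"                    # management plane only, not sufficient

def scope_level(scope):
    """Classify an RBAC scope string by how broad it is."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if "storageaccounts" in parts:
        return "storage-account"
    return "resource-group" if "resourcegroups" in parts else "subscription"

def scope_account(scope):
    """Storage account named in a scope, or None for a broader scope."""
    parts = scope.strip("/").split("/")
    lowered = [p.lower() for p in parts]
    if "storageaccounts" not in lowered:
        return None
    return parts[lowered.index("storageaccounts") + 1].lower()

def audit(assignments, account):
    """Return (can_read_blobs, findings) for one storage account.

    Assumption: any broader-scope assignment is on the subscription or
    resource group that actually contains the account.
    """
    relevant = [a for a in assignments
                if scope_account(a["scope"]) in (None, account.lower())]
    data = [a for a in relevant if a["roleDefinitionName"] == DATA_ROLE]
    findings = []
    if not data and any(a["roleDefinitionName"] == MGMT_ROLE for a in relevant):
        findings.append("only Reader assigned: no data-plane access")
    elif not data:
        findings.append(f"{DATA_ROLE} not assigned")
    for a in data:
        level = scope_level(a["scope"])
        if level != "storage-account":
            findings.append(f"{DATA_ROLE} granted at {level} scope: broader access")
    return bool(data), findings

# Constructed sample (placeholder subscription, group and account names).
RG = "/subscriptions/0000/resourceGroups/rg-data"
SAMPLE = [
    {"roleDefinitionName": "Reader",
     "scope": RG + "/providers/Microsoft.Storage/storageAccounts/acctone"},
    {"roleDefinitionName": DATA_ROLE,
     "scope": RG + "/providers/Microsoft.Storage/storageAccounts/accttwo"},
]

if __name__ == "__main__":
    for name in ("acctone", "accttwo"):
        print(name, audit(SAMPLE, name))
```

To audit a real Service Principal, load the saved CLI output with `json.load` and pass the resulting list to `audit` in place of `SAMPLE`.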
“Storage Account Not Found”
- Verify the storage account name is spelled correctly (case-sensitive)
- Ensure the storage account is in the same Azure AD tenant as the Service Principal
Client Secret Rotation
When rotating client secrets:
- Create a new secret in the app registration
- Update the connector in Slim.io with the new secret value
- Test the connection to verify
- Delete the old secret from Azure AD
Next Steps
- Run Your First Scan — Trigger a scan on this connector
- Event-Driven Scanning — Set up automatic scans via Azure Event Grid