Azure Blob Storage File Transfer — Xferity Secure MFT
Azure Blob Storage
Xferity supports Azure Blob Storage as a transfer endpoint for upload and download flows. This covers Azure Storage Accounts in all regions, Azure Government, and local emulation via Azurite.
What Azure Blob is in Xferity
Azure Blob Storage is an object API transport. Like S3, it does not use session-based directory browsing — it operates via REST API calls to list, get (download), and put (upload) blobs in a container with an optional prefix.
This makes it well-suited for:
- delivering reports or data exports to Azure Storage Accounts
- picking up files from partners who use Azure cloud storage
- staging files for Azure-native downstream services (Azure Functions, Data Factory, Logic Apps)
- archiving encrypted transfers in blob storage
Trust model
Azure Blob Storage trust depends on:
- TLS to the Azure Blob REST endpoint (HTTPS enforced by the library)
- credentials that authorize read/write access to the specific container
- network access to the storage account endpoint
There is no built-in per-partner message signing like AS2.
Authentication modes
DefaultAzureCredential (managed identity / workload identity)

```yaml
id: azure-reports
protocol: azure_blob
azure_blob:
  account_name: companystorageacct
  container: mft-outbound
  prefix: reports/
  use_default_chain: true
```

When use_default_chain=true, Xferity delegates credential resolution to the Azure SDK DefaultAzureCredential chain, which checks:
- Environment variables (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET)
- Workload identity (AKS, EKS with OIDC)
- Managed Identity (VM, App Service, Azure Container Instances)
- Azure CLI credentials (az login)
- Azure Developer CLI credentials
Use this for identity-based authentication in Azure environments. No secrets need to be stored in configuration.
Shared account key
```yaml
id: partner-blob-upload
protocol: azure_blob
azure_blob:
  account_name: partnerexchangestorage
  account_key: env:PARTNER_AZURE_ACCOUNT_KEY
  container: incoming-files
  prefix: uploads/
  use_default_chain: false
```

Use secret references (env:, file:, vault:) for the account_key field.
Connection string
```yaml
id: legacy-integration-blob
protocol: azure_blob
azure_blob:
  connection_string: env:LEGACY_AZURE_CONNECTION_STRING
  container: transfer-staging
  use_default_chain: false
```

A connection string contains both endpoint and credentials in a single value. Always store it as a secret reference. Connection string authentication takes precedence over account_name + account_key when both are present.
Local emulation with Azurite
```yaml
id: azurite-dev
protocol: azure_blob
azure_blob:
  account_name: devstoreaccount1
  account_key: env:AZURITE_ACCOUNT_KEY
  container: mft-dev
  prefix: test/
  endpoint_url: http://localhost:10000/devstoreaccount1
  use_default_chain: false
```

Set endpoint_url to point to a local Azurite emulator or a custom Azure Stack endpoint.
Configuration fields
| Field | Required | Description |
|---|---|---|
| account_name | see auth notes | Storage account name. Required for shared-key and default-chain auth. |
| account_key | see auth notes | Storage account key or secret reference. Required when use_default_chain=false and no connection_string. |
| connection_string | see auth notes | Full connection string or secret reference. Alternative to account_name + account_key. |
| container | yes | Blob container name. Must already exist. |
| prefix | no | Blob key prefix (no leading slash). Trailing slash stripped automatically. |
| endpoint_url | no | Custom blob service endpoint (e.g. Azurite, Azure Stack). |
| use_default_chain | no | Use DefaultAzureCredential. Set true for managed identity / workload identity scenarios. |
Auth precedence: connection_string → account_name + account_key → use_default_chain.
Flow example: Azure Blob upload
```yaml
flows:
  reports-to-azure:
    direction: upload
    enabled: true
    target:
      partner: azure-reports
      path: reports/daily
    local:
      path: ./storage/reports/outgoing
    files:
      - pattern: "*.csv"
    idempotency_mode: hash
    delete_after_upload: true
    schedule_cron: "0 0 18 * * 1-5"
```

The path in the target section is appended to the partner’s prefix to form the final blob key prefix. Files are uploaded as block blobs using streaming multipart upload with 4 MiB blocks.
Flow example: Azure Blob download
```yaml
flows:
  partner-files-from-azure:
    direction: download
    enabled: true
    source:
      partner: partner-blob-upload
      path: uploads/
    local:
      path: ./storage/partner/incoming
    files:
      - pattern: "*.xml"
    idempotency_mode: hash
    delete_remote_after_decrypt: false
    schedule_cron: "0 */15 * * * *"
```

The download flow uses the blob list operation (the Blob Storage equivalent of a WebDAV PROPFIND) to enumerate objects under the prefix, then downloads each matching blob to a local temp file before decryption.
Blob upload behavior
- Files are uploaded as block blobs using the Azure SDK’s UploadStream with 4 MiB blocks and 3 concurrent upload goroutines.
- Uploads are atomic from the service perspective — the blob appears only when all blocks are committed.
- If a transfer fails mid-upload, uncommitted blocks are automatically garbage-collected by Azure Storage after 7 days.
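The three points above describe the staged-block pattern: blocks are uploaded independently, and the blob only comes into existence when the ordered block list is committed. The following is an added example, not Xferity's or the Azure SDK's code, that models that pattern against a constructed in-memory stand-in for the Blob service (`FakeBlobService`, an assumption of this example). It splits a stream into fixed-size blocks, stages at most three at a time, and commits only if every stage call succeeded, so a mid-upload failure leaves orphaned staged blocks but never a partial, visible blob. `FailAt` is fault injection for the example; it has no counterpart in the real service.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"sync"
	"sync/atomic"
)

// Values from the page: 4 MiB blocks, 3 concurrent upload goroutines.
const DefaultBlockSize = 4 * 1024 * 1024
const Concurrency = 3

// FakeBlobService is a constructed in-memory stand-in for Azure Blob Storage: staged
// blocks live apart from committed blobs, so a blob is visible only after
// CommitBlockList. FailAt injects a failure on one block index (-1 = none).
type FakeBlobService struct {
	mu        sync.Mutex
	Staged    map[string]map[string][]byte // blob -> block ID -> data
	Committed map[string][]byte
	FailAt    int
}

func NewFakeBlobService(failAt int) *FakeBlobService {
	return &FakeBlobService{Staged: map[string]map[string][]byte{}, Committed: map[string][]byte{}, FailAt: failAt}
}

func (s *FakeBlobService) StageBlock(blob, id string, idx int, data []byte) error {
	if idx == s.FailAt {
		return fmt.Errorf("stage block %d of %s: injected network error", idx, blob)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.Staged[blob] == nil {
		s.Staged[blob] = map[string][]byte{}
	}
	s.Staged[blob][id] = append([]byte(nil), data...)
	return nil
}

// CommitBlockList assembles the blob from the ordered ID list; only now does it
// exist for readers, and its blocks stop being "uncommitted".
func (s *FakeBlobService) CommitBlockList(blob string, ids []string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	var out []byte
	for _, id := range ids {
		b, ok := s.Staged[blob][id]
		if !ok {
			return fmt.Errorf("commit %s: block %s was never staged", blob, id)
		}
		out = append(out, b...)
	}
	s.Committed[blob] = out
	delete(s.Staged, blob)
	return nil
}

// UploadStream reads blockSize chunks, stages at most Concurrency at a time, and
// commits the ordered block list only if every stage succeeded; on failure nothing is committed.
func UploadStream(svc *FakeBlobService, blob string, r io.Reader, blockSize int) error {
	var failed atomic.Bool
	var firstErr error // written only by the goroutine that wins the CAS below
	report := func(err error) { if failed.CompareAndSwap(false, true) { firstErr = err } }
	sem := make(chan struct{}, Concurrency) // bounds in-flight stage calls
	var wg sync.WaitGroup
	var ids []string // stream order, whatever order the goroutines finish in
	for idx := 0; !failed.Load(); idx++ { // stop dispatching once something failed
		buf := make([]byte, blockSize)
		n, err := io.ReadFull(r, buf)
		if n > 0 {
			// Azure block IDs are base64 and must be equal-length within one blob.
			id := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%08d", idx)))
			ids = append(ids, id)
			sem <- struct{}{}
			wg.Add(1)
			go func(idx int, data []byte) {
				defer wg.Done()
				defer func() { <-sem }()
				if err := svc.StageBlock(blob, id, idx, data); err != nil {
					report(err)
				}
			}(idx, buf[:n])
		}
		if err == io.EOF || err == io.ErrUnexpectedEOF {
			break // final (possibly short) block dispatched
		}
		if err != nil {
			report(err)
		}
	}
	wg.Wait()
	if firstErr != nil {
		return firstErr
	}
	return svc.CommitBlockList(blob, ids)
}
```

Call it as `UploadStream(svc, "reports/daily/sales.csv", file, DefaultBlockSize)`; the block IDs are recorded in stream order by the producer, not by the goroutines, so out-of-order completion cannot scramble the committed blob.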
Prefix and path resolution
The effective blob key for a file is:

```
<partner.prefix>/<flow.target/source.path>/<filename>
```

All segments are normalized — leading/trailing slashes are stripped and double slashes are collapsed.
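The normalization rule above is small but easy to get subtly wrong (a stray leading slash produces a key under an empty first segment, which a listing under the expected prefix will never return). This is an added example, not Xferity's code, of the key and list-prefix derivation as the page states it; `BlobKey` and `ListPrefix` are names chosen for the example. `ListPrefix` goes one step beyond the text by deriving the prefix a download flow would enumerate under, which is the same join without the file name.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeSegment strips leading/trailing slashes and collapses runs of
// slashes, as the page specifies for every segment of the key.
func normalizeSegment(s string) string {
	s = strings.Trim(s, "/")
	for strings.Contains(s, "//") {
		s = strings.ReplaceAll(s, "//", "/")
	}
	return s
}

// joinSegments normalizes each segment and drops the empty ones, so an unset
// partner prefix or flow path never leaves a stray "/" in the result.
func joinSegments(segments ...string) string {
	var parts []string
	for _, seg := range segments {
		if n := normalizeSegment(seg); n != "" {
			parts = append(parts, n)
		}
	}
	return strings.Join(parts, "/")
}

// BlobKey is <partner.prefix>/<flow path>/<filename> after normalization.
func BlobKey(partnerPrefix, flowPath, filename string) string {
	return joinSegments(partnerPrefix, flowPath, filename)
}

// ListPrefix is the prefix a download flow enumerates under: the same two
// leading segments with a trailing "/" so "uploads" does not also match
// "uploads-archive/...". With no prefix and no path it is "" (whole container).
func ListPrefix(partnerPrefix, flowPath string) string {
	p := joinSegments(partnerPrefix, flowPath)
	if p == "" {
		return ""
	}
	return p + "/"
}

func main() {
	// Values from the upload flow example on this page.
	fmt.Println(BlobKey("reports/", "reports/daily", "sales.csv"))
	// Constructed inputs with sloppy slashes and an empty prefix.
	fmt.Println(BlobKey("", "/uploads//2024/", "a.xml"))
	fmt.Println(ListPrefix("uploads/", "uploads/"))
}
```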
Hardened mode behavior
In hardened mode, Azure Blob credential fields must use secret references:
- account_key must be env:, file:, or vault: when set
- connection_string must be env:, file:, or vault: when set
Plaintext secrets are rejected at partner config load time.
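The hardened-mode rule above and the auth precedence stated in the configuration-fields section are both decisions a config loader makes before any network call. The following is an added example, not Xferity's loader, of those two checks over a struct mirroring the azure_blob fields; `AzureBlobConfig`, `ValidateHardened`, `AuthMode` and `LoadPartner` are names chosen for the example, and the mode strings it returns are likewise illustrative. It rejects a bare scheme such as `env:` with no name, and it reports every offending field rather than only the first so one failed load shows all the problems.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AzureBlobConfig mirrors the azure_blob fields documented on this page.
type AzureBlobConfig struct {
	AccountName      string
	AccountKey       string
	ConnectionString string
	Container        string
	UseDefaultChain  bool
}

// secretSchemes are the secret reference prefixes the page allows for credentials.
var secretSchemes = []string{"env:", "file:", "vault:"}

// isSecretRef reports whether v is a secret reference (a scheme followed by a
// non-empty locator) rather than a plaintext secret.
func isSecretRef(v string) bool {
	for _, scheme := range secretSchemes {
		if strings.HasPrefix(v, scheme) && len(v) > len(scheme) {
			return true
		}
	}
	return false
}

// ValidateHardened applies the hardened-mode rule: account_key and
// connection_string, when set, must be secret references. Every offending
// field is reported so a single load surfaces all problems.
func ValidateHardened(c AzureBlobConfig) error {
	var problems []string
	fields := map[string]string{"account_key": c.AccountKey, "connection_string": c.ConnectionString}
	for name, value := range fields {
		if value != "" && !isSecretRef(value) {
			problems = append(problems, name+" must be an env:, file: or vault: reference, not a plaintext secret")
		}
	}
	if len(problems) == 0 {
		return nil
	}
	sort.Strings(problems) // deterministic message regardless of map iteration order
	return fmt.Errorf("hardened mode rejected partner config: %s", strings.Join(problems, "; "))
}

// AuthMode applies the page's precedence: connection_string, then
// account_name + account_key, then DefaultAzureCredential (which still needs
// account_name). A config matching none of them is an error, never a guess.
func AuthMode(c AzureBlobConfig) (string, error) {
	switch {
	case c.ConnectionString != "":
		return "connection_string", nil
	case c.AccountName != "" && c.AccountKey != "":
		return "shared_key", nil
	case c.AccountName != "" && c.UseDefaultChain:
		return "default_chain", nil
	}
	return "", fmt.Errorf("no usable credentials: set connection_string, account_name + account_key, or account_name with use_default_chain: true")
}

// LoadPartner is the check sequence a loader would run at partner config load
// time: required fields, then (in hardened mode) secret references, then
// credential precedence. It returns the selected auth mode.
func LoadPartner(c AzureBlobConfig, hardened bool) (string, error) {
	if c.Container == "" {
		return "", fmt.Errorf("container is required")
	}
	if hardened {
		if err := ValidateHardened(c); err != nil {
			return "", err
		}
	}
	return AuthMode(c)
}
```

Note that the shared-key branch deliberately does not inspect the value of account_key beyond the reference check; resolving `env:`/`file:`/`vault:` references is a separate step that belongs after validation, so a misconfigured partner fails before any secret is ever read.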
Common failures
| Symptom | Likely cause |
|---|---|
| AuthenticationFailed | Wrong account key or expired SAS token |
| ResourceNotFound (container) | Container does not exist; create it before running flows |
| BlobNotFound | Blob was already deleted or prefix is wrong |
| Connection refused | Wrong endpoint_url or Azurite not running |
| AccountNameInvalid | Storage account name contains invalid characters |
| List returns empty | Wrong prefix or blobs are in a different path |
| Managed identity not resolved | VM has no assigned identity, or AZURE_CLIENT_ID not set for workload identity |