Roles & Permissions (Azure)

In order for Matillion ETL to detect Azure Blob Storage containers, additional credentials may be required. Matillion ETL can use either Instance Credentials or User Defined Credentials; the latter requires you to gather credentials from your Azure account and enter them into the Matillion ETL client.


Using Identities (Instance Credentials)

1. To use Instance Credentials, your Matillion ETL VM must already be set up. If you wish to use a User Identity (as opposed to a System Assigned Identity, which is unique to the VM) then you will need to search for the Managed Identities blade on the Azure Portal and set one up, if you have not already done so.

2. From the Azure Portal, browse to Virtual Machines, select the virtual machine that hosts your Matillion ETL instance, then select Identity from the menu.

  • If you wish to use a System Assigned Identity, select that tab and set the Status to On. Make note of the Object ID.
  • If you wish to use a User Assigned Identity, select User assigned and Add a User Identity of your choice. Make note of the User Identity name.


3. Now browse to Storage accounts on the Azure Portal and select the storage account(s) containing the Blob Storage that you want Matillion ETL to access.

4. Select Access control (IAM) and choose the Role of Owner from the dropdown.

  • For System Assigned Identities, set the Assign access to dropdown to Virtual Machine and select/search for the VM on which you turned on the System Assigned Identity.
  • For User Assigned Identities, set the Assign access to dropdown to Azure AD user, group, or application and select/search for the User Identity you assigned to your VM.
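The same Instance Credentials procedure, driven with the Azure CLI instead of the Portal, as an added example (this is not Matillion's documentation or code). Resource group, VM, identity and storage account names are placeholders; the role defaults to Owner, as the steps above specify, but is left as a parameter so that a narrower built-in role (for example Storage Blob Data Contributor) can be assigned instead where your access policy requires least privilege and you have confirmed Matillion ETL still discovers the containers with it. The final function lists the assignments the identity actually holds on the account, which is the check to run before handing the VM over.

```shell
#!/usr/bin/env sh
# Added example: enable a managed identity on the Matillion ETL VM and grant
# it a role on a storage account with the Azure CLI. All names are placeholders.
set -eu

# Step 2 (System Assigned): turn the identity on and print its principal
# (object) ID, the value the steps tell you to note.
enable_system_identity() {
  rg=$1; vm=$2
  az vm identity assign --resource-group "$rg" --name "$vm" \
    --query principalId -o tsv
}

# Step 1-2 (User Assigned): create the identity, attach it to the VM and
# print its principal ID.
enable_user_identity() {
  rg=$1; vm=$2; name=$3
  az identity create --resource-group "$rg" --name "$name" -o none
  id_res=$(az identity show --resource-group "$rg" --name "$name" --query id -o tsv)
  az vm identity assign --resource-group "$rg" --name "$vm" --identities "$id_res" -o none
  az identity show --resource-group "$rg" --name "$name" --query principalId -o tsv
}

# Step 3-4: role assignment scoped to the storage account. Owner is what the
# page uses; pass a fourth argument to assign a narrower role instead.
grant_storage_role() {
  principal=$1; rg=$2; account=$3; role=${4:-Owner}
  scope=$(az storage account show --resource-group "$rg" --name "$account" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "$scope" -o none
}

# Check: which roles does the identity hold on this account? Run it after the
# grant to confirm the assignment and to spot anything broader than intended.
list_storage_roles() {
  principal=$1; rg=$2; account=$3
  scope=$(az storage account show --resource-group "$rg" --name "$account" --query id -o tsv)
  az role assignment list --assignee "$principal" --scope "$scope" \
    --query "[].roleDefinitionName" -o tsv
}

# Run only when explicitly requested, so the functions can be sourced safely.
if [ "${RUN_AZURE_SETUP:-0}" = "1" ]; then
  pid=$(enable_system_identity my-rg matillion-vm)      # placeholder names
  grant_storage_role "$pid" my-rg mystorageacct Owner
  list_storage_roles "$pid" my-rg mystorageacct
fi
```

Run with `RUN_AZURE_SETUP=1 sh setup-identity.sh` after `az login`; the last command prints the role names the identity now holds on the account.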


Using Apps (User Defined Credentials)


Creating an App and Owning Storage Accounts

To add Storage Accounts to Matillion ETL, we must first create an App. This requires a user with the 'Application administrator' directory role.

1. From the Azure Portal navigate to Azure Active Directory → App registrations and click New application registration.

2. Give this new App any name and Sign-On URL. Ensure that Web app / API is selected for the Application type.



7. If you haven't already, add a Blob Storage resource to this storage account.

8. Return to the storage account and browse to Overview → Blobs. To add a new container, click the + Container button, give it a name and click OK.

Now, when you import details from your App into Matillion ETL, your client will be able to discover the containers in the storage accounts the App has ownership of. To use this App in your Matillion ETL client, see the next section.

Gathering Azure credentials

For a Matillion ETL instance to take advantage of Azure resources, you must provide three credentials: a Tenant ID, which is unique to your Azure account, and a Client ID and Secret Key, both of which are taken from a Registered App.

Tenant ID

From the Azure Portal, browse to Azure Active Directory → Properties and take the Directory ID as your Tenant ID.


Client ID

From the Azure Portal, browse to Azure Active Directory → App Registrations → Registered App and select the App associated with your desired Storage Accounts. Take the Application ID as your Client ID.

Secret Key

From the Azure Portal, browse to Azure Active Directory → App Registrations → Registered App. Select the App associated with your desired Storage Accounts, then navigate to Settings → Keys and create a new key for your instance.
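The App registration steps (Creating an App and Owning Storage Accounts) and the three values from Gathering Azure credentials, produced with the Azure CLI, as an added example that is not Matillion's documentation or code. The App display name, resource group and storage account are placeholders, and the App is created with a display name only (the Sign-On URL and application type fields belong to the Portal form and are not reproduced here, which is an assumption about your tenant's needs). In CLI output the Portal's Directory ID is `tenantId`, the Application ID is `appId`, and a new key's value is `password`; as in the Portal, that value is returned once, at creation, so capture it into your secrets store rather than a terminal scrollback.

```shell
#!/usr/bin/env sh
# Added example: register an App, make it owner of a storage account, and
# collect the Tenant ID, Client ID and Secret Key Matillion ETL asks for.
set -eu

# Step 1-2: register the App. The returned appId is the Application ID,
# i.e. the Client ID you enter into Matillion ETL.
register_app() {
  display_name=$1
  az ad app create --display-name "$display_name" --query appId -o tsv
}

# Owning Storage Accounts: assign the App the role on the storage account.
# --assignee accepts the App's appId, so no separate object-ID lookup is needed.
# Owner is the page's role; pass a fourth argument to assign a narrower one.
grant_app_owner() {
  app_id=$1; rg=$2; account=$3; role=${4:-Owner}
  scope=$(az storage account show --resource-group "$rg" --name "$account" --query id -o tsv)
  az role assignment create --assignee "$app_id" --role "$role" --scope "$scope" -o none
}

# Tenant ID: the directory of the signed-in account (Portal: Directory ID).
tenant_id() {
  az account show --query tenantId -o tsv
}

# Secret Key: add a new client secret to the App (Portal: Settings -> Keys).
# --append keeps existing keys, so rotating does not break a running instance;
# the secret value is printed once and never retrievable again.
new_client_secret() {
  app_id=$1
  az ad app credential reset --id "$app_id" --append --query password -o tsv
}

# Run only when explicitly requested, so the functions can be sourced safely.
if [ "${RUN_AZURE_SETUP:-0}" = "1" ]; then
  client_id=$(register_app matillion-etl-app)            # placeholder name
  grant_app_owner "$client_id" my-rg mystorageacct
  printf 'Tenant ID: %s\nClient ID: %s\n' "$(tenant_id)" "$client_id"
  secret=$(new_client_secret "$client_id")
  # $secret is the Secret Key for Matillion ETL; write it to your secrets
  # manager here instead of echoing it.
  : "$secret"
fi
```

Run with `RUN_AZURE_SETUP=1 sh setup-app.sh` after `az login` as a user holding the Application administrator role; rotate the key later by calling `new_client_secret` again with the same Client ID and updating Matillion ETL before removing the old key.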