Microsoft Azure Blob Storage

Who can use this feature?
- Available with Data Direct.
- Requires an admin or architect role to configure.

Data Direct functionality will soon become a part of Fullstory Anywhere. To learn more about upcoming changes to Fullstory's product offerings, please visit this page.

Introduction

Microsoft Azure Blob Storage is an object storage service offering industry-leading scalability, data availability, security, and performance. With our Data Direct integration, you can sync Fullstory's structured, behavioral event data directly to Azure Blob Storage so it can be ingested into Azure Data Factory or other pipelines.

Developer documentation

Looking for developer documentation related to Azure Blob Storage destination in Fullstory? See Azure Blob Storage in the Fullstory developer portal.

Enabling the Azure Blob Storage integration

Manual Configuration

Notes:
Fullstory should only be granted access to read/write the data that we will be managing as part of this sync.

Blob Storage Setup Instructions

Step 1: Create a Storage Account

You can create a new Storage Account by navigating to Storage Accounts.

  1. Select Create.
  2. Name your subscription and select instance details depending on your preferences.

Step 2: Create a Blob Storage container

  1. Navigate to Data Storage > Containers.
  2. Click Add Container.
  3. Choose the desired name. This will act as the top-level directory for Fullstory Blob Storage syncs.

Setup Roles and Policies

Fullstory uses Azure Federated Identity Credentials on Azure Managed Identities to provide authentication for our Google Service Accounts to upload data securely. These roles should not be permitted to access any other data. The following instructions assume a subscription to an Azure Storage Account.

Fullstory’s services will use these federated credentials to assume the roles with Fullstory service account IDs listed below.

  1. Navigate to Managed Identities and select Create.
    1. Use an existing Resource Group or create a new one as desired.
    2. Ensure roles are set for either owner or contributor of the managed identity.
  2. Configure a federated credential on your managed identity. Use either the Azure Portal or the Azure Command-Line Interface (AZ CLI) to create the federated credential using the following Fullstory service account IDs (if your Fullstory org ID has eu1 in it, then you are a European customer):

For North American customers:

116984388253902328461

For European customers:

107589159240321051166
    1. Option 1 (Azure Portal):
      1. Navigate to Managed Identities.
      2. Add a Role Assignment
        1. Select the desired identity and click Add Role Assignment.
        2. Select Storage scope.
        3. Select the resource of the Storage Account (corresponding to the Storage Container created in Blob Storage Setup Instructions above).
        4. Set Role as Storage Blob Data Contributor.
      3. Create federated credential on the managed identity to allow Fullstory’s GCP services to authenticate blob storage syncs.
        1. Click Settings > Federated credentials.
        2. Click Add Federated Credential.
        3. Click "Other" for Federated credential scenario.
        4. Set Issuer URL as https://accounts.google.com.
        5. Set Subject identifier as the Fullstory service account ID for the desired environment listed above.
        6. Keep Audience as api://AzureADTokenExchange and provide a name for the credential.
        7. Click Add.
    2. Option 2 (Azure Command-Line Interface):
      1. Install the Azure CLI.
      2. Run federated-credential creation using Fullstory’s service account IDs from above:

         az identity federated-credential create --name myIdentityCredentialName --identity-name myIdentityName --resource-group myResourceGroup --issuer https://accounts.google.com --subject <Unique ID for Google service account> --audience api://AzureADTokenExchange
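
To confirm that the managed identity trusts only the issuer, subject and audience given above and holds only the documented role, the following added example (not Fullstory's code) audits exported configuration. It assumes JSON shaped like the output of `az identity federated-credential list` and `az role assignment list`; the resource IDs, names and the "leftover" credential are constructed.

```python
# Added example: audit exported Azure CLI JSON for the Fullstory sync identity.
# Field names are assumed to follow the az CLI list output; sample values are constructed.
FULLSTORY_SUBJECTS = {"116984388253902328461": "NA", "107589159240321051166": "EU"}
EXPECTED_ISSUER = "https://accounts.google.com"
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"
EXPECTED_ROLE = "Storage Blob Data Contributor"

def audit_credentials(creds):
    """Flag federated credentials that trust anything but the documented values."""
    findings = []
    for c in creds:
        name = c.get("name", "<unnamed>")
        if c.get("issuer") != EXPECTED_ISSUER:
            findings.append(f"{name}: unexpected issuer {c.get('issuer')!r}")
        if c.get("subject") not in FULLSTORY_SUBJECTS:
            findings.append(f"{name}: subject {c.get('subject')!r} is not a listed Fullstory ID")
        if c.get("audiences") != [EXPECTED_AUDIENCE]:
            findings.append(f"{name}: unexpected audiences {c.get('audiences')!r}")
    return findings

def audit_role_assignments(assignments, storage_account_id):
    """Flag roles other than the documented one, or scopes beyond the storage account."""
    findings = []
    base = storage_account_id.lower().rstrip("/")
    for a in assignments:
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role != EXPECTED_ROLE:
            findings.append(f"unexpected role {role!r} at {scope}")
        s = scope.lower().rstrip("/")
        if s != base and not s.startswith(base + "/"):
            findings.append(f"{role!r} granted outside the storage account: {scope}")
    return findings

# Constructed sample data: placeholder subscription, resource group and names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT_ID = SUB + "/resourceGroups/example-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount"
SAMPLE_CREDS = [
    {"name": "fullstory-na", "issuer": EXPECTED_ISSUER, "subject": "116984388253902328461",
     "audiences": [EXPECTED_AUDIENCE]},
    {"name": "leftover", "issuer": EXPECTED_ISSUER, "subject": "000000000000000000000",
     "audiences": [EXPECTED_AUDIENCE]},
]
SAMPLE_ROLES = [{"roleDefinitionName": EXPECTED_ROLE, "scope": ACCOUNT_ID},
                {"roleDefinitionName": EXPECTED_ROLE, "scope": SUB}]

if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CREDS) + audit_role_assignments(SAMPLE_ROLES, ACCOUNT_ID):
        print("FINDING:", f)
```

A container-level scope under the same storage account passes the scope check; a subscription or resource group scope is reported.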

Setting a network exception (optional)

In some cases, Azure Storage Accounts are only enabled from selected virtual networks and IP addresses. To allow-list Fullstory to connect to the provided Azure instance, the CIDR block for the IP addresses can be used:

  • NA: 8.35.195.0/29
  • EU: 34.89.210.80/29

To create the network policy and apply it to the Fullstory Azure user, follow these instructions:

  1. Navigate to your Storage Account.
  2. Click on Security + Networking > Networking.
  3. Under Firewall > Address Range, add the CIDR block from the list above.

Enabling the Azure Blob Storage Integration in Fullstory

Now that all of the resources have been created, all that is left is to provide Fullstory with the correct identifiers to make a secure connection to load data.

  1. In Fullstory, navigate to Settings > Integrations > Destinations.
  2. Click Install next to the Azure Blob Storage option.
  3. Using the values recorded in the previous steps, fill in the form. See additional notes below regarding the Container Path Prefix and Storage Account URL fields.
    Container Path Prefix

    For the Container Path Prefix, only the top-level container name is required in this field. You may optionally provide a directory path after the container name.

    Once setup is complete, the events parquet file will be created using the following path structure:

    fullstory_<org_id>/events/ingested_time=yyyy-MM-dd HH:mm:ss/<file_name>.parquet

    You can specify a container without an additional path. For example, if mycontainer is specified as the Container Path Prefix, the events parquet file will be created at:

    mycontainer/fullstory_<org_id>/events/ingested_time=yyyy-MM-dd HH:mm:ss/<file_name>.parquet

    You can also specify a container with additional directories in the path. For example, if mycontainer/sub/directory is specified as the Container Path Prefix, the events parquet file will be created at:

    mycontainer/sub/directory/fullstory_<org_id>/events/ingested_time=yyyy-MM-dd HH:mm:ss/<file_name>.parquet

    If successful, a .perm_verify file will be uploaded into the container provided as a confirmation.

    Storage Account URL

    The expected structure for Storage Account URL is the base default endpoint for your storage container, with the following structure: https://<hostname>.

    For example, if your storage account is named mystorageaccount, then the Storage Account URL would be https://mystorageaccount.blob.core.windows.net
  4. Click Save.

After saving, data will flow into your storage container path within an hour.
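
To check a listing against the path structure described under Container Path Prefix before a pipeline ingests it, the following added example (not Fullstory's code) parses each path and reports those that do not match. It assumes paths are written as container name plus blob name, as in the article; the org ID and file names are constructed placeholders.

```python
import re
from datetime import datetime

# Layout from the article, relative to the Container Path Prefix:
#   fullstory_<org_id>/events/ingested_time=yyyy-MM-dd HH:mm:ss/<file_name>.parquet
_EVENT_BLOB = re.compile(
    r"fullstory_(?P<org_id>[^/]+)/events/"
    r"ingested_time=(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})/"
    r"(?P<file>[^/]+\.parquet)"
)


def parse_event_blob(container_path_prefix, blob_path):
    """Return (org_id, ingested_time, file_name) for a well-formed events path, else None."""
    prefix = container_path_prefix.strip("/") + "/"
    if not blob_path.startswith(prefix):
        return None  # written outside the configured prefix
    m = _EVENT_BLOB.fullmatch(blob_path[len(prefix):])
    if m is None:
        return None  # extra directories, wrong extension or malformed partition
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None  # digits in the right places but not a real date or time
    return m["org_id"], ts, m["file"]


def unexpected_blobs(container_path_prefix, blob_paths):
    """Return the paths that do not match the documented events layout."""
    return [p for p in blob_paths if parse_event_blob(container_path_prefix, p) is None]


# Constructed sample listing (org ID and file names are placeholders).
SAMPLE_PATHS = [
    "mycontainer/sub/directory/fullstory_EXAMPLEORG/events/ingested_time=2024-09-30 10:00:00/part-0.parquet",
    "mycontainer/sub/directory/fullstory_EXAMPLEORG/events/ingested_time=2024-13-40 10:00:00/part-1.parquet",
    "mycontainer/other/fullstory_EXAMPLEORG/events/ingested_time=2024-09-30 10:00:00/part-2.parquet",
]

if __name__ == "__main__":
    for p in unexpected_blobs("mycontainer/sub/directory", SAMPLE_PATHS):
        print("unexpected:", p)
```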

FAQ

Can you set up more than one data destination in your account?
Yes. Repeat setup steps for different destinations as needed.

Do you have developer documentation for the Azure Blob Storage data destination?
Yes. See Azure Blob Storage in the Fullstory developer portal.

