Azure Blob Storage

DatoCMS allows you to use your own Azure and Imgix accounts to store your project assets. This allows to be in total control of your data, and to offer a custom CDN domain for your assets — which, by default is www.datocms-assets.com for every project.

How to activate a custom Azure Blob Storage for your DatoCMS project

To store your DatoCMS assets in a custom Azure Blob Storage container please follow these steps:

Create a new container

Inside your Microsoft Azure dashboard:

1. Enter the Storage accounts service

2. Select the storage account where you want to create a new container (or create a new one)

3. Enter the Data Storage > Containers section

4. Create a new container

Enable CORS on storage account

Inside your Microsoft Azure dashboard:

1. Enter the Storage accounts service

2. Select the storage account where you want to create a new container

3. Enter the Settings > Resource sharing (CORS) section

Add the following settings, then press Save:

• Allowed origins: *

• Allowed methods: PUT

• Allowed headers: content-type,x-ms-blob-type

Create a new Application

Inside your Microsoft Azure dashboard:

1. Enter the Microsoft Entra ID service

2. Enter the Manage > App Registrations section

3. Press the New registration button

4. Give a name to the new application (ie. DatoCMS Custom Storage)

5. Press the Register button

6. Enter the Manage > Certificate & secrets section

7. Select the Client secrets tab

8. Press the New client secret button

9. Specify 730 days (24 months) in the Expires field

10. Press the Add button

11. Copy the Value of the secret

Now go back to the Overview section, and copy the Directory (tenant) ID and Application (client) ID:

Create a custom role

Inside your Microsoft Azure dashboard:

1. Enter the Storage accounts service

2. Select the storage account where you want to create a new container

3. Enter the Access Control (IAM) section

4. Select the Roles tab

5. Search the "Storage Blob Data Reader" role, and select Clone

Inside the Create a custom role modal flow, edit the role to apply the following characteristics, making sure to replace the <ID>, <SUBSCRIPTION_ID> and <STORAGE_ACCOUNT_ID> with the correct values:

1
{
2
    "id": "<ID>",
3
    "properties": {
4
        "roleName": "Storage Blob Data Reader and Writer",
5
        "description": "",
6
        "assignableScopes": [
7
            "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/DatoCMS-Integration-Test/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_ID>"
8
        ],
9
        "permissions": [
10
            {
11
                "actions": [
12
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
13
                ],
14
                "notActions": [],
15
                "dataActions": [
16
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
17
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
18
                ],
19
                "notDataActions": []
20
            }
21
        ]
22
    }
23
}

Assign the role to the application

Inside your Microsoft Azure dashboard:

1. Enter the Storage accounts service

2. Select the storage account where you want to create a new container

3. Enter the Access Control (IAM) section

4. Select Add > Add role assignment

5. Under the Role tab, select the newly created Storage Blob Data Reader and Writer role

6. Select Next

7. Under the Members tab, press Select members, and choose the DatoCMS Custom Storage application

8. Under the Conditions tab, press Add condition

9. Under Editor type, select Code

Now inside the code editor, paste the following code, making sure to replace <CONTAINER_NAME> with the name of your container:

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
 )
 OR
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '<CONTAINER_NAME>'
 )

Select Save, then Review + assign.

Create an Imgix source

Go to Imgix and create a new account. Create a new source, and link it to the Azure container you just created.

Adding a custom domain

If you're not satisfied with the default Imgix subdomain (ie. https://your-source.imgix.net) you can add a custom domain to the Imgix source, then configure your domain DNS settings so that its CNAME record points to your-source.imgix.net:

Enable HTTPS for the Imgix source

DatoCMS requires HTTPS for custom domains. There are two different ways you can enable it. The first one is to request an HTTP certificate to Imgix. From the Imgix documentation:

By default, you will only be able to use the custom subdomain with http. Using https requires an SSL certificate through our CDN partner and incurs additional fees—please contact Imgix Support to set this up.

Alternatively, to get HTTPS for free, you can use Cloudflare on top of Imgix. This is a cheaper alternative, but requires changing your original domain nameservers to the Cloudflare nameservers, which is something you might not want, and might have some impacts in the way assets are returned.

Send request for custom uploads to DatoCMS support

Once everything is ready, send an email to support@datocms.com and request the change. These are the information we'll ask you for:

• The name of your Azure Storage Account

• The name of your Container

• The Directory (tenant) ID, Application (client) ID and Client Secret Value of your Azure Application

• The Imgix domain (ie. your-source.imgix.net or assets.superduper.com)

Together we'll schedule a maintenance window where we'll transfer every assets already uploaded to your Project to the new Azure container, and enable the custom domain.

From then on all new assets you upload will be stored in your Azure Blob Storage container, and will be available from your custom Imgix domain.