Azure Integrations
Spice.ai integrates with Microsoft Azure for data federation, AI inference, embeddings, and authentication. This page consolidates Azure-compatible components and links to the relevant configuration guides.
Data Connectors
Data connectors federate SQL queries across Azure data sources without data movement.
| Connector | Description | Documentation |
|---|---|---|
| Azure Blob Storage / ADLS Gen2 | Query Parquet, CSV, and JSON files in Azure Blob Storage or ADLS Gen2 using the abfs:// scheme. | ABFS Data Connector |
| Azure SQL Database / SQL Server | Connect to Azure SQL Database, Azure SQL Managed Instance, and SQL Server VMs. | MSSQL Data Connector |
| Azure Database for PostgreSQL | Connect to flexible server and single server deployments using the PostgreSQL connector. | PostgreSQL Data Connector |
| Azure Database for MySQL | Connect to flexible server deployments using the MySQL connector. | MySQL Data Connector |
| Azure Databricks | Query Databricks tables on Azure using SQL Warehouse or Spark Connect. | Databricks Data Connector |
| Apache Iceberg (ADLS) | Query Iceberg tables stored in ADLS Gen2 with REST or Unity Catalog metadata. | Iceberg Data Connector |
| Delta Lake (ADLS) | Query Delta Lake tables stored in ADLS Gen2 or Azure Blob Storage. | Delta Lake Data Connector |
| Microsoft SharePoint | Index and query documents from SharePoint sites and OneDrive for Business with Microsoft Entra ID authentication. | SharePoint Data Connector |
| Azure-hosted databases via ODBC | Connect through ODBC drivers for additional Azure-compatible data sources. | ODBC Data Connector |
Example: Azure Blob Storage (ABFS)
datasets:
- from: abfs://[email protected]/path/to/data/
name: events
params:
file_format: parquet
abfs_account: account
abfs_use_emulator: 'false'
Example: Azure SQL Database
datasets:
- from: mssql:dbo.orders
name: orders
params:
mssql_connection_string: |
Server=tcp:my-server.database.windows.net,1433;
Database=mydb;
Authentication=Active Directory Default;
Encrypt=True;
Example: Azure Databricks
datasets:
- from: databricks:catalog.schema.table
name: orders
params:
mode: spark_connect
databricks_endpoint: my-workspace.azuredatabricks.net
databricks_token: ${ secrets:DATABRICKS_TOKEN }
Catalog Connectors
Catalog connectors provide schema discovery and unified access to tables in Azure data catalogs.
| Connector | Description | Documentation |
|---|---|---|
| Databricks Unity Catalog | Discover and query tables governed by Unity Catalog on Azure Databricks. Supports Azure Blob authentication for table data. | Unity Catalog |
| Databricks Catalog | Connect to Azure Databricks as a catalog source for federated queries. | Databricks Catalog |
Example: Unity Catalog with Azure Blob
catalogs:
- from: unity_catalog
name: my_catalog
params:
unity_catalog_endpoint: https://my-workspace.azuredatabricks.net
unity_catalog_token: ${ secrets:DATABRICKS_TOKEN }
unity_catalog_azure_storage_account_name: mystorageacct
unity_catalog_azure_storage_client_id: ${ secrets:AZURE_CLIENT_ID }
unity_catalog_azure_storage_client_secret: ${ secrets:AZURE_CLIENT_SECRET }
AI Models (Azure OpenAI)
Spice integrates with Azure OpenAI Service for chat completion and reasoning models, including GPT-4 family, GPT-5, and o-series models.
| Provider | Supported Models | Documentation |
|---|---|---|
| Azure OpenAI | GPT-4, GPT-4o, GPT-5, o-series, and other deployments. | Azure OpenAI Models |
Example: Azure OpenAI Chat Model
models:
- from: azure:gpt-4o
name: gpt
params:
endpoint: ${ secrets:SPICE_AZURE_AI_ENDPOINT }
azure_deployment_name: gpt-4o
azure_api_version: 2024-08-01-preview
azure_api_key: ${ secrets:SPICE_AZURE_API_KEY }
For Microsoft Entra ID authentication instead of an API key, set azure_entra_token in place of azure_api_key.
Secret Stores
Spice resolves secrets at runtime from configured secret stores. For Azure deployments, the azure_keyvault store reads secrets directly from Azure Key Vault, so Spicepods can reference connector and model credentials without baking them into environment variables or values.yaml.
| Provider | Supported Auth Methods | Documentation |
|---|---|---|
| Azure Key Vault | service_principal, managed_identity, workload_identity, cli, default. | Azure Key Vault Secret Store |
Example: Azure Key Vault Secret Store
secrets:
- from: azure_keyvault:prod-vault
name: azure
params:
auth_method: workload_identity
datasets:
- from: postgres:public.taxi_trips
name: taxi_trips
params:
pg_host: postgres.example.com
pg_user: ${azure:postgres_user}
pg_pass: ${azure:postgres_password}
Logical key names use underscores; the store automatically translates them to Key Vault names like spice-postgres-user (with a fallback to postgres-user). Pair azure_keyvault with AKS workload identity or a Container Apps managed identity so the runtime authenticates without long-lived credentials.
Embeddings (Azure OpenAI)
Generate vector embeddings using Azure OpenAI deployments for semantic search and retrieval-augmented generation (RAG).
| Provider | Supported Models | Documentation |
|---|---|---|
| Azure OpenAI | text-embedding-3-small, text-embedding-3-large, text-embedding-ada-002. | Azure OpenAI Embeddings |
Example: Azure OpenAI Embeddings
embeddings:
- from: azure:text-embedding-3-small
name: azure_embed
params:
endpoint: ${ secrets:SPICE_AZURE_AI_ENDPOINT }
azure_deployment_name: text-embedding-3-small
azure_api_version: 2023-05-15
azure_api_key: ${ secrets:SPICE_AZURE_API_KEY }
Refer to the Azure OpenAI Service models for the full list of supported models and regions.
Authentication
All Azure integrations support the standard Azure Identity DefaultAzureCredential chain. When credentials are not explicitly configured, Spice attempts the following in order:
- Environment variables — service principal (
AZURE_CLIENT_ID,AZURE_TENANT_ID,AZURE_CLIENT_SECRET), certificate (AZURE_CLIENT_CERTIFICATE_PATH), or username/password. - Workload Identity — federated tokens on AKS via
AZURE_FEDERATED_TOKEN_FILE. See Workload Identity for AKS. - Managed Identity — system-assigned or user-assigned identities on Azure VMs, AKS, Container Apps, and ACI. See Managed identities for Azure resources.
- Azure CLI — cached credentials from a local
az loginsession. - Azure Developer CLI / Azure PowerShell — used when the corresponding CLI is signed in.
For a deployment-side overview of these mechanisms, see the Authentication section of the Azure deployment guide.
Role Assignments
Each principal must have the appropriate Azure RBAC role for the services it accesses:
| Service | Common role(s) |
|---|---|
| Azure Blob Storage / ADLS Gen2 | Storage Blob Data Reader or Storage Blob Data Contributor |
| Azure Key Vault | Key Vault Secrets User (data plane) or RBAC equivalent |
| Azure SQL Database | Database-level role assignments granted to the Entra principal |
| Azure OpenAI | Cognitive Services OpenAI User |
| Azure Container Registry | AcrPull for image pulls |
When a Spicepod connects to multiple Azure services, ensure roles are granted on every resource the runtime touches.
Cookbooks
- Azure OpenAI Models — vector search and chat over structured and unstructured data with Azure OpenAI.
