Skip to main content
prefect-azure makes it easy to leverage the capabilities of Azure in your workflows. For example, you can retrieve secrets, read and write Blob Storage objects, and deploy your flows on Azure Container Instances (ACI).

Getting started

Prerequisites

  • An Azure account and the necessary permissions to access desired services.

Install prefect-azure

The following command will install a version of prefect-azure compatible with your installed version of prefect. If you don’t already have prefect installed, it will install the newest version of prefect as well.
Upgrade to the latest versions of prefect and prefect-azure:
If necessary, see additional installation options for Blob Storage, Cosmos DB, and ML Datastore. To install prefect-azure with all additional capabilities, run the install command above and then run the following command:

Register newly installed block types

Register the block types in the module to make them available for use.

Examples

Download a blob

Use with_options to customize options on any existing task or flow:

Using Service Principal Authentication

Azure Blob Storage credentials support Service Principal Name (SPN) authentication for secure access to your storage account.
Create an AzureBlobStorageCredentials block with your service principal credentials:
Then reference this block in your prefect.yaml deployment steps:
When all three SPN fields (tenant_id, client_id, client_secret) are provided, the credentials will use ClientSecretCredential for authentication. If any SPN fields are missing, it will fall back to DefaultAzureCredential.

Run flows on Azure Container Instances

Run flows on Azure Container Instances (ACI) to dynamically scale your infrastructure. See the Azure Container Instances Worker Guide for a walkthrough of using ACI in a hybrid work pool. If you’re using Prefect Cloud, ACI push work pools provide all the benefits of ACI with a quick setup and no worker needed.

Managed Identity Authentication for PostgreSQL (Experimental)

prefect-azure includes a plugin that authenticates the Prefect server to Azure Database for PostgreSQL using a Microsoft Entra ID token from a managed identity, so no database password is stored anywhere. The token is acquired via DefaultAzureCredential and supplied to the database driver on every new connection, so short-lived tokens are refreshed automatically.

Prerequisites

Before using managed identity authentication, configure Azure:
  1. Enable Microsoft Entra authentication on your Azure Database for PostgreSQL flexible server.
  2. Create a database principal for the identity and grant it access, using the pgaadauth extension while connected as an Entra administrator:
  3. Make the identity available to the Prefect server — a user-assigned or system-assigned managed identity when running in Azure, or your az login identity when developing locally (both are resolved by DefaultAzureCredential).

Enable the Plugin

  1. Enable the plugin system:
  2. Enable managed identity authentication:
  3. (Optional) Select a specific user-assigned identity by client ID:
  4. Configure a password-less database connection URL (the plugin supplies the token):
The plugin will automatically acquire and inject a Microsoft Entra token as the password when connecting to the database.

Resources

For assistance using Azure, consult the Azure documentation. Refer to the prefect-azure SDK Reference to explore all the capabilities of the prefect-azure library.

Additional installation options

First install the main library compatible with your prefect version:
Then install the additional capabilities you need. To use Blob Storage:
To use Cosmos DB:
To use ML Datastore: