Edit on GitHub

Microsoft Azure Blob Storage

Start with dvc remote add to define the remote. Set a name and a valid Azure Blob Storage URL:

$ dvc remote add -d myremote azure://<mycontainer>/<path>

To set up authentication or other configuration, set any supported config param with dvc remote modify.

Cloud versioning

Requires Blob versioning enabled on the storage account and container.

$ dvc remote modify myremote version_aware true

version_aware (true or false) enables cloud versioning features for this remote. This lets you explore the bucket files under the same structure you see in your project directory locally.


This may require the Storage Blob Data Contributor and other roles on the account.

A storage account name (account_name) is always needed. DVC tries to authenticate with its default credential by default. This uses environment variables (usually set during Azure CLI configuration) or data from certain Microsoft applications.

$ dvc remote modify myremote account_name 'mystorage'

When using default authentication, you may need to enable some of these exclusion parameters depending on your setup (details):

$ dvc remote modify --system myremote \
             exclude_environment_credential true
$ dvc remote modify --system myremote \
             exclude_visual_studio_code_credential true
$ dvc remote modify --system myremote \
             exclude_shared_token_cache_credential true
$ dvc remote modify --system myremote \
             exclude_managed_identity_credential true

For custom authentication, you can set the following config params with dvc remote modify --local, use environment variables, or an Azure CLI config file (in that order).

Authenticate with DVC configuration parameters

The following params are listed in the order in which they are tried.

  • A connection string (connection_string) is used if given (recommended) (account_name is ignored since it's included in the connection string).

    $ dvc remote modify --local myremote \
                                connection_string 'mysecret'
  • If tenant_id, client_id, and client_secret are given, Active Directory (AD) service principal auth is used.

    $ dvc remote modify --local myremote tenant_id 'mytenant'
    $ dvc remote modify --local myremote client_id 'myclient'
    $ dvc remote modify --local myremote client_secret 'mysecret'
  • A storage account key (account_key) or a shared access signature token (sas_token), in this order.

    $ dvc remote modify --local myremote account_key 'mysecret'
    $ dvc remote modify --local myremote sas_token 'mysecret'
  • If allow_anonymous_login is set, then anonymous read access will be tried as a last resort. An account_name is still needed. Only works with public containers.

    $ dvc remote modify myremote allow_anonymous_login true

Authenticate with environment variables

Some of these env vars can be used instead.

For Azure connection string:


For account name and key/token auth:

$ export AZURE_STORAGE_ACCOUNT='myaccount'
# and
$ export AZURE_STORAGE_KEY='mysecret'
# or
$ export AZURE_STORAGE_SAS_TOKEN='mysecret'

For service principal auth (via certificate file):

$ export AZURE_TENANT_ID='directory-id'
$ export AZURE_CLIENT_ID='client-id'
$ export AZURE_CLIENT_CERTIFICATE_PATH='/path/to/certificate'

For simple username/password login:

$ export AZURE_CLIENT_ID='client-id'
$ export AZURE_USERNAME='myuser'
$ export AZURE_PASSWORD='mysecret'

Authenticate with an Azure CLI config file

If no params or env vars are set explicitly, the following values can propagate from an Azure CLI configuration file (typically managed with az config): connection_string, account_name, account_key, sas_token and container_name.

More configuration parameters

See dvc remote modify for more command usage details.

  • url - modify the remote location (scroll up for details)

🐛 Found an issue? Let us know! Or fix it:

Edit on GitHub

Have a question? Join our chat, we will help you:

Discord Chat