Version: Next

Azure Integrations

Spice.ai integrates with Microsoft Azure for data federation, AI inference, embeddings, and authentication. This page consolidates Azure-compatible components and links to the relevant configuration guides.

Data Connectors

Data connectors federate SQL queries across Azure data sources without data movement.

Connector	Description	Documentation
Azure Blob Storage / ADLS Gen2	Query Parquet, CSV, and JSON files in Azure Blob Storage or ADLS Gen2 using the `abfs://` scheme.	ABFS Data Connector
Azure SQL Database / SQL Server	Connect to Azure SQL Database, Azure SQL Managed Instance, and SQL Server VMs.	MSSQL Data Connector
Azure Database for PostgreSQL	Connect to flexible server and single server deployments using the PostgreSQL connector.	PostgreSQL Data Connector
Azure Database for MySQL	Connect to flexible server deployments using the MySQL connector.	MySQL Data Connector
Azure Databricks	Query Databricks tables on Azure using SQL Warehouse or Spark Connect.	Databricks Data Connector
Apache Iceberg (ADLS)	Query Iceberg tables stored in ADLS Gen2 with REST or Unity Catalog metadata.	Iceberg Data Connector
Delta Lake (ADLS)	Query Delta Lake tables stored in ADLS Gen2 or Azure Blob Storage.	Delta Lake Data Connector
Microsoft SharePoint	Index and query documents from SharePoint sites and OneDrive for Business with Microsoft Entra ID authentication.	SharePoint Data Connector
Azure-hosted databases via ODBC	Connect through ODBC drivers for additional Azure-compatible data sources.	ODBC Data Connector

Example: Azure Blob Storage (ABFS)

datasets:
  - from: abfs://[email protected]/path/to/data/
    name: events
    params:
      file_format: parquet
      abfs_account: account
      abfs_use_emulator: 'false'

Example: Azure SQL Database

datasets:
  - from: mssql:dbo.orders
    name: orders
    params:
      mssql_connection_string: |
        Server=tcp:my-server.database.windows.net,1433;
        Database=mydb;
        Authentication=Active Directory Default;
        Encrypt=True;

Example: Azure Databricks

datasets:
  - from: databricks:catalog.schema.table
    name: orders
    params:
      mode: spark_connect
      databricks_endpoint: my-workspace.azuredatabricks.net
      databricks_token: ${ secrets:DATABRICKS_TOKEN }

Catalog Connectors

Catalog connectors provide schema discovery and unified access to tables in Azure data catalogs.

Connector	Description	Documentation
Databricks Unity Catalog	Discover and query tables governed by Unity Catalog on Azure Databricks. Supports Azure Blob authentication for table data.	Unity Catalog
Databricks Catalog	Connect to Azure Databricks as a catalog source for federated queries.	Databricks Catalog

Example: Unity Catalog with Azure Blob

catalogs:
  - from: unity_catalog
    name: my_catalog
    params:
      unity_catalog_endpoint: https://my-workspace.azuredatabricks.net
      unity_catalog_token: ${ secrets:DATABRICKS_TOKEN }
      unity_catalog_azure_storage_account_name: mystorageacct
      unity_catalog_azure_storage_client_id: ${ secrets:AZURE_CLIENT_ID }
      unity_catalog_azure_storage_client_secret: ${ secrets:AZURE_CLIENT_SECRET }

AI Models (Azure OpenAI)

Spice integrates with Azure OpenAI Service for chat completion and reasoning models, including GPT-4 family, GPT-5, and o-series models.

Provider	Supported Models	Documentation
Azure OpenAI	GPT-4, GPT-4o, GPT-5, o-series, and other deployments.	Azure OpenAI Models

Example: Azure OpenAI Chat Model

models:
  - from: azure:gpt-4o
    name: gpt
    params:
      endpoint: ${ secrets:SPICE_AZURE_AI_ENDPOINT }
      azure_deployment_name: gpt-4o
      azure_api_version: 2024-08-01-preview
      azure_api_key: ${ secrets:SPICE_AZURE_API_KEY }

For Microsoft Entra ID authentication instead of an API key, set azure_entra_token in place of azure_api_key.

Secret Stores

Spice resolves secrets at runtime from configured secret stores. For Azure deployments, the azure_keyvault store reads secrets directly from Azure Key Vault, so Spicepods can reference connector and model credentials without baking them into environment variables or values.yaml.

Provider	Supported Auth Methods	Documentation
Azure Key Vault	`service_principal`, `managed_identity`, `workload_identity`, `cli`, `default`.	Azure Key Vault Secret Store

Example: Azure Key Vault Secret Store

secrets:
  - from: azure_keyvault:prod-vault
    name: azure
    params:
      auth_method: workload_identity

datasets:
  - from: postgres:public.taxi_trips
    name: taxi_trips
    params:
      pg_host: postgres.example.com
      pg_user: ${azure:postgres_user}
      pg_pass: ${azure:postgres_password}

Logical key names use underscores; the store automatically translates them to Key Vault names like spice-postgres-user (with a fallback to postgres-user). Pair azure_keyvault with AKS workload identity or a Container Apps managed identity so the runtime authenticates without long-lived credentials.

Embeddings (Azure OpenAI)

Generate vector embeddings using Azure OpenAI deployments for semantic search and retrieval-augmented generation (RAG).

Provider	Supported Models	Documentation
Azure OpenAI	`text-embedding-3-small`, `text-embedding-3-large`, `text-embedding-ada-002`.	Azure OpenAI Embeddings

Example: Azure OpenAI Embeddings

embeddings:
  - from: azure:text-embedding-3-small
    name: azure_embed
    params:
      endpoint: ${ secrets:SPICE_AZURE_AI_ENDPOINT }
      azure_deployment_name: text-embedding-3-small
      azure_api_version: 2023-05-15
      azure_api_key: ${ secrets:SPICE_AZURE_API_KEY }

Refer to the Azure OpenAI Service models for the full list of supported models and regions.

Authentication

All Azure integrations support the standard Azure Identity DefaultAzureCredential chain. When credentials are not explicitly configured, Spice attempts the following in order:

Environment variables — service principal (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET), certificate (AZURE_CLIENT_CERTIFICATE_PATH), or username/password.
Workload Identity — federated tokens on AKS via AZURE_FEDERATED_TOKEN_FILE. See Workload Identity for AKS.
Managed Identity — system-assigned or user-assigned identities on Azure VMs, AKS, Container Apps, and ACI. See Managed identities for Azure resources.
Azure CLI — cached credentials from a local az login session.
Azure Developer CLI / Azure PowerShell — used when the corresponding CLI is signed in.

For a deployment-side overview of these mechanisms, see the Authentication section of the Azure deployment guide.

Role Assignments

Each principal must have the appropriate Azure RBAC role for the services it accesses:

Service	Common role(s)
Azure Blob Storage / ADLS Gen2	`Storage Blob Data Reader` or `Storage Blob Data Contributor`
Azure Key Vault	`Key Vault Secrets User` (data plane) or RBAC equivalent
Azure SQL Database	Database-level role assignments granted to the Entra principal
Azure OpenAI	`Cognitive Services OpenAI User`
Azure Container Registry	`AcrPull` for image pulls

When a Spicepod connects to multiple Azure services, ensure roles are granted on every resource the runtime touches.

Cookbooks

Azure OpenAI Models — vector search and chat over structured and unstructured data with Azure OpenAI.

Data Connectors​

Example: Azure Blob Storage (ABFS)​

Example: Azure SQL Database​

Example: Azure Databricks​

Catalog Connectors​

Example: Unity Catalog with Azure Blob​

AI Models (Azure OpenAI)​

Example: Azure OpenAI Chat Model​

Secret Stores​

Example: Azure Key Vault Secret Store​

Embeddings (Azure OpenAI)​

Example: Azure OpenAI Embeddings​

Authentication​

Role Assignments​

Cookbooks​