Downloads objects from Azure blob storage

Chris Zembower



Version information

  • 0.1.8 (latest)
  • 0.1.5
  • 0.1.4
  • 0.1.3
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Feb 25th 2021
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
  • Puppet >= 6 < 7.4.0
  • CentOS


czembower/blob — version 0.1.8 Feb 25th 2021


Table of Contents

  1. Description
  2. Usage
  3. Limitations


Description

A simple Puppet module that downloads objects from Azure blob storage, using the Client ID parameter associated with a User-Assigned Managed Identity as the authentication mechanism.

Optionally, the downloaded object can be unzipped, and permissions of the object and/or unzipped files can be managed by specifying the 'mode' parameter.

Also included are two custom facts:

  • az_meta - full output from the Azure Metadata Service at the '/metadata/instance' endpoint
  • client_id - the value of the 'clientId' tag, if it exists.


Usage

blob { '/tmp/':
  ensure    => present,
  account   => 'myBlobStorageAccountName',
  client_id => 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
  blob_path => 'myStorageContainer/',
  mode      => '0644',
  unzip     => true,
  creates   => '/tmp/myBlob',
}

Optionally, the client_id parameter can be sourced from an included custom fact that reads the client_id from an Azure tag named "clientId" if it exists:

blob { '/tmp/myBlob.txt':
  ensure    => present,
  account   => 'myBlobStorageAccountName',
  client_id => $::client_id,
  blob_path => 'myStorageContainer/myBlob.txt',
}

This method facilitates integration with infrastructure-as-code tools (e.g. Terraform), so that a compute resource, managed identity, and access controls can all be defined programmatically, without committing sensitive data to your repository.


  • ensure: Whether object should be present/absent on the local filesystem (default: present)
  • path: [string] Where to store the object on the local system (optional - implied by resource name)
  • account: [string] Azure Storage Account name (required)
  • client_id: [string] The Client ID of the associated user-assigned managed identity (required)
  • blob_path: [string] Path to the object in the form of [container]/[path]/[to]/[object] (required)
  • mode: [string] Permissions that should be applied to the file after downloading (optional - default: 0644)
  • unzip: [bool] Whether to unzip downloaded Blob object (optional - default: false)
  • creates: [string] File object created by the unzip process - controls mode/presence of extracted data, and will additionally purge the original zip archive after extraction (optional - default: undef)


Limitations

This module currently supports only User-Assigned Managed Identity as the authentication mechanism. This requires the Puppet client system to be a machine running within the Azure environment with appropriately scoped access permissions. Alternate methods require sensitive credentials to be present in the manifest. In contrast, the 'client ID' method is bound to a verified identity and therefore carries considerably lower risk.
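
The Ruby code below is an added example, not the module's own code. It shows the general Azure Instance Metadata Service requests that a user-assigned managed identity relies on, plus a validated lookup of the 'clientId' tag described for the custom fact. The function names, the sample metadata and the preference for tagsList over tags are assumptions.

```ruby
require 'json'
require 'uri'

IMDS = 'http://169.254.169.254' # link-local Azure Instance Metadata Service
GUID = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Pull the "clientId" tag out of a /metadata/instance document. IMDS exposes
# tags as compute.tagsList and as the "name:value;name:value" string compute.tags.
def client_id_from_metadata(json)
  compute = JSON.parse(json).fetch('compute', {})
  pairs = Array(compute['tagsList']).map { |t| [t['name'], t['value']] }
  pairs = compute['tags'].to_s.split(';').map { |kv| kv.split(':', 2) } if pairs.empty?
  id = pairs.select { |p| p.size == 2 }.to_h['clientId']
  # A tag is free text set by whoever may write tags on the VM: accept GUIDs only.
  id if id.to_s.match?(GUID)
end

# Token request for the storage resource on behalf of one user-assigned identity.
def token_request(client_id)
  raise ArgumentError, 'client_id is not a GUID' unless client_id.to_s.match?(GUID)
  uri = URI("#{IMDS}/metadata/identity/oauth2/token")
  uri.query = URI.encode_www_form('api-version' => '2018-02-01',
                                  'resource'    => 'https://storage.azure.com/',
                                  'client_id'   => client_id)
  { uri: uri, headers: { 'Metadata' => 'true' } } # IMDS rejects calls without this header
end

# Blob GET that carries the short-lived bearer token instead of an account key.
def blob_request(account, blob_path, access_token)
  # Storage account names are 3-24 lowercase letters/digits; this also blocks host injection.
  raise ArgumentError, 'invalid storage account name' unless account.to_s.match?(/\A[a-z0-9]{3,24}\z/)
  { uri: URI("https://#{account}.blob.core.windows.net/#{blob_path}"),
    headers: { 'Authorization' => "Bearer #{access_token}", 'x-ms-version' => '2017-11-09' } }
end

# Constructed sample metadata (not real output).
SAMPLE = <<~META
  {"compute": {"name": "vm-example",
               "tags": "env:dev;clientId:11111111-2222-3333-4444-555555555555",
               "tagsList": [{"name": "env", "value": "dev"},
                            {"name": "clientId", "value": "11111111-2222-3333-4444-555555555555"}]}}
META
```

The client ID is an identifier, not a secret: the token is only issued to a machine that actually has that identity assigned, which is why it can sit in a manifest or a tag.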