Skip to main content

Azure Blob Store

PRO

You must create the Azure storage account in Azure before using Nexus Repository to create an Azure blob store. Below are the recommended storage account settings:

  • Location: the location hosting Nexus Repository

  • Performance: Standard general-purpose v2 or Premium block blobs

  • Account kind: StorageV2 if using Standard general-purpose v2 or BlockBlobStorage if using Premium block blobs

  • Replication: Any

Nexus Repository will automatically create an Azure container when a blob store is created if one does not already exist.

Warning

The Azure storage container name must be a valid DNS name that follows the rules Microsoft states in its documentation.

Changing the Blob Store Server

If you need to change the server that is contacted for Azure blob storage from "blob.core.windows.net" to something else, edit the existing <data-dir>/etc/nexus.properties file or set a Java system property as demonstrated below:

nexus.azure.server=<your.desired.blob.storage.server>

You will then need to restart Nexus Repository for the change to take effect.

Accessing the Azure Storage Account

There are three methods of gaining access to the Azure storage account from Nexus Repository:

  1. Use a secret access key supplied by the Azure storage account.

  2. If you're running Nexus Repository on an Azure VM, you can use System Managed Identity access.

  3. Use environment variables.

System Managed Identity Access

System Managed Identity allows Azure to manage the access via roles assigned to the VM in which you are running Nexus Repository. See the Microsoft documentation for details.

To properly use the System Managed Identity, the Azure VM will need the following roles assigned to the Azure storage container:

  • Storage Account Contributor

  • Storage Blob Data Contributor

Nexus Repository does not validate the roles before storing the configuration. When not properly granted to the VM, you must delete the blob store and then re-add it after the roles have been set up in the Azure storage instance.

Environment Variables

There are three environment variables for Azure blob stores:

AZURE_CLIENT_SECRET
AZURE_CLIENT_ID
AZURE_TENANT_ID

Register an Azure AD application and provide access to the blob storage.

Following Microsoft's documentation, complete the following steps:

  1. Create an application

  2. Grant permission to Azure storage

  3. Create a Client Secret

  4. Copy the secret value to use as AZURE_CLIENT_SECRET

  5. Retrieve the environment variables from the app registration overview screen:

    1. Directory (tenant) ID - the value for AZURE_TENANT_ID

    2. Application (client) ID - the value for AZURE_CLIENT_ID

You must then navigate to the storage container and grant the Storage Blob Data Contributor role to the application:

  1. Select Storage Accounts and then the storage account to which you want to grant access.

  2. Select Access Control (IAM); then, add a role assignment.

  3. Select Storage Blob Data Contributor.

  4. Select Next and then Add Member.

  5. Search for your application and add it as a member.

Now, set the environment variables in the terminal before launching Nexus Repository.

Optimizing Performance

For optimum performance, you'll want to take the following steps:

  • Run Nexus Repository on Azure on virtual machines

  • Ensure that the Azure connection is using the location where Nexus Repository is being run

The chunk size when uploading to Azure can be adjusted by setting the property nexus.azure.blocksize in the nexus.properties file (e.g., nexus.azure.blocksize=1000000). By default, this is set to 5242880 bytes (5MB). You can tune this for optimal performance on your network.