Azure Blob Storage Setup

Store RabbitMQ backups in Azure Blob Storage. rabbitmq-backup supports multiple authentication methods: account key, service principal, workload identity (AKS), and SAS tokens.

Step 1: Create a Storage Account and Container

# Create a resource group
az group create --name rg-rabbitmq-backup --location eastus

# Create a storage account
az storage account create \
  --name rabbitmqbackupstorage \
  --resource-group rg-rabbitmq-backup \
  --location eastus \
  --sku Standard_LRS \
  --kind StorageV2

# Create a blob container
az storage container create \
  --name rabbitmq-backups \
  --account-name rabbitmqbackupstorage

Optional: Enable Soft Delete

az storage blob service-properties delete-policy update \
  --account-name rabbitmqbackupstorage \
  --enable true \
  --days-retained 30

Step 2: Choose an Authentication Method

Option A: Account Key

The simplest method, suitable for development and non-AKS environments.

# Get the account key
az storage account keys list \
  --account-name rabbitmqbackupstorage \
  --resource-group rg-rabbitmq-backup \
  --query '[0].value' -o tsv

backup-azure.yaml
storage:
  backend: azure
  account_name: rabbitmqbackupstorage
  container_name: rabbitmq-backups
  account_key: "your-account-key-here"
  prefix: prod/

Or pass it via environment variable:

export AZURE_STORAGE_KEY="your-account-key-here"
rabbitmq-backup backup --config backup-azure.yaml

Option B: Service Principal (Client Secret)

Create an Azure AD application and grant it access to the storage account.

# Create a service principal
az ad sp create-for-rbac --name rabbitmq-backup-sp

# Assign Storage Blob Data Contributor role
az role assignment create \
  --assignee <app-id> \
  --role "Storage Blob Data Contributor" \
  --scope /subscriptions/<sub-id>/resourceGroups/rg-rabbitmq-backup/providers/Microsoft.Storage/storageAccounts/rabbitmqbackupstorage

backup-azure-sp.yaml
storage:
  backend: azure
  account_name: rabbitmqbackupstorage
  container_name: rabbitmq-backups
  client_id: "your-client-id"
  tenant_id: "your-tenant-id"
  client_secret: "your-client-secret"
  prefix: prod/

Or set via environment variables:

export AZURE_CLIENT_ID="your-client-id"
export AZURE_TENANT_ID="your-tenant-id"
export AZURE_CLIENT_SECRET="your-client-secret"

Option C: Workload Identity (AKS)

For AKS clusters with Workload Identity enabled, no credentials need to be stored.

backup-azure-wi.yaml
storage:
  backend: azure
  account_name: rabbitmqbackupstorage
  container_name: rabbitmq-backups
  use_workload_identity: true
  client_id: "your-managed-identity-client-id"
  tenant_id: "your-tenant-id"
  prefix: prod/

The tool detects workload identity automatically when the AZURE_FEDERATED_TOKEN_FILE environment variable is present (injected by AKS).

Option D: SAS Token

Generate a time-limited SAS token for scoped access:

az storage container generate-sas \
  --account-name rabbitmqbackupstorage \
  --name rabbitmq-backups \
  --permissions rwdl \
  --expiry $(date -u -d "+24 hours" +%Y-%m-%dT%H:%MZ) \
  --output tsv

backup-azure-sas.yaml
storage:
  backend: azure
  account_name: rabbitmqbackupstorage
  container_name: rabbitmq-backups
  sas_token: "sv=2022-11-02&ss=b&srt=co&sp=rwdlac&se=..."
  prefix: prod/

Or via environment variable:

export AZURE_STORAGE_SAS_TOKEN="sv=2022-11-02&ss=b&..."
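
A pre-flight check for a SAS token before it goes into backup-azure-sas.yaml, as an added example that is not part of rabbitmq-backup or the original page: it flags account-level tokens (those carrying ss/srt fields), permissions beyond the rwdl requested in the command above, and lifetimes longer than the 24 hours used there. The names audit_sas and parse_expiry and both sample tokens are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

EXPECTED_PERMS = set("rwdl")        # what the page's generate-sas command requests
MAX_LIFETIME = timedelta(hours=24)  # the page's "+24 hours" expiry window

# Constructed sample tokens; the sig values are placeholders, not real signatures.
CONTAINER_SAS = "sv=2022-11-02&sr=c&sp=rwdl&se=2024-06-01T12:00Z&sig=CONSTRUCTED"
ACCOUNT_SAS = "sv=2022-11-02&ss=b&srt=co&sp=rwdlac&se=2024-07-01T00:00:00Z&sig=CONSTRUCTED"

def parse_expiry(se):
    """Parse the 'se' field, which may use date, minute or second precision."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiry format: {se!r}")

def audit_sas(token, now):
    """Return a list of findings for a SAS query string; an empty list means it passed."""
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    # An account SAS carries ss/srt; a container-scoped service SAS carries sr=c.
    if "ss" in fields or "srt" in fields:
        findings.append("account-level SAS: not scoped to a single container")
    elif fields.get("sr") != "c":
        findings.append("signed resource (sr) is not 'c' (container)")
    extra = set(fields.get("sp", "")) - EXPECTED_PERMS
    if extra:
        findings.append("permissions beyond rwdl: " + "".join(sorted(extra)))
    if "se" not in fields:
        findings.append("no expiry (se) field")
    else:
        expiry = parse_expiry(fields["se"])
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append("lifetime exceeds 24 hours")
    if "sig" not in fields:
        findings.append("no signature (sig) field")
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for name, tok in (("container", CONTAINER_SAS), ("account", ACCOUNT_SAS)):
        print(name, audit_sas(tok, now) or "OK")
```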

Step 3: Configure rabbitmq-backup

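Complete configuration example using account key authentication. The storage block omits account_key, so the key is read from the AZURE_STORAGE_KEY environment variable: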

backup-azure-full.yaml
mode: backup
backup_id: "azure-backup-001"

source:
  amqp_url: "amqp://backup_user:password@rabbitmq.example.com:5672/%2f"
  management_url: "http://rabbitmq.example.com:15672"
  management_username: backup_user
  management_password: password
  queues:
    include:
      - "*"

storage:
  backend: azure
  account_name: rabbitmqbackupstorage
  container_name: rabbitmq-backups
  prefix: prod/

backup:
  compression: zstd
  include_definitions: true

Azure Blob Configuration Reference

| Field | Required | Default | Description |
|---|---|---|---|
| backend | Yes | -- | Must be azure |
| account_name | Yes | -- | Azure storage account name |
| container_name | Yes | -- | Blob container name |
| account_key | No | AZURE_STORAGE_KEY env | Storage account key |
| client_id | No | AZURE_CLIENT_ID env | Azure AD client ID |
| tenant_id | No | AZURE_TENANT_ID env | Azure AD tenant ID |
| client_secret | No | AZURE_CLIENT_SECRET env | Client secret for service principal |
| sas_token | No | AZURE_STORAGE_SAS_TOKEN env | Shared access signature token |
| use_workload_identity | No | false | Enable AKS workload identity auth |
| prefix | No | None | Key prefix for all blobs |
| endpoint | No | Azure public | Custom endpoint for sovereign clouds |

Verify the Setup

rabbitmq-backup backup --config backup-azure.yaml
rabbitmq-backup list --path "azure://rabbitmqbackupstorage.blob.core.windows.net/rabbitmq-backups"

List blobs directly:

az storage blob list \
  --account-name rabbitmqbackupstorage \
  --container-name rabbitmq-backups \
  --prefix prod/ \
  --output table