Spice.ai integrates with Microsoft Azure for data federation, AI inference, embeddings, and authentication. This page consolidates Azure-compatible components and links to the relevant configuration guides.
Data connectors federate SQL queries across Azure data sources without data movement.
| Connector | Description | Documentation |
|---|---|---|
| Azure Blob Storage / ADLS Gen2 | Query Parquet, CSV, and JSON files in Azure Blob Storage or ADLS Gen2 using the abfs:// scheme. | ABFS Data Connector |
| Azure SQL Database / SQL Server | Connect to Azure SQL Database, Azure SQL Managed Instance, and SQL Server VMs. | MSSQL Data Connector |
| Azure Database for PostgreSQL | Connect to flexible server and single server deployments using the PostgreSQL connector. | PostgreSQL Data Connector |
| Azure Database for MySQL | Connect to flexible server deployments using the MySQL connector. | MySQL Data Connector |
| Azure Databricks | Query Databricks tables on Azure using SQL Warehouse or Spark Connect. | Databricks Data Connector |
| Apache Iceberg (ADLS) | Query Iceberg tables stored in ADLS Gen2 with REST or Unity Catalog metadata. | Iceberg Data Connector |
| Delta Lake (ADLS) | Query Delta Lake tables stored in ADLS Gen2 or Azure Blob Storage. | Delta Lake Data Connector |
| Microsoft SharePoint | Index and query documents from SharePoint sites and OneDrive for Business with Microsoft Entra ID authentication. | SharePoint Data Connector |
| Azure-hosted databases via ODBC | Connect through ODBC drivers for additional Azure-compatible data sources. | ODBC Data Connector |
Catalog connectors provide schema discovery and unified access to tables in Azure data catalogs.
| Connector | Description | Documentation |
|---|---|---|
| Databricks Unity Catalog | Discover and query tables governed by Unity Catalog on Azure Databricks. Supports Azure Blob authentication for table data. | Unity Catalog |
| Databricks Catalog | Connect to Azure Databricks as a catalog source for federated queries. | Databricks Catalog |
Spice integrates with Azure OpenAI Service for chat completion and reasoning models, including GPT-4 family, GPT-5, and o-series models.
| Provider | Supported Models | Documentation |
|---|---|---|
| Azure OpenAI | GPT-4, GPT-4o, GPT-5, o-series, and other deployments. | Azure OpenAI Models |
For Microsoft Entra ID authentication instead of an API key, set azure_entra_token in place of azure_api_key.
Spice resolves secrets at runtime from configured secret stores. For Azure deployments, the azure_keyvault store reads secrets directly from Azure Key Vault, so Spicepods can reference connector and model credentials without baking them into environment variables or values.yaml.
| Provider | Supported Auth Methods | Documentation |
|---|---|---|
| Azure Key Vault | service_principal, managed_identity, workload_identity, cli, default. | Azure Key Vault Secret Store |
Logical key names use underscores; the store automatically translates them to Key Vault names like spice-postgres-user (with a fallback to postgres-user). Pair azure_keyvault with AKS workload identity or a Container Apps managed identity so the runtime authenticates without long-lived credentials.
Generate vector embeddings using Azure OpenAI deployments for semantic search and retrieval-augmented generation (RAG).
| Provider | Supported Models | Documentation |
|---|---|---|
| Azure OpenAI | text-embedding-3-small, text-embedding-3-large, text-embedding-ada-002. | Azure OpenAI Embeddings |
Refer to the Azure OpenAI Service models for the full list of supported models and regions.
All Azure integrations support the standard Azure Identity DefaultAzureCredential chain. When credentials are not explicitly configured, Spice attempts the following in order:
AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET), certificate (AZURE_CLIENT_CERTIFICATE_PATH), or username/password.AZURE_FEDERATED_TOKEN_FILE. See Workload Identity for AKS.az login session.For a deployment-side overview of these mechanisms, see the Authentication section of the Azure deployment guide.
Each principal must have the appropriate Azure RBAC role for the services it accesses:
| Service | Common role(s) |
|---|---|
| Azure Blob Storage / ADLS Gen2 | Storage Blob Data Reader or Storage Blob Data Contributor |
| Azure Key Vault | Key Vault Secrets User (data plane) or RBAC equivalent |
| Azure SQL Database | Database-level role assignments granted to the Entra principal |
| Azure OpenAI | Cognitive Services OpenAI User |
| Azure Container Registry | AcrPull for image pulls |
When a Spicepod connects to multiple Azure services, ensure roles are granted on every resource the runtime touches.