feat(cubestore): Add Azure Blob Storage support for remote filesystem

docs-mintlify/cube-core/running-in-production.mdx

@@ -310,6 +310,17 @@ default.
 
 </Warning>
 
+### Azure
+
+Cube Store supports Azure Blob Storage for persistent storage using account
+keys, SAS tokens, or federated token credentials (workload identity, managed
+identity).
+
+When `CUBESTORE_AZURE_ACCESS_KEY` and `CUBESTORE_AZURE_SAS_TOKEN` are not set,
+Cube Store automatically uses federated token credentials via the standard
+`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_FEDERATED_TOKEN_FILE`
+environment variables.
+
 ### Garbage collection
 
 Cleanup isn’t done in export buckets; however, it's done in the persistent

docs-mintlify/docs/pre-aggregations/running-in-production.mdx

@@ -310,9 +310,20 @@ default.
 
 </Warning>
 
+### Azure
+
+Cube Store supports Azure Blob Storage for persistent storage using account
+keys, SAS tokens, or federated token credentials (workload identity, managed
+identity).
+
+When `CUBESTORE_AZURE_ACCESS_KEY` and `CUBESTORE_AZURE_SAS_TOKEN` are not set,
+Cube Store automatically uses federated token credentials via the standard
+`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_FEDERATED_TOKEN_FILE`
+environment variables.
+
 ### Garbage collection
 
-Cleanup isn’t done in export buckets; however, it's done in the persistent
+Cleanup isn’t done in export buckets; however, it’s done in the persistent
 storage of Cube Store. The default time-to-live (TTL) for orphaned
 pre-aggregation tables is one day.
 

docs-mintlify/reference/configuration/environment-variables.mdx

@@ -1532,6 +1532,63 @@ Required when using an AWS instance role.
 | ------------------------- | ---------------------- | --------------------- |
 | A valid number in minutes | `180`                  | `180`                 |
 
+## `CUBESTORE_AZURE_ACCESS_KEY`
+
+The access key for the Azure Storage account. Optional when using Azure Blob
+Storage. If not set, falls back to SAS token authentication or
+federated token credentials.
+
+| Possible Values                   | Default in Development | Default in Production |
+| --------------------------------- | ---------------------- | --------------------- |
+| A valid Azure Storage account key | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_ACCOUNT`
+
+The name of the Azure Storage account. Required when
+`CUBESTORE_AZURE_CONTAINER` is set.
+
+| Possible Values                    | Default in Development | Default in Production |
+| ---------------------------------- | ---------------------- | --------------------- |
+| A valid Azure Storage account name | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_CONTAINER`
+
+The name of the Azure Blob Storage container. Required when using Azure Blob
+Storage.
+
+| Possible Values             | Default in Development | Default in Production |
+| --------------------------- | ---------------------- | --------------------- |
+| A valid blob container name | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_ENDPOINT`
+
+A custom endpoint URL for Azure Blob Storage. Optional. Use this for local
+development with [Azurite](https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azurite)
+or for sovereign cloud endpoints.
+
+| Possible Values | Default in Development | Default in Production |
+| --------------- | ---------------------- | --------------------- |
+| A valid URL     | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_SAS_TOKEN`
+
+A shared access signature (SAS) token for Azure Blob Storage. Optional. Used
+when `CUBESTORE_AZURE_ACCESS_KEY` is not set. If neither the access key nor
+SAS token is set, federated token credentials are used.
+
+| Possible Values   | Default in Development | Default in Production |
+| ----------------- | ---------------------- | --------------------- |
+| A valid SAS token | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_SUB_PATH`
+
+The path prefix within the Azure Blob Storage container to store
+pre-aggregations. Optional.
+
+| Possible Values     | Default in Development | Default in Production |
+| ------------------- | ---------------------- | --------------------- |
+| A valid path prefix | N/A                    | N/A                   |
+
 ## `CUBESTORE_BIND_ADDR`
 
 The address/port pair for Cube Store's MySQL-compatible interface.

docs/content/product/caching/running-in-production.mdx

@@ -280,8 +280,36 @@ services:
       - cubestore_router
 ```
 
+A simplified example using Azure Blob Storage might look like:
+
+```yaml
+services:
+  cubestore_router:
+    image: cubejs/cubestore:latest
+    environment:
+      - CUBESTORE_SERVER_NAME=cubestore_router:9999
+      - CUBESTORE_META_PORT=9999
+      - CUBESTORE_WORKERS=cubestore_worker_1:9001
+      - CUBESTORE_AZURE_CONTAINER=<CONTAINER_NAME>
+      - CUBESTORE_AZURE_ACCOUNT=<STORAGE_ACCOUNT_NAME>
+      - CUBESTORE_AZURE_ACCESS_KEY=<STORAGE_ACCOUNT_KEY>
+
+  cubestore_worker_1:
+    image: cubejs/cubestore:latest
+    environment:
+      - CUBESTORE_SERVER_NAME=cubestore_worker_1:9001
+      - CUBESTORE_WORKER_PORT=9001
+      - CUBESTORE_META_ADDR=cubestore_router:9999
+      - CUBESTORE_WORKERS=cubestore_worker_1:9001
+      - CUBESTORE_AZURE_CONTAINER=<CONTAINER_NAME>
+      - CUBESTORE_AZURE_ACCOUNT=<STORAGE_ACCOUNT_NAME>
+      - CUBESTORE_AZURE_ACCESS_KEY=<STORAGE_ACCOUNT_KEY>
+    depends_on:
+      - cubestore_router
+```
+
 Note that you can’t use the same bucket as an export bucket and persistent
-storage for Cube Store. It's recommended to use two separate buckets. 
+storage for Cube Store. It’s recommended to use two separate buckets.
 
 ### Scratch storage
 
@@ -309,6 +337,17 @@ default.
 
 </WarningBox>
 
+### Azure
+
+Cube Store supports Azure Blob Storage for persistent storage using account
+keys, SAS tokens, or DefaultAzureCredential (workload identity, managed
+identity, Azure CLI).
+
+When `CUBESTORE_AZURE_ACCESS_KEY` and `CUBESTORE_AZURE_SAS_TOKEN` are not set,
+Cube Store automatically uses DefaultAzureCredential, which supports workload
+identity in Kubernetes via the standard `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`,
+and `AZURE_FEDERATED_TOKEN_FILE` environment variables.
+
 ### Garbage collection
 
 Cleanup isn’t done in export buckets; however, it's done in the persistent

docs/content/product/configuration/reference/environment-variables.mdx

@@ -1529,6 +1529,63 @@ Required when using an AWS instance role.
 | ------------------------- | ---------------------- | --------------------- |
 | A valid number in minutes | `180`                  | `180`                 |
 
+## `CUBESTORE_AZURE_ACCESS_KEY`
+
+The access key for the Azure Storage account. Optional when using Azure Blob
+Storage. If not set, falls back to SAS token authentication or
+DefaultAzureCredential.
+
+| Possible Values                   | Default in Development | Default in Production |
+| --------------------------------- | ---------------------- | --------------------- |
+| A valid Azure Storage account key | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_ACCOUNT`
+
+The name of the Azure Storage account. Required when
+`CUBESTORE_AZURE_CONTAINER` is set.
+
+| Possible Values                    | Default in Development | Default in Production |
+| ---------------------------------- | ---------------------- | --------------------- |
+| A valid Azure Storage account name | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_CONTAINER`
+
+The name of the Azure Blob Storage container. Required when using Azure Blob
+Storage.
+
+| Possible Values             | Default in Development | Default in Production |
+| --------------------------- | ---------------------- | --------------------- |
+| A valid blob container name | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_ENDPOINT`
+
+A custom endpoint URL for Azure Blob Storage. Optional. Use this for local
+development with [Azurite](https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azurite)
+or for sovereign cloud endpoints.
+
+| Possible Values | Default in Development | Default in Production |
+| --------------- | ---------------------- | --------------------- |
+| A valid URL     | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_SAS_TOKEN`
+
+A shared access signature (SAS) token for Azure Blob Storage. Optional. Used
+when `CUBESTORE_AZURE_ACCESS_KEY` is not set. If neither the access key nor
+SAS token is set, DefaultAzureCredential is used.
+
+| Possible Values   | Default in Development | Default in Production |
+| ----------------- | ---------------------- | --------------------- |
+| A valid SAS token | N/A                    | N/A                   |
+
+## `CUBESTORE_AZURE_SUB_PATH`
+
+The path prefix within the Azure Blob Storage container to store
+pre-aggregations. Optional.
+
+| Possible Values     | Default in Development | Default in Production |
+| ------------------- | ---------------------- | --------------------- |
+| A valid path prefix | N/A                    | N/A                   |
+
 ## `CUBESTORE_BIND_ADDR`
 
 The address/port pair for Cube Store's MySQL-compatible interface.

rust/cubestore/cubestore/Cargo.toml

@@ -107,7 +107,7 @@ humansize = "2.1.3"
 deepsize = "0.2.0"
 anyhow = "1.0"
 arc-swap = "1.7.1"
-object_store = "0.11.1"
+object_store = { version = "0.11.1", features = ["azure"] }
 prost = "0.13.1"
 
 [target.'cfg(target_os = "linux")'.dependencies]

rust/cubestore/cubestore/src/config/mod.rs

@@ -24,6 +24,7 @@ use crate::mysql::{MySqlServer, SqlAuthDefaultImpl, SqlAuthService};
 use crate::queryplanner::metadata_cache::BasicMetadataCacheFactory;
 use crate::queryplanner::query_executor::{QueryExecutor, QueryExecutorImpl};
 use crate::queryplanner::{QueryPlanner, QueryPlannerImpl};
+use crate::remotefs::azure_blob::AzureBlobRemoteFs;
 use crate::remotefs::cleanup::RemoteFsCleanup;
 use crate::remotefs::gcs::GCSRemoteFs;
 use crate::remotefs::minio::MINIORemoteFs;
@@ -319,6 +320,7 @@ pub fn validate_config(c: &dyn ConfigObj) -> ValidationMessages {
         "CUBESTORE_MINIO_BUCKET",
         "CUBESTORE_S3_BUCKET",
         "CUBESTORE_GCS_BUCKET",
+        "CUBESTORE_AZURE_CONTAINER",
         "CUBESTORE_REMOTE_DIR",
     ];
     remote_vars.retain(|v| env::var(v).is_ok());
@@ -352,6 +354,11 @@ pub enum FileStoreProvider {
         bucket_name: String,
         sub_path: Option<String>,
     },
+    AzureBlob {
+        account: String,
+        container: String,
+        sub_path: Option<String>,
+    },
 }
 
 #[derive(Clone)]
@@ -1349,6 +1356,14 @@ impl Config {
                             bucket_name,
                             sub_path: env::var("CUBESTORE_GCS_SUB_PATH").ok(),
                         }
+                    } else if let Ok(container) = env::var("CUBESTORE_AZURE_CONTAINER") {
+                        FileStoreProvider::AzureBlob {
+                            container,
+                            account: env::var("CUBESTORE_AZURE_ACCOUNT").expect(
+                                "CUBESTORE_AZURE_ACCOUNT required when CUBESTORE_AZURE_CONTAINER is set",
+                            ),
+                            sub_path: env::var("CUBESTORE_AZURE_SUB_PATH").ok(),
+                        }
                     } else if let Ok(remote_dir) = env::var("CUBESTORE_REMOTE_DIR") {
                         FileStoreProvider::Filesystem {
                             remote_dir: Some(PathBuf::from(remote_dir)),
@@ -2034,6 +2049,24 @@ impl Config {
                     })
                     .await;
             }
+            FileStoreProvider::AzureBlob {
+                account,
+                container,
+                sub_path,
+            } => {
+                let data_dir = self.config_obj.data_dir.clone();
+                let account = account.to_string();
+                let container = container.to_string();
+                let sub_path = sub_path.clone();
+                self.injector
+                    .register("original_remote_fs", async move |_| {
+                        let arc: Arc<dyn DIService> =
+                            AzureBlobRemoteFs::new(data_dir, account, container, sub_path)
+                                .unwrap();
+                        arc
+                    })
+                    .await;
+            }
             FileStoreProvider::Local => unimplemented!(), // TODO
         };
     }