A Prometheus exporter for Azure Storage Queue metrics. Scrapes message count and message age from all queues across configured Azure Storage Accounts and exposes them as Prometheus metrics.
| Metric | Type | Labels | Description |
|---|---|---|---|
azure_queue_message_count | Gauge | storage_account, queue_name | Number of messages in the queue |
azure_queue_message_time_in_queue | Gauge | storage_account, queue_name | Age of the oldest message in seconds |
Two authentication methods are supported and can be mixed — some storage accounts can use keys while others use identity-based auth.
Set environment variables with the STORAGE_ACCOUNT_ prefix:
export STORAGE_ACCOUNT_mystorageaccount=<base64-encoded-key>The variable name suffix is the storage account name, and the value is the account key.
Set the environment variable with an empty value:
export STORAGE_ACCOUNT_mystorageaccount=An empty value tells the exporter to use DefaultAzureCredential, which automatically chains through:
- Environment credentials (
AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID) - Workload Identity (in AKS with workload identity configured)
- Managed Identity
- Azure CLI (
az login)
When using identity-based auth, the identity needs the following role:
| Role | Scope | Purpose |
|---|---|---|
Storage Queue Data Reader | Storage Account or Subscription | Read queue metadata and peek messages |
This is the only role assignment required. It covers all data plane operations the exporter performs: listing queues, reading queue properties (message count), and peeking messages (message age).
Example role assignment:
az role assignment create \ --assignee <principal-id> \ --role "Storage Queue Data Reader" \ --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>| Flag | Default | Description |
|---|---|---|
-collection.interval | 5s | Metric collection interval |
-web.listen-address | :9874 | Address to listen on |
-web.telemetry-path | /metrics | Path for metrics endpoint |
-log.level | warn | Log level: debug, info, warn, error, fatal |
-log.format | text | Log format: text, json |
A .env file in the working directory is auto-loaded for local development.
# With storage account key STORAGE_ACCOUNT_mystorageaccount=<key> go run . -log.level=debug # With Azure CLI credentials az login STORAGE_ACCOUNT_mystorageaccount= go run . -log.level=debugdocker build -t azure-storage-queue-exporter . docker run -e STORAGE_ACCOUNT_mystorageaccount=<key> azure-storage-queue-exporterMulti-arch images (amd64/arm64) are published to ghcr.io/youscan/azure-storage-queue-exporter.
helm repo add azure-storage-queue-exporter https://youscan.github.io/azure_storage_queue_exporter helm install azure-storage-queue-exporter azure-storage-queue-exporter/azure-storage-queue-exporterconfig: storageAccountCredentials: - name: mystorageaccount key: <storage-account-key> - name: anotherstorageaccount key: <storage-account-key>config: storageAccountCredentials: - name: mystorageaccount # no key = use DefaultAzureCredential - name: anotherstorageaccount workloadIdentity: enabled: true clientId: "00000000-0000-0000-0000-000000000000"This creates a Kubernetes ServiceAccount with the azure.workload.identity/client-id annotation and adds the azure.workload.identity/use: "true" label to the pod.
Key-based and identity-based accounts can coexist:
config: storageAccountCredentials: - name: legacyaccount key: <storage-account-key> - name: modernaccount # uses DefaultAzureCredential workloadIdentity: enabled: true clientId: "00000000-0000-0000-0000-000000000000"| Path | Description |
|---|---|
/healthz | Liveness probe — returns 200 when HTTP server is up |
/readyz | Readiness probe — returns 200 after first successful collection |