Private Data Storage
Use private data storage to configure your workspace to replace the default file store with your cloud storage provider.
Alteryx Analytics Cloud provides file storage as part of the application. You can use the file store in these cases:
Upload a file to use as an input dataset.
Download a file created as a job output.
Store a sample of data generated by a user at design time.
Temporary storage used during some processing jobs.
Private data storage is available for all workspaces in Alteryx Analytics Cloud and you must configure it before you can set up private data processing.
Follow these guides to set up Private Data Storage for 1 of your cloud storage providers:
ADLS as Private Data Storage
Follow this guide to configure your Alteryx Analytics Cloud (AAC) workspace to replace Alteryx Data Storage (ADS) with an instance of Azure Data Lake Storage (ADLS) that you own.
Limitations
Connectivity
No connectivity to external ADLS file-systems outside of the Storage Account used for Private Data Storage.
No connectivity to Amazon Redshift.
ADS isn't accessible while using ADLS as Private Data Storage.
Engine Availability
EMR Spark as an engine isn't supported.
Limited support for long-running jobs over 60 minutes with Photon as an engine. Longer jobs might result in a failed state.
Platform
You can't switch between Private Data Storage options (for example, S3 to ADLS or ADLS to S3).
After the initial release of ADLS as Private Data Storage, you must create a new workspace to enable the storage option.
Prerequisites
For Alteryx Analytics Cloud...
Be a user on an Enterprise AAC plan.
Have a Workspace Admin role assigned to you.
Use ADS as the base storage. The workspace shouldn't be set up with another Private Storage option.
For Azure Data Lake Storage...
Have administrative access to these services:
Azure Portal
Microsoft Entra (Azure AD)
Azure Key Vault
Have administrative access to the file systems and storage account on ADLS.
Users must at least have the Storage Blob Data Contributor role or a similar custom role with these permissions:
Type
Permission
Description
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Delete a Blob.
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Return a Blob or a list of Blobs.
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Write to a Blob.
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action
Moves the Blob from 1 path to another.
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Returns the result of adding Blob content.
Actions
Microsoft.Storage/storageAccounts/blobServices/containers/read
Return a container or a list of containers.
Actions
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
Returns a user delegation key for the Blob service.
Step 1: Set Up Single Sign-On (SSO)
Follow this guide to configure SSO for your workspace using Microsoft Entra (Azure AD).
Step 2: Set Up Cloud Authorization
Establish a secure connection between AAC and your ADLS location.
Step 2a: Create an Application on Azure Portal
Sign in to your Azure Portal as an administrator.
Go to the Applications > App Registration page.
Select New Registration.
In the Name field, enter a name for your app. For example, the name of your AAC workspace.
In the Redirect URI dropdown, select
Web
and then enter the Callback URL. Follow this template:https://{platformEnvironment}/workspace/${workspaceName}/sso/azureCallback
. Example:https://us1.alteryx.com/workspace/YOUR-WORKSPACE/sso/azureCallback
Select Register.
Note and copy your Application (Client) ID and Directory (Tenant) ID. You will use these later in Step 2c.
Go to your application’s API Permissions page.
Select Add a permission and then select Microsoft Graph.
Select Delegated permissions.
Check the box next to email, profile, user.read, openid, and offline_access.
Select Add permissions.
Again select Add a permission and then select Azure Storage.
Select Delegated permissions.
Check the box next to user_impersontation.
Select Add permissions.
Go to your application's Certificates & secrets page. and then select the Client secrets tab.
Select New client secret.
In the Description field, enter a description of your app. For example, the name of your AAC workspace.
Set Expires to an appropriate value and then select Save.
Note and copy the secret Value. You will use this later in Step 2b.
Go to the Federated Credentials tab. and then select Add credential.
From the Federated credential scenario dropdown, select Other issuer.
In the Issuer field, enter
https://accounts.google.com
.In the Subject Identifier field, enter 1 of these options based on your AAC enironment location:
US1:
115363405640771453608
EU1:
103517307997047250975
AU1:
106202870273509843893
In the Name field, enter
AccessFromAlteryx
.Select Save.
Step 2b: Configure a Key Vault on Azure Portal
Go to the Key Vaults page on your Azure Portal.
Select Create.
Under the Basics tab, select appropriate values for Subscription and Resource Group per your organization's requirements.
In the Key valut name field, enter a name for your key vault. For example, the name of your AAC workspace.
Select Next to go to the Access configurations tab.
Set the Permissions model to Vault access policy and then select Create under Access policies. A Create an access policy dialog appears.
In the access policy dialog under the Permissions tab, check all Secret permissions boxes.
Select Next to go to the Principal tab.
On the Principals tab, search for the app you created previously in Step 2a. Once you've located the app, select it and then select Next.
On the next Application tab, no action is needed. Select Next to continue.
On the Review + create tab, select Create. This action closes the access policy dialog and creates a new Access Policy for your application.
Return to the Create key vault dialog for your app. Select Review + Create and then select Create. This action initiates the deployment of your key vault.
Once the deployment completes, under Next Steps, select Go to resource. This action takes you to the Key Vault Overview page.
On the Key Vault Overview page, go to Secrets and then select Generate/Import to assign a secret.
In the Name field, enter a name for your secret. For example, the name of your AAC workspace.
In the Secret field, enter your app's secret Value you copied previously in Step 2a.
Select Create and then copy the Key Vault Secret Name. You will use this later in Step 2c.
Go to Overview and then copy the Vault URI. You will use this later in Step 2c.
Step 2c: Configure Cloud Authorization on AAC
Return to your AAC workspace.
Go to Profile menu > Workspace Admin > Private Data Handling > Cloud Authorization and then select Microsoft Azure.
Important
AAC requires SSO before proceeding. If you haven't set up SSO for this workspace, follow this guide.
Enter the Azure AD Tenant ID you copied in Step 2a after creating an app on the Azure Portal.
Enter the Azure AD Client ID you copied in Step 2a after creating an app on the Azure Portal.
Enter the Azure AD Client Secret Name you copied in Step 2b after creating a key vault on the Azure Portal.
Enter the Azure Key Vault URL you copied in Step 2b after creating a key vault on the Azure Portal.
Select Save.
Step 3: Set Up ADLS as Private Data Storage
Follow these steps to set ADLS as the Private Data Storage location in your AAC workspace.
Within your AAC workspace, go to Profile menu > Workspace Admin > Private Data Handling > Storage and then select Azure Data Lake Storage (ADLS).
In the Account Name, enter your ADLS Storage Account name.
In the Default Root Filesystem field, enter the default container for users. Note that users can override the default location in Profile menu > Preferences > Storage.
To validate your credentials, select Save. If valid, a pop-up window appears to confirm the configuration of ADLS as Private Data Storage. Follow the on-screen instructions.
ADLS as Private Data Storage is now complete. For users to access the storage, ensure users have access to ADLS and have at least a Storage Blob Data Contributor role or similar in Azure.
To access your ADLS data, go to the Data page and select Azure Data Lake Storage from the left pane. You can also access your data in your Designer Cloud workflows.
AWS as Private Data Storage
Follow this guide to configure your Alteryx Analytics Cloud (AAC) workspace to replace Alteryx Data Storage (ADS) with an instance of Amazon Web Services (AWS) S3 that you own.
Note
Private data handling requires the use of AWS S3 as the default storage layer and is incompatible with the default storage provided by Alteryx. You should set up private data storage soon after creating your workspace and before users start to create datasets. Any datasets created before configuring private data storage will be inaccessible after completing the configuration. For more information, please contact Alteryx Support.
Step 1: Check Status of Private Data Storage
Sign in to your workspace as a workspace administrator.
From your Profile menu, select Admin Console.
From the left navigation panel, select Private Data Handling.
If you see “Successfully Configured” under the Private Data Storage heading, you can proceed to step 3.
![]() |
If you see “No Configuration” under the Private Data Storage heading, continue to Step 2.
![]() |
Step 2: Configure Private Data Storage
Note
You need the appropriate permissions and access to the AWS Console in order to complete this step. If you don’t have this access, you might need assistance from your IT team to complete this step.
From the Private Data Handling page, select the Configure AWS S3 Account link.
From this screen, select Configure AWS account.
Follow the step-by-step instructions. Alteryx Analytics Cloud needs read and write permissions to your S3 bucket in order to use it for workspace storage. You can choose to provide these permissions with an IAM role or IAM user.
You might want to consider provisioning this S3 bucket in the same region as other data sources your company runs in the cloud. This improves performance and reduces egress costs.
If you choose to use a cross-account role, you need to provide the name of your S3 bucket, create a new policy, create an IAM role that Alteryx Analytics CloudAlteryx Analytics Cloud will use, and attach the policy to the role.
You’ll then provide the ARN of the role you just created.
If you choose to use access keys, you need to provide the name of your S3 bucket, the access key, and the secret key.
Whether you choose to use roles or access keys, you also have the opportunity to specify additional S3 buckets. Finally, if you've enabled server-side encryption on your S3 bucket, you can select the encryption type you want to use. Private data storage supports both SSE-S3
and SSE-KMS
encryption methods. If you are using SSE-KMS
, you need to provide the AWS KMS key ID.
When you’re done, select Save.
Step 3: Workspace Settings
Set your private data storage as the default workspace storage and disable the Alteryx-provided base storage option.
Sign in to your workspace as a workspace administrator.
From your Profile menu, select Admin Console.
In the Admin Console, select Settings.
In the General section, set theAlteryx Data Storage (ADS)option to Disabled.
In the Connectivity section, set the Enable S3 Connectivity option to Default(Enabled) or Enabled.
In the Publishing section, set the Default Storage Environment option to s3.
Step 4: Verify
Validate that everything works properly.
From the top navigation bar, select Data.
Select Import Data.
Select Upload on the left navigation panel.
Upload a CSV file from your computer.
This successfully verifies write access to your private data storage. You can verify read access by using your uploaded dataset in a workflow.
Now your workspace is ready to use private data storage. You can move on to setting up your AWS Account and then configuring private data processing.
GCS as Private Data Storage
Follow this guide to configure your Alteryx Analytics Cloud (AAC) workspace to replace Alteryx Data Storage (ADS) with an instance of Google Cloud Storage (GCS) that you own.
Note
In the future, organizations that want to apply their own authentication security policies to individual workspaces can enable Single-Sign On on a workspace-by-workspace basis. Currently, Google Service Accounts provisions Google Cloud Storage as Alteryx Private Data Storage in Workspace Mode. Workspace Mode enables all users access to all the data assets they create, maintain, and use on the AACworkspace. Users can change the default upload and output paths for all data assets they work with in the Default Bucket. This enables all users on the workspace to access GCP storage and execute credential passthrough to other compatible connections.
Limitations
Connectivity
No connectivity to Amazon Redshift.
Workspaces provisioned with Google Cloud Storage as Private Date Storage don't support Snowflake Connections or Google Cloud Storage External Connections.
For Google Cloud Platform (GCP), AAC only allows 1 GCP project per workspace with pushdown to the same Big Query connection (with the same project and service account).
Engine Availability
Workspaces provisioned with Google Cloud Storage as Private Date Storage don't support EMR Spark as an engine or re-sampling capabilities.
Alteryx engines don't support job runtimes greater than 1 hour.
Platform
Once you set up Google Cloud Storage, you can't switch between Private Data Storage options (for example, GCS to S3).
Workspaces provisioned with Google Cloud Storage as Private Date Storage don't support Machine Learning.
Prerequisites
Be a user on a Professional or Enterprise AAC plan.
Have a Workspace Admin role assigned to you in AAC.
Have administrative access to the target Google Cloud Platform project.
Google Cloud Storage on AAC Setup Guide
Establish a secure connection between AAC and your Google Cloud Storage location.
Step 1: Create a Google Service Account Key
Service Account Keys authenticate applications, scripts, or services with Google APIs. To create a key, follow these steps:
Go to the Google Cloud Console and then sign in with your Google account.
If you have an existing project, select the project where you want to create the Service Account Key. If you don't have a project, create a project now.
Note and copy the project name. You will use this later in Step 2.
On the left pane, select IAM & Admin and then select Service Accounts.
Select Create Service Account.
Enter Service Account Details:
Enter a name for your service account.
[Optional] Enter a description. For example, the name of your AAC workspace.
Choose a role for the service account. For example Project > Editor or specific API roles depending on your needs. Note that AAC requires these permissions:
bigquery.datasets.get
bigquery.routines.list
bigquery.tables.updateData
bigquery.datasets.getIamPolicy
bigquery.tables.create
resourcemanager.projects.get
bigquery.jobs.create
bigquery.tables.createSnapshot
storage.buckets.get
bigquery.models.export
bigquery.tables.export
storage.buckets.list
bigquery.models.getData
bigquery.tables.get
storage.objects.create
bigquery.models.getMetadata
bigquery.tables.getData
storage.objects.delete
bigquery.models.list
bigquery.tables.getIamPolicy
storage.objects.get
bigquery.routines.get
bigquery.tables.list
storage.objects.list
Select Continue.
In the Keys section, select Create Key and then select the JSON key type.
Select the JSON key type and then select Create. The private key automatically generates and downloads to your computer. You will use this key later in Step 2.
Caution
Keep the JSON key file secure as it provides access to your service account.
Step 2: Set Up Google Cloud Storage as Private Data Storage
Sign in to your AAC workspace.
Go to Profile menu > Account Management > Private Data Handling > Storage and then select Google Cloud Storage.
Under Service Account Key, copy and paste the entire JSON key you created previously in Step 2.
Under Default Bucket, enter the project name you copied previously in Step 2.
[Optional] Enter a Project ID. Note that this overrides the project ID from the service account key.
Select Save to provision your AAC workspace with Google Cloud Storage as Private Data Storage.
Note
AAC automatically creates a default path when a user signs in to a workspace for the first time after Google Cloud Storage has been set up as the base storage.
Change Upload and Output Directory Locations
Users can update their workspace preferences to a target Output and Upload location in the provisioned Default Bucket. To change location preferences, follow these steps:
Sign in to your AAC workspace.
Go to Profile Menu > Preferences > Storage.
Select Edit next to the Output or Upload directory. You can also create new directories within the Default Bucket.
Note
By default, the upload directory is
gs://${defaultBucket}/${workspaceId}/${personId}/uploads
and the output directory isgs://${defaultBucket}/${workspaceId}/${personId}/queryResults
.
Browse Datasets from Google Cloud Storage on AAC
After enabling Google Cloud Storage as a Private Data Storage, users can browse and import datasets from the Default Bucket provisioned by the Admin. To browse data, follow these steps:
Sign in to your AAC workspace.
Go to the Data page.
Select Import Data. On the left pane, you should see Google Cloud Storage as an Import Data option.
Select Google Cloud Storage to access your data.