Data Source: azurermStorageAccountBlobContainerSas

Use this data source to obtain a Shared Access Signature (SAS Token) for an existing Storage Account Blob Container.

Shared access signatures allow fine-grained, ephemeral access control to various aspects of an Azure Storage Account Blob Container.

Example Usage

import { Construct } from "constructs";
import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
class MyStack extends cdktf.TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    // Resource group that holds the storage account.
    const azurermResourceGroupRg = new azurerm.resourceGroup.ResourceGroup(
      this,
      "rg",
      {
        location: "West Europe",
        name: "resourceGroupName",
      }
    );
    const azurermStorageAccountStorage =
      new azurerm.storageAccount.StorageAccount(this, "storage", {
        accountReplicationType: "LRS",
        accountTier: "Standard",
        location: azurermResourceGroupRg.location,
        name: "storageaccountname",
        resourceGroupName: azurermResourceGroupRg.name,
      });
    // Private container: no anonymous access, so readers need a SAS.
    const azurermStorageContainerContainer =
      new azurerm.storageContainer.StorageContainer(this, "container", {
        containerAccessType: "private",
        name: "mycontainer",
        storageAccountName: azurermStorageAccountStorage.name,
      });
    // SAS scoped to the container, restricted to HTTPS and one source IP.
    const dataAzurermStorageAccountBlobContainerSasExample =
      new azurerm.dataAzurermStorageAccountBlobContainerSas.DataAzurermStorageAccountBlobContainerSas(
        this,
        "example",
        {
          cacheControl: "max-age=5",
          connectionString: azurermStorageAccountStorage.primaryConnectionString,
          containerName: azurermStorageContainerContainer.name,
          contentDisposition: "inline",
          contentEncoding: "deflate",
          contentLanguage: "en-US",
          contentType: "application/json",
          expiry: "2018-03-21",
          httpsOnly: true,
          ipAddress: "168.1.5.65",
          permissions: [
            {
              add: true,
              create: false,
              delete: true,
              list: true,
              read: true,
              write: false,
            },
          ],
          start: "2018-03-21",
        }
      );
    // The SAS is a bearer credential: mark the output sensitive so it is
    // not printed by plan/apply. It is still stored in the Terraform state.
    new cdktf.TerraformOutput(this, "sas_url_query_string", {
      sensitive: true,
      value: dataAzurermStorageAccountBlobContainerSasExample.sas,
    });
  }
}

Argument Reference

  • connectionString - The connection string for the storage account to which this SAS applies. Typically taken directly from the primaryConnectionString attribute of a Terraform-created azurermStorageAccount resource.

  • containerName - Name of the container.

  • httpsOnly - (Optional) Only permit https access. If false, both http and https are permitted. Defaults to true.

  • ipAddress - (Optional) Single IPv4 address or range (connected with a dash) of IPv4 addresses.

  • start - The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.

  • expiry - The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.

NOTE: The ISO-8601 time offset from UTC is currently not supported by the service; using one results in a 409 error.

  • permissions - A permissions block as defined below.

  • cacheControl - (Optional) The Cache-Control response header that is sent when this SAS token is used.

  • contentDisposition - (Optional) The Content-Disposition response header that is sent when this SAS token is used.

  • contentEncoding - (Optional) The Content-Encoding response header that is sent when this SAS token is used.

  • contentLanguage - (Optional) The Content-Language response header that is sent when this SAS token is used.

  • contentType - (Optional) The Content-Type response header that is sent when this SAS token is used.


A permissions block contains:

  • read - Should Read permissions be enabled for this SAS?

  • add - Should Add permissions be enabled for this SAS?

  • create - Should Create permissions be enabled for this SAS?

  • write - Should Write permissions be enabled for this SAS?

  • delete - Should Delete permissions be enabled for this SAS?

  • list - Should List permissions be enabled for this SAS?

Refer to the SAS creation reference from Azure for additional details on the fields above.

Attributes Reference

  • sas - The computed Blob Container Shared Access Signature (SAS).
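
The sas value is a query string whose fields mirror the arguments above, so it can be checked against a least-privilege policy before it is handed to a consumer. The following is an added example, not part of the provider or its documentation: auditContainerSas, its parameters and the sample tokens are constructed for illustration, and the field names (spr, sip, st, se, sp) are those of the Azure service SAS format.

```typescript
// Added example (not provider code): audit a container SAS query string.
interface SasFinding { field: string; issue: string; }

function auditContainerSas(
  sas: string, now: Date, maxLifetimeHours: number, allowedPerms: string
): SasFinding[] {
  const q = new URLSearchParams(sas.replace(/^\?/, ""));
  const findings: SasFinding[] = [];
  // spr lists the permitted protocols: "https" or "https,http".
  if (q.get("spr") !== "https") {
    findings.push({ field: "spr", issue: "HTTP is permitted" });
  }
  // sip is present only when a source IP or range was set.
  if (!q.has("sip")) {
    findings.push({ field: "sip", issue: "no source IP restriction" });
  }
  // Validity window: st is optional, so fall back to `now` when it is absent.
  const st = q.get("st");
  const start = st ? new Date(st) : now;
  const expiry = new Date(q.get("se") ?? "");
  const hours = (expiry.getTime() - start.getTime()) / 3600000;
  if (isNaN(hours) || hours <= 0) {
    findings.push({ field: "se", issue: "expiry missing, unparsable or not after start" });
  } else if (expiry.getTime() <= now.getTime()) {
    findings.push({ field: "se", issue: "already expired" });
  } else if (hours > maxLifetimeHours) {
    findings.push({ field: "se", issue: `valid for ${hours}h, limit is ${maxLifetimeHours}h` });
  }
  // sp holds one letter per granted permission (r, a, c, w, d, l).
  const extra = (q.get("sp") ?? "").split("").filter((p) => allowedPerms.indexOf(p) < 0);
  if (extra.length > 0) {
    findings.push({ field: "sp", issue: `grants ${extra.join("")} beyond ${allowedPerms}` });
  }
  return findings;
}

// Constructed sample tokens; the signature is a placeholder, not a real one.
const TIGHT_SAS = "?sv=2018-11-09&sr=c&st=2024-01-01T00:00:00Z&se=2024-01-01T01:00:00Z" +
  "&sp=rl&sip=168.1.5.65&spr=https&sig=PLACEHOLDER";
const LOOSE_SAS = "?sv=2018-11-09&sr=c&st=2024-01-01T00:00:00Z&se=2025-01-01T00:00:00Z" +
  "&sp=radl&spr=https,http&sig=PLACEHOLDER";
const NOW = new Date("2024-01-01T00:10:00Z");

console.log(auditContainerSas(TIGHT_SAS, NOW, 2, "rl"));
console.log(auditContainerSas(LOOSE_SAS, NOW, 2, "rl"));
```

The check reads only the unsigned fields; it does not validate the signature, which only the storage service can do.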

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • read - (Defaults to 5 minutes) Used when retrieving the Blob Container.