
Data Source: azurermStorageAccountSas

Use this data source to obtain a Shared Access Signature (SAS Token) for an existing Storage Account.

Shared access signatures allow fine-grained, ephemeral access control to various aspects of an Azure Storage Account.

Note that this is an account SAS and not a service SAS: it is signed with the storage account key and can cover the blob, queue, table and file services of one account, whereas a service SAS is scoped to a single resource within one service.

Example Usage

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*This snippet runs inside the constructor of a TerraformStack, so `this` is the stack.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "resourceGroupName",
  }
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  {
    accountReplicationType: "GRS",
    accountTier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "storageaccountname",
    resourceGroupName: azurermResourceGroupExample.name,
    tags: {
      environment: "staging",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const dataAzurermStorageAccountSasExample =
  new azurerm.dataAzurermStorageAccountSas.DataAzurermStorageAccountSas(
    this,
    "example_2",
    {
      /*The connection string carries the account key that signs the SAS.*/
      connectionString: azurermStorageAccountExample.primaryConnectionString,
      /*Fixed dates kept from the original example. A SAS whose expiry is already in the past is useless; use a short window that ends in the future.*/
      expiry: "2020-03-21T00:00:00Z",
      httpsOnly: true,
      /*Least privilege: enable only the operations the consumer needs.*/
      permissions: {
        add: true,
        create: true,
        delete: false,
        filter: false,
        list: false,
        process: false,
        read: true,
        tag: false,
        update: false,
        write: true,
      },
      /*Scope: service-level operations only; no container- or object-level access.*/
      resourceTypes: {
        container: false,
        object: false,
        service: true,
      },
      services: {
        blob: true,
        file: false,
        queue: false,
        table: false,
      },
      signedVersion: "2017-07-29",
      start: "2018-03-21T00:00:00Z",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAzurermStorageAccountSasExample.overrideLogicalId("example");
new cdktf.TerraformOutput(this, "sas_url_query_string", {
  value: dataAzurermStorageAccountSasExample.sas,
  /*The token grants access on its own; keep it out of plan and apply output.*/
  sensitive: true,
});

Argument Reference

  • connectionString - The connection string for the storage account to which this SAS applies, typically taken directly from the primaryConnectionString attribute of a Terraform-created azurermStorageAccount resource. The connection string contains the account key, which is the key that signs the SAS; anyone holding it can mint tokens of any scope, so treat it as a secret.
  • httpsOnly - (Optional) Only permit https access. If false, both http and https are permitted. Defaults to true.
  • ipAddresses - (Optional) IP address, or a range of IP addresses, from which to accept requests. When specifying a range, note that the range is inclusive.
  • signedVersion - (Optional) Specifies the signed storage service version used to authorize requests made with this account SAS. Defaults to 2017-07-29.
  • resourceTypes - A resourceTypes block as defined below.
  • services - A services block as defined below.
  • start - The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
  • expiry - The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.

-> NOTE: An ISO-8601 time offset from UTC is currently not supported by the service and results in a 409 error. Express start and expiry in UTC with a Z suffix, as in the example above.

  • permissions - A permissions block as defined below.

resourceTypes is a set of true/false flags which define the storage account resource types (API levels) that are granted access by this SAS. This can be thought of as the scope over which the permissions apply. The three levels are not nested: service grants only service-level operations (for example listing containers or reading service properties), container grants only container-level operations (for example creating a container or listing its blobs), and object grants only operations on individual blobs, files, messages or entities. Grant only the levels the consumer actually needs.

A resourceTypes block contains:

  • service - Should permission be granted to service-level operations?
  • container - Should permission be granted to container-level operations?
  • object - Should permission be granted to operations on individual objects?

services is a set of true/false flags which define the storage account services that are granted access by this SAS.

A services block contains:

  • blob - Should permission be granted to blob services within this storage account?
  • queue - Should permission be granted to queue services within this storage account?
  • table - Should permission be granted to table services within this storage account?
  • file - Should permission be granted to file services within this storage account?

A permissions block contains:

  • read - Should Read permissions be enabled for this SAS?
  • write - Should Write permissions be enabled for this SAS?
  • delete - Should Delete permissions be enabled for this SAS?
  • list - Should List permissions be enabled for this SAS?
  • add - Should Add permissions be enabled for this SAS?
  • create - Should Create permissions be enabled for this SAS?
  • update - Should Update permissions be enabled for this SAS?
  • process - Should Process permissions be enabled for this SAS?
  • tag - Should Get / Set Index Tags permissions be enabled for this SAS?
  • filter - Should Filter by Index Tags permissions be enabled for this SAS?

Refer to the SAS creation reference from Azure for additional details on the fields above.
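The flag-to-letter mapping and the signing step that the permissions, services, resourceTypes, start/expiry and httpsOnly arguments above describe, as an added example written for this page (not the provider's code, and not a replacement for the data source): it builds an account SAS locally with Node's crypto module from a constructed key, so the sp, ss and srt strings and the string-to-sign are visible, and it rejects the two inputs the text warns about (a UTC offset in a timestamp, and an expiry that is not after start). The letter order in the tables and the nine-field string-to-sign for signed version 2017-07-29 are assumptions to verify against the Azure account SAS reference for the version you sign with; the account name, flags and dates come from the example above, and the key is a placeholder.

```typescript
import * as crypto from "crypto";

type PermissionFlags = Partial<Record<
  "read" | "write" | "delete" | "list" | "add" | "create" | "update" | "process" | "tag" | "filter",
  boolean
>>;
type ServiceFlags = Partial<Record<"blob" | "queue" | "table" | "file", boolean>>;
type ResourceTypeFlags = Partial<Record<"service" | "container" | "object", boolean>>;

// Mirrors the data source's arguments, with accountName/accountKey in place of the connection string.
export interface AccountSasOptions {
  accountName: string;
  accountKey: string;         // base64 account key (the AccountKey= part of the connection string)
  permissions: PermissionFlags;
  services: ServiceFlags;
  resourceTypes: ResourceTypeFlags;
  start: string;              // ISO-8601 UTC with a Z suffix
  expiry: string;
  httpsOnly?: boolean;        // defaults to true, as in the data source
  ipAddresses?: string;       // optional single IP or inclusive "a.b.c.d-w.x.y.z" range
  signedVersion?: string;     // defaults to 2017-07-29, as in the data source
}

// Flag-to-letter tables. The letter order is an assumption; verify it against the Azure reference.
const PERMISSION_LETTERS: Array<[keyof PermissionFlags, string]> = [
  ["read", "r"], ["write", "w"], ["delete", "d"], ["list", "l"], ["add", "a"],
  ["create", "c"], ["update", "u"], ["process", "p"], ["tag", "t"], ["filter", "f"],
];
const SERVICE_LETTERS: Array<[keyof ServiceFlags, string]> = [
  ["blob", "b"], ["queue", "q"], ["table", "t"], ["file", "f"],
];
const RESOURCE_LETTERS: Array<[keyof ResourceTypeFlags, string]> = [
  ["service", "s"], ["container", "c"], ["object", "o"],
];

function letters<K extends string>(flags: Partial<Record<K, boolean>>, table: Array<[K, string]>): string {
  return table.filter(([key]) => flags[key] === true).map(([, letter]) => letter).join("");
}
export const permissionString = (p: PermissionFlags): string => letters(p, PERMISSION_LETTERS);
export const serviceString = (s: ServiceFlags): string => letters(s, SERVICE_LETTERS);
export const resourceTypeString = (r: ResourceTypeFlags): string => letters(r, RESOURCE_LETTERS);

// Only the Z form is accepted: the service answers an explicit UTC offset with a 409.
const UTC_TIMESTAMP = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$/;

function protocol(o: AccountSasOptions): string {
  return o.httpsOnly === false ? "https,http" : "https";
}

function validate(o: AccountSasOptions): void {
  for (const [label, value] of [["start", o.start], ["expiry", o.expiry]] as const) {
    if (!UTC_TIMESTAMP.test(value)) throw new Error(`${label} must be ISO-8601 UTC ending in Z, got ${value}`);
  }
  // Fixed-width UTC timestamps compare correctly as plain strings.
  if (o.expiry <= o.start) throw new Error("expiry must be later than start");
  if (!permissionString(o.permissions) || !serviceString(o.services) || !resourceTypeString(o.resourceTypes)) {
    throw new Error("at least one permission, one service and one resource type must be granted");
  }
}

// String-to-sign for account SAS versions before 2020-12-06: nine newline-terminated fields (assumption).
export function buildStringToSign(o: AccountSasOptions): string {
  return [
    o.accountName,
    permissionString(o.permissions),
    serviceString(o.services),
    resourceTypeString(o.resourceTypes),
    o.start,
    o.expiry,
    o.ipAddresses ?? "",
    protocol(o),
    o.signedVersion ?? "2017-07-29",
  ].join("\n") + "\n";
}

// Returns the SAS query string (the part after "?" on a storage URL): the signed fields plus
// sig = Base64(HMAC-SHA256(key, string-to-sign)) with the base64-decoded account key.
export function computeAccountSas(o: AccountSasOptions): string {
  validate(o);
  const key = Buffer.from(o.accountKey, "base64");
  const sig = crypto.createHmac("sha256", key).update(buildStringToSign(o), "utf8").digest("base64");
  const params: Array<[string, string]> = [
    ["sv", o.signedVersion ?? "2017-07-29"],
    ["ss", serviceString(o.services)],
    ["srt", resourceTypeString(o.resourceTypes)],
    ["sp", permissionString(o.permissions)],
    ["st", o.start],
    ["se", o.expiry],
  ];
  if (o.ipAddresses) params.push(["sip", o.ipAddresses]);
  params.push(["spr", protocol(o)], ["sig", sig]);
  return params.map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("&");
}

// Constructed inputs matching the example above; the key is a placeholder, not a real account key.
export const EXAMPLE: AccountSasOptions = {
  accountName: "storageaccountname",
  accountKey: Buffer.alloc(64, 0x41).toString("base64"),
  permissions: { read: true, write: true, add: true, create: true },
  services: { blob: true },
  resourceTypes: { service: true },
  start: "2018-03-21T00:00:00Z",
  expiry: "2020-03-21T00:00:00Z",
  httpsOnly: true,
  signedVersion: "2017-07-29",
};
```

For the example's flags, computeAccountSas(EXAMPLE) yields sp=rwac, ss=b and srt=s: with only the service resource type, this token can list containers but cannot read or write a single blob, which is the point of choosing resource types deliberately. Anything that can compute this locally holds the account key, so the value of the data source is that the key stays in Terraform and only the scoped token reaches the consumer.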

Attributes Reference

  • sas - The computed account Shared Access Signature (SAS), as a query string for use on a storage URL. It is derived from the account key and is persisted in plaintext in Terraform state, so protect the state file as you would the key itself, and mark any output that exposes it as sensitive.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • read - (Defaults to 5 minutes) Used when retrieving the SAS Token.