Data Source: azurermStorageAccountSas
Use this data source to obtain a Shared Access Signature (SAS Token) for an existing Storage Account.
Shared access signatures allow fine-grained, ephemeral access control to various aspects of an Azure Storage Account.
Note that this is an Account SAS and not a Service SAS.
Example Usage
import * as cdktf from "cdktf";
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as azurerm from "./.gen/providers/azurerm";

// The generated bindings expose Terraform arguments in camelCase, and blocks limited to a
// single item (permissions, resourceTypes, services) are passed as plain objects, not arrays.
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "resourceGroupName",
  }
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  {
    accountReplicationType: "GRS",
    accountTier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "storageaccountname",
    resourceGroupName: azurermResourceGroupExample.name,
    tags: {
      environment: "staging",
    },
  }
);
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
azurermStorageAccountExample.overrideLogicalId("example");
const dataAzurermStorageAccountSasExample =
  new azurerm.dataAzurermStorageAccountSas.DataAzurermStorageAccountSas(
    this,
    "example_2",
    {
      connectionString: azurermStorageAccountExample.primaryConnectionString,
      expiry: "2020-03-21T00:00:00Z",
      httpsOnly: true,
      permissions: {
        add: true,
        create: true,
        delete: false,
        filter: false,
        list: false,
        process: false,
        read: true,
        tag: false,
        update: false,
        write: true,
      },
      resourceTypes: {
        container: false,
        object: false,
        service: true,
      },
      services: {
        blob: true,
        file: false,
        queue: false,
        table: false,
      },
      signedVersion: "2017-07-29",
      start: "2018-03-21T00:00:00Z",
    }
  );
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
dataAzurermStorageAccountSasExample.overrideLogicalId("example");
// The SAS query string is a bearer credential: anyone holding it gets the access configured above.
new cdktf.TerraformOutput(this, "sas_url_query_string", {
  value: dataAzurermStorageAccountSasExample.sas,
});
Argument Reference
connectionString - The connection string for the storage account to which this SAS applies. Typically taken directly from the primaryConnectionString attribute of a Terraform-created azurermStorageAccount resource.
httpsOnly - (Optional) Only permit https access. If false, both http and https are permitted. Defaults to true.
ipAddresses - (Optional) IP address, or a range of IP addresses, from which to accept requests. When specifying a range, note that the range is inclusive.
signedVersion - (Optional) Specifies the signed storage service version to use to authorize requests made with this account SAS. Defaults to 2017-07-29.
resourceTypes - A resourceTypes block as defined below.
services - A services block as defined below.
start - The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
expiry - The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
-> NOTE: An ISO-8601 time offset from UTC is currently not supported by the service and will result in a 409 error.
permissions - A permissions block as defined below.
resourceTypes is a set of true/false flags which define the storage account resource types that are granted access by this SAS. This can be thought of as the scope over which the permissions apply. A service has a larger scope (affecting all sub-resources) than an object.
A resourceTypes block contains:
service - Should permission be granted to the entire service?
container - Should permission be granted to the container?
object - Should permission be granted only to a specific object?
services is a set of true/false flags which define the storage account services that are granted access by this SAS.
A services block contains:
blob - Should permission be granted to blob services within this storage account?
queue - Should permission be granted to queue services within this storage account?
table - Should permission be granted to table services within this storage account?
file - Should permission be granted to file services within this storage account?
A permissions block contains:
read - Should Read permissions be enabled for this SAS?
write - Should Write permissions be enabled for this SAS?
delete - Should Delete permissions be enabled for this SAS?
list - Should List permissions be enabled for this SAS?
add - Should Add permissions be enabled for this SAS?
create - Should Create permissions be enabled for this SAS?
update - Should Update permissions be enabled for this SAS?
process - Should Process permissions be enabled for this SAS?
tag - Should Get / Set Index Tags permissions be enabled for this SAS?
filter - Should Filter by Index Tags permissions be enabled for this SAS?
Refer to the SAS creation reference from Azure for additional details on the fields above.
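The permissions, services and resourceTypes blocks above end up as one-letter codes in the sas query string. As an added example (not part of these docs or of the azurerm provider), this TypeScript decodes such a query string back into the block values and flags settings a reviewer would question; the parameter names are those of the Azure account-SAS format, and the 7-day lifetime threshold is an assumed local policy, not something Azure enforces.

```typescript
// Added example: decode the `sas` query string this data source emits and flag scope or
// lifetime settings a reviewer would question. Parameter names follow the Azure account-SAS format.
const PERMISSION_CODES: Record<string, string> = {
  r: "read", w: "write", d: "delete", l: "list", a: "add",
  c: "create", u: "update", p: "process", t: "tag", f: "filter",
};
const SERVICE_CODES: Record<string, string> = { b: "blob", q: "queue", t: "table", f: "file" };
const RESOURCE_TYPE_CODES: Record<string, string> = { s: "service", c: "container", o: "object" };

// Split "a=b&c=d" into a map; the leading "?" the data source emits is tolerated.
function parseQuery(sas: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const pair of sas.replace(/^\?/, "").split("&")) {
    const i = pair.indexOf("=");
    if (i > 0) out[decodeURIComponent(pair.slice(0, i))] = decodeURIComponent(pair.slice(i + 1));
  }
  return out;
}

// Expand one-letter codes into names; unknown letters are surfaced rather than dropped.
function decode(codes: string, table: Record<string, string>): string[] {
  return codes.split("").map((c) => table[c] ?? `unknown(${c})`);
}

// maxLifetimeDays is an assumed local review threshold, not a limit Azure enforces.
export function auditAccountSas(sas: string, maxLifetimeDays = 7) {
  const q = parseQuery(sas);
  const lifetimeDays = (Date.parse(q.se ?? "") - Date.parse(q.st ?? "")) / 86400000;
  const permissions = decode(q.sp ?? "", PERMISSION_CODES);
  const resourceTypes = decode(q.srt ?? "", RESOURCE_TYPE_CODES);
  const httpsOnly = q.spr === "https"; // an absent spr means both http and https are accepted
  const warnings: string[] = [];
  if (!httpsOnly) warnings.push("token is accepted over plain http");
  if (!(lifetimeDays <= maxLifetimeDays)) warnings.push(`lifetime of ${lifetimeDays} days exceeds ${maxLifetimeDays}`);
  if (permissions.includes("delete")) warnings.push("delete permission granted");
  if (resourceTypes.length === 3) warnings.push("service, container and object all in scope");
  if (!q.sip) warnings.push("no source IP restriction (sip)");
  return {
    signedVersion: q.sv ?? "",
    services: decode(q.ss ?? "", SERVICE_CODES),
    resourceTypes, permissions, httpsOnly, lifetimeDays, warnings,
  };
}

// Constructed sample using the values from the Example Usage above; `sig` is a placeholder, not a real HMAC.
export const SAMPLE_SAS =
  "?sv=2017-07-29&ss=b&srt=s&sp=rwac&st=2018-03-21T00:00:00Z&se=2020-03-21T00:00:00Z&spr=https&sig=PLACEHOLDER";
```

Run `auditAccountSas(SAMPLE_SAS)` to see the two-year lifetime and the missing IP restriction reported for the page's own example settings.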
Attributes Reference
sas - The computed Account Shared Access Signature (SAS).
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
read - (Defaults to 5 minutes) Used when retrieving the SAS Token.