» Data Source: azurerm_storage_account_sas
Use this data source to obtain a Shared Access Signature (SAS Token) for an existing Storage Account.
Shared access signatures allow fine-grained, ephemeral access control to various aspects of an Azure Storage Account.
Note that this is an Account SAS and not a Service SAS.
» Example Usage
resource "azurerm_resource_group" "testrg" {
name = "resourceGroupName"
location = "westus"
}
resource "azurerm_storage_account" "testsa" {
name = "storageaccountname"
resource_group_name = "${azurerm_resource_group.testrg.name}"
location = "westus"
account_tier = "Standard"
account_replication_type = "GRS"
tags = {
environment = "staging"
}
}
data "azurerm_storage_account_sas" "test" {
connection_string = "${azurerm_storage_account.testsa.primary_connection_string}"
https_only = true
resource_types {
service = true
container = false
object = false
}
services {
blob = true
queue = false
table = false
file = false
}
start = "2018-03-21"
expiry = "2020-03-21"
permissions {
read = true
write = true
delete = false
list = false
add = true
create = true
update = false
process = false
}
}
output "sas_url_query_string" {
value = "${data.azurerm_storage_account_sas.test.sas}"
}
» Argument Reference
-
connection_string- (Required) The connection string for the storage account to which this SAS applies. Typically directly from theprimary_connection_stringattribute of a terraform createdazurerm_storage_accountresource. -
https_only- (Optional) Only permithttpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. -
resource_types- (Required) Aresource_typesblock as defined below. -
services- (Required) Aservicesblock as defined below. -
start- (Required) The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string. -
expiry- (Required) The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string. -
permissions- (Required) Apermissionsblock as defined below.
resource_types is a set of true/false flags which define the storage account resource types that are granted
access by this SAS. This can be thought of as the scope over which the permissions apply. A service will have
larger scope (affecting all sub-resources) than object.
A resource_types block contains:
-
service- (Required) Should permission be granted to the entire service? -
container- (Required) Should permission be granted to the container? -
object- (Required) Should permission be granted only to a specific object?
services is a set of true/false flags which define the storage account services that are granted access by this SAS.
A services block contains:
-
blob- (Required) Should permission be granted toblobservices within this storage account? -
queue- (Required) Should permission be granted toqueueservices within this storage account? -
table- (Required) Should permission be granted totableservices within this storage account? -
file- (Required) Should permission be granted tofileservices within this storage account?
A permissions block contains:
-
read- (Required) Should Read permissions be enabled for this SAS? -
write- (Required) Should Write permissions be enabled for this SAS? -
delete- (Required) Should Delete permissions be enabled for this SAS? -
list- (Required) Should List permissions be enabled for this SAS? -
add- (Required) Should Add permissions be enabled for this SAS? -
create- (Required) Should Create permissions be enabled for this SAS? -
update- (Required) Should Update permissions be enabled for this SAS? -
process- (Required) Should Process permissions be enabled for this SAS?
Refer to the SAS creation reference from Azure for additional details on the fields above.
» Attributes Reference
-
sas- The computed Account Shared Access Signature (SAS).