How to: Create SAS with multiple permissions in Pulumi
In Pulumi, when calling pulumi_azure_native.storage.list_storage_account_service_sas_output() to generate a SAS, you pass the required permissions to the permissions: Input[str | Permissions | None] parameter. pulumi_azure_native.storage.Permissions is an enum, offering simple selections (R, L etc.):
    import pulumi
    import pulumi_azure_native as azure_native

    # resource_group, storage_account and app_container are resources
    # defined earlier in the same Pulumi program.

    # Create a shared access signature scoped to the container
    app_container_signature = (
        pulumi.Output.all(resource_group.name, storage_account.name, app_container.name)
        .apply(
            lambda args: azure_native.storage.list_storage_account_service_sas_output(
                resource_group_name=args[0],
                account_name=args[1],
                protocols=azure_native.storage.HttpProtocol.HTTPS,
                shared_access_start_time="2022-01-01",
                shared_access_expiry_time="2030-01-01",
                resource=azure_native.storage.SignedResource.C,
                permissions=azure_native.storage.Permissions.R,
                content_type="application/json",
                cache_control="max-age=5",
                content_disposition="inline",
                content_encoding="deflate",
                canonicalized_resource=f"/blob/{args[1]}/{args[2]}",
            )
        )
        # Mark the token as a secret so it is encrypted in state and masked in output
        .apply(lambda result: pulumi.Output.secret(result.service_sas_token))
    )
But you can also pass a string of permissions, any of R, L, D, W, C, A, or P, depending on the actions you want to allow for the SAS. This allows you to specify permissions for reading (R), listing (L), deleting (D), writing (W), creating (C), adding (A), or processing (P) blobs within the container, such as permissions="RWL":
    app_container_signature = (
        pulumi.Output.all(resource_group.name, storage_account.name, app_container.name)
        .apply(
            lambda args: azure_native.storage.list_storage_account_service_sas_output(
                resource_group_name=args[0],
                account_name=args[1],
                protocols=azure_native.storage.HttpProtocol.HTTPS,
                shared_access_start_time="2022-01-01",
                shared_access_expiry_time="2030-01-01",
                resource=azure_native.storage.SignedResource.C,
                permissions="RWL",
                content_type="application/json",
                cache_control="max-age=5",
                content_disposition="inline",
                content_encoding="deflate",
                canonicalized_resource=f"/blob/{args[1]}/{args[2]}",
            )
        )
        .apply(lambda result: pulumi.Output.secret(result.service_sas_token))
    )
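
An added example, not code from the original post: a plain-Python helper that builds the permissions string from named actions using the letters listed above, and produces a short start/expiry window instead of a multi-year one. The function names, the MUTATING set and the 24-hour cap are assumptions chosen for illustration.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Permission letters exactly as listed in the post above.
SAS_LETTERS = {"read": "R", "list": "L", "delete": "D", "write": "W",
               "create": "C", "add": "A", "process": "P"}
# Assumption (hypothetical policy): letters that modify data get a lifetime cap.
MUTATING = frozenset("DWCA")
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"


def build_permissions(*actions: str) -> str:
    """Map action names to a de-duplicated permissions string, e.g. 'RWL'."""
    if not actions:
        raise ValueError("at least one action is required")
    letters: list[str] = []
    for action in actions:
        letter = SAS_LETTERS.get(action.lower())
        if letter is None:
            raise ValueError(f"unknown SAS action: {action!r}")
        if letter not in letters:
            letters.append(letter)
    return "".join(letters)


def sas_window(permissions: str, lifetime: timedelta,
               now: datetime | None = None,
               max_mutating: timedelta = timedelta(hours=24)) -> tuple[str, str]:
    """Return (start, expiry) as UTC strings, refusing risky combinations."""
    requested = set(permissions.upper())
    unknown = requested - set(SAS_LETTERS.values())
    if not requested or unknown:
        raise ValueError(f"invalid permissions string: {permissions!r}")
    if lifetime <= timedelta(0):
        raise ValueError("lifetime must be positive")
    if requested & MUTATING and lifetime > max_mutating:
        raise ValueError(f"{permissions!r} allows changes; keep lifetime <= {max_mutating}")
    start = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return start.strftime(ISO_UTC), (start + lifetime).strftime(ISO_UTC)


if __name__ == "__main__":
    perms = build_permissions("read", "write", "list")  # "RWL"
    print(perms, sas_window(perms, timedelta(hours=1)))
```

The returned values can be passed as permissions, shared_access_start_time and shared_access_expiry_time in the call shown above.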