Using Azure Storage with authorization

To use Azure Storage with authorization in Pulumi, we will create an Azure Storage Account and use Shared Access Signatures (SAS) for delegated access. We'll define a `StorageAccount` resource and a `Table` within that account, setting up a signed identifier and an access policy that will allow authorized access to the storage table.

Azure Storage Accounts provide a unique namespace to store and access your Azure Storage data objects. Tables in Azure Storage offer NoSQL capabilities and are suitable for storing structured, non-relational data. Shared Access Signatures enable you to provide limited access to objects in your storage account to other clients, without exposing your account keys.

Here's how you might write the TypeScript program with Pulumi to accomplish this task:
```typescript
import * as pulumi from '@pulumi/pulumi';
import * as azure_native from '@pulumi/azure-native';

// Create an Azure Resource Group
const resourceGroup = new azure_native.resources.ResourceGroup('my-resource-group');

// Create an Azure Storage Account
const storageAccount = new azure_native.storage.StorageAccount('mystorageaccount', {
    resourceGroupName: resourceGroup.name,
    kind: 'StorageV2',
    sku: {
        name: 'Standard_LRS', // Uses locally-redundant storage
    },
});

// Create an Azure Storage Table within the Storage Account
const storageTable = new azure_native.storage.Table('mytable', {
    resourceGroupName: resourceGroup.name,
    accountName: storageAccount.name,
    tableName: 'MyDataTable',
});

// Define a signed identifier with an access policy for the table
const tableSas = new azure_native.storage.SignedIdentifier('my-table-sas', {
    tableName: storageTable.name,
    accountName: storageAccount.name,
    resourceGroupName: resourceGroup.name,
    id: "mysas", // This is the identifier for the SAS
    accessPolicy: {
        startTime: "2023-01-01T01:00:00Z",
        expiryTime: "2024-01-01T01:00:00Z",
        permission: "raud", // Read, Add, Update, and Delete permissions
    },
});

// Export the connection string for the storage account, which includes the account key.
// It is wrapped in pulumi.secret so the key is encrypted in stack state and masked in CLI output.
export const connectionString = pulumi.secret(
    pulumi.all([resourceGroup.name, storageAccount.name]).apply(([resourceGroupName, accountName]) =>
        azure_native.storage.listStorageAccountKeys({ resourceGroupName, accountName }).then(keys =>
            `DefaultEndpointsProtocol=https;AccountName=${accountName};AccountKey=${keys.keys[0].value};EndpointSuffix=core.windows.net`
        )
    )
);

// Also export the SAS reference for delegated access. storageAccount.name and tableSas.id are
// Outputs, so they must be combined with pulumi.interpolate, not a plain template string.
// Note that the identifier on its own is not a signed token: a client SAS that references the
// stored access policy carries si=<id> together with a signature made with the account key.
export const sasToken = pulumi.interpolate`TableEndpoint=https://${storageAccount.name}.table.core.windows.net/;SharedAccessSignature=${tableSas.id}`;
```
In this program, we are accomplishing the following:

- We create an Azure Resource Group to provide a namespace for the Azure Storage Account.
- We then define a Storage Account with the `StorageV2` kind, which is a general-purpose account that supports blobs, files, queues, tables, and disks.
- We create a `Table` resource inside our `StorageAccount`, which represents the table where our data will be stored. We give it the name `MyDataTable`.
- We then define a `SignedIdentifier` resource, which allows us to create a Shared Access Signature (SAS) for our table. This provides access only to this specific table, with defined permissions, for a specified time window.
- Finally, we export the connection string for the storage account and the SAS token, allowing us to connect to the storage table with proper authorization using these credentials.
You can deploy this Pulumi program by saving the code into a TypeScript file, say `index.ts`. To deploy, run `pulumi up` via the Pulumi CLI, which will execute the deployment.

Keep in mind that SAS tokens should be protected, as they can grant access to the data in your storage account. In a real-world application, consider generating SAS tokens on an as-needed basis and distributing them securely to the clients that need access to storage resources.
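Minting a table SAS on demand that references the stored access policy, as an added example (not part of the original program or of the Pulumi provider): it builds the Table service SAS string-to-sign as documented in the Azure REST reference and signs it with Node's `crypto` module, using the account, table and `mysas` policy names from the program above and a constructed dummy account key. Leaving `sp`/`st`/`se` off the token and taking them from the policy is what makes the SAS revocable by editing or deleting the policy; `spr=https` is a choice made here. In production the `@azure/data-tables` SDK's `generateTableSas` performs this signing for you.

```typescript
import { createHmac } from "crypto";

// Names taken from the Pulumi program above; the key is a CONSTRUCTED dummy, not a real one.
const ACCOUNT_NAME = "mystorageaccount";
const TABLE_NAME = "MyDataTable";
const POLICY_ID = "mysas";
const DUMMY_ACCOUNT_KEY = Buffer.alloc(64, 7).toString("base64"); // constructed placeholder key
const SAS_VERSION = "2020-08-04";

// Table service SAS string-to-sign (12 newline-separated fields). When the SAS references a
// stored access policy via signedIdentifier, permissions/start/expiry are left empty both
// here and on the token: the policy supplies them when the service validates the request.
function tableSasStringToSign(account: string, table: string, policyId: string, version: string): string {
    const canonicalizedResource = `/table/${account}/${table.toLowerCase()}`;
    return [
        "",                    // signedPermissions  (from the stored access policy)
        "",                    // signedStart        (from the stored access policy)
        "",                    // signedExpiry       (from the stored access policy)
        canonicalizedResource, // canonicalizedResource
        policyId,              // signedIdentifier (si)
        "",                    // signedIP (no IP restriction)
        "https",               // signedProtocol (spr)
        version,               // signedVersion (sv)
        "", "", "", "",        // startpk, startrk, endpk, endrk (no key-range restriction)
    ].join("\n");
}

// Signature = Base64(HMAC-SHA256(Base64Decode(accountKey), UTF8(stringToSign))).
function generateTableSasForPolicy(account: string, accountKeyB64: string, table: string,
                                   policyId: string, version: string = SAS_VERSION): string {
    const stringToSign = tableSasStringToSign(account, table, policyId, version);
    const sig = createHmac("sha256", Buffer.from(accountKeyB64, "base64"))
        .update(stringToSign, "utf8")
        .digest("base64");
    // sv, si, tn and sig are the only query parameters needed for a policy-bound table SAS.
    const params = new URLSearchParams({ sv: version, si: policyId, tn: table, spr: "https", sig });
    return params.toString();
}

// Full table endpoint with the SAS appended; this is what a client would be handed.
function tableSasUrl(account: string, table: string, sas: string): string {
    return `https://${account}.table.core.windows.net/${table}?${sas}`;
}

const sas = generateTableSasForPolicy(ACCOUNT_NAME, DUMMY_ACCOUNT_KEY, TABLE_NAME, POLICY_ID);
console.log(tableSasUrl(ACCOUNT_NAME, TABLE_NAME, sas));
```

Because every token produced this way is bound to the `mysas` policy, rotating the account key or deleting the policy invalidates all of them at once, whereas an ad-hoc SAS with inline `sp`/`se` can only be revoked by rotating the key.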