We recommend using Azure Native.
Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
published on Monday, Mar 9, 2026 by Pulumi
We recommend using Azure Native.
Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
published on Monday, Mar 9, 2026 by Pulumi
Use this data source to obtain a Shared Access Signature (SAS Token) for an existing Storage Account Blob Container.
Shared access signatures allow fine-grained, ephemeral access control to various aspects of an Azure Storage Account Blob Container.
Example Usage
using Pulumi;
using Azure = Pulumi.Azure;
class MyStack : Stack
{
public MyStack()
{
var rg = new Azure.Core.ResourceGroup("rg", new Azure.Core.ResourceGroupArgs
{
Location = "West Europe",
});
var storage = new Azure.Storage.Account("storage", new Azure.Storage.AccountArgs
{
ResourceGroupName = rg.Name,
Location = rg.Location,
AccountTier = "Standard",
AccountReplicationType = "LRS",
});
var container = new Azure.Storage.Container("container", new Azure.Storage.ContainerArgs
{
StorageAccountName = storage.Name,
ContainerAccessType = "private",
});
var example = Azure.Storage.GetAccountBlobContainerSAS.Invoke(new Azure.Storage.GetAccountBlobContainerSASInvokeArgs
{
ConnectionString = storage.PrimaryConnectionString,
ContainerName = container.Name,
HttpsOnly = true,
IpAddress = "168.1.5.65",
Start = "2018-03-21",
Expiry = "2018-03-21",
Permissions = new Azure.Storage.Inputs.GetAccountBlobContainerSASPermissionsInputArgs
{
Read = true,
Add = true,
Create = false,
Write = false,
Delete = true,
List = true,
},
CacheControl = "max-age=5",
ContentDisposition = "inline",
ContentEncoding = "deflate",
ContentLanguage = "en-US",
ContentType = "application/json",
});
this.SasUrlQueryString = example.Apply(example => example.Sas);
}
[Output("sasUrlQueryString")]
public Output<string> SasUrlQueryString { get; set; }
}
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/storage"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
rg, err := core.NewResourceGroup(ctx, "rg", &core.ResourceGroupArgs{
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
storage, err := storage.NewAccount(ctx, "storage", &storage.AccountArgs{
ResourceGroupName: rg.Name,
Location: rg.Location,
AccountTier: pulumi.String("Standard"),
AccountReplicationType: pulumi.String("LRS"),
})
if err != nil {
return err
}
container, err := storage.NewContainer(ctx, "container", &storage.ContainerArgs{
StorageAccountName: storage.Name,
ContainerAccessType: pulumi.String("private"),
})
if err != nil {
return err
}
example := storage.GetAccountBlobContainerSASOutput(ctx, storage.GetAccountBlobContainerSASOutputArgs{
ConnectionString: storage.PrimaryConnectionString,
ContainerName: container.Name,
HttpsOnly: pulumi.Bool(true),
IpAddress: pulumi.String("168.1.5.65"),
Start: pulumi.String("2018-03-21"),
Expiry: pulumi.String("2018-03-21"),
Permissions: &storage.GetAccountBlobContainerSASPermissionsArgs{
Read: pulumi.Bool(true),
Add: pulumi.Bool(true),
Create: pulumi.Bool(false),
Write: pulumi.Bool(false),
Delete: pulumi.Bool(true),
List: pulumi.Bool(true),
},
CacheControl: pulumi.String("max-age=5"),
ContentDisposition: pulumi.String("inline"),
ContentEncoding: pulumi.String("deflate"),
ContentLanguage: pulumi.String("en-US"),
ContentType: pulumi.String("application/json"),
}, nil)
ctx.Export("sasUrlQueryString", example.ApplyT(func(example storage.GetAccountBlobContainerSASResult) (string, error) {
return example.Sas, nil
}).(pulumi.StringOutput))
return nil
})
}
Example coming soon!
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const rg = new azure.core.ResourceGroup("rg", {location: "West Europe"});
const storage = new azure.storage.Account("storage", {
resourceGroupName: rg.name,
location: rg.location,
accountTier: "Standard",
accountReplicationType: "LRS",
});
const container = new azure.storage.Container("container", {
storageAccountName: storage.name,
containerAccessType: "private",
});
const example = azure.storage.getAccountBlobContainerSASOutput({
connectionString: storage.primaryConnectionString,
containerName: container.name,
httpsOnly: true,
ipAddress: "168.1.5.65",
start: "2018-03-21",
expiry: "2018-03-21",
permissions: {
read: true,
add: true,
create: false,
write: false,
"delete": true,
list: true,
},
cacheControl: "max-age=5",
contentDisposition: "inline",
contentEncoding: "deflate",
contentLanguage: "en-US",
contentType: "application/json",
});
export const sasUrlQueryString = example.apply(example => example.sas);
import pulumi
import pulumi_azure as azure
rg = azure.core.ResourceGroup("rg", location="West Europe")
storage = azure.storage.Account("storage",
resource_group_name=rg.name,
location=rg.location,
account_tier="Standard",
account_replication_type="LRS")
container = azure.storage.Container("container",
storage_account_name=storage.name,
container_access_type="private")
example = azure.storage.get_account_blob_container_sas_output(connection_string=storage.primary_connection_string,
container_name=container.name,
https_only=True,
ip_address="168.1.5.65",
start="2018-03-21",
expiry="2018-03-21",
permissions=azure.storage.GetAccountBlobContainerSASPermissionsArgs(
read=True,
add=True,
create=False,
write=False,
delete=True,
list=True,
),
cache_control="max-age=5",
content_disposition="inline",
content_encoding="deflate",
content_language="en-US",
content_type="application/json")
pulumi.export("sasUrlQueryString", example.sas)
Example coming soon!
Using getAccountBlobContainerSAS
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAccountBlobContainerSAS(args: GetAccountBlobContainerSASArgs, opts?: InvokeOptions): Promise<GetAccountBlobContainerSASResult>
function getAccountBlobContainerSASOutput(args: GetAccountBlobContainerSASOutputArgs, opts?: InvokeOptions): Output<GetAccountBlobContainerSASResult>def get_account_blob_container_sas(cache_control: Optional[str] = None,
connection_string: Optional[str] = None,
container_name: Optional[str] = None,
content_disposition: Optional[str] = None,
content_encoding: Optional[str] = None,
content_language: Optional[str] = None,
content_type: Optional[str] = None,
expiry: Optional[str] = None,
https_only: Optional[bool] = None,
ip_address: Optional[str] = None,
permissions: Optional[GetAccountBlobContainerSASPermissions] = None,
start: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetAccountBlobContainerSASResult
def get_account_blob_container_sas_output(cache_control: Optional[pulumi.Input[str]] = None,
connection_string: Optional[pulumi.Input[str]] = None,
container_name: Optional[pulumi.Input[str]] = None,
content_disposition: Optional[pulumi.Input[str]] = None,
content_encoding: Optional[pulumi.Input[str]] = None,
content_language: Optional[pulumi.Input[str]] = None,
content_type: Optional[pulumi.Input[str]] = None,
expiry: Optional[pulumi.Input[str]] = None,
https_only: Optional[pulumi.Input[bool]] = None,
ip_address: Optional[pulumi.Input[str]] = None,
permissions: Optional[pulumi.Input[GetAccountBlobContainerSASPermissionsArgs]] = None,
start: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAccountBlobContainerSASResult]func GetAccountBlobContainerSAS(ctx *Context, args *GetAccountBlobContainerSASArgs, opts ...InvokeOption) (*GetAccountBlobContainerSASResult, error)
func GetAccountBlobContainerSASOutput(ctx *Context, args *GetAccountBlobContainerSASOutputArgs, opts ...InvokeOption) GetAccountBlobContainerSASResultOutput> Note: This function is named GetAccountBlobContainerSAS in the Go SDK.
public static class GetAccountBlobContainerSAS
{
public static Task<GetAccountBlobContainerSASResult> InvokeAsync(GetAccountBlobContainerSASArgs args, InvokeOptions? opts = null)
public static Output<GetAccountBlobContainerSASResult> Invoke(GetAccountBlobContainerSASInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetAccountBlobContainerSASResult> getAccountBlobContainerSAS(GetAccountBlobContainerSASArgs args, InvokeOptions options)
public static Output<GetAccountBlobContainerSASResult> getAccountBlobContainerSAS(GetAccountBlobContainerSASArgs args, InvokeOptions options)
fn::invoke:
function: azure:storage/getAccountBlobContainerSAS:getAccountBlobContainerSAS
arguments:
# arguments dictionaryThe following arguments are supported:
- Connection
String string - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of anazure.storage.Accountresource. - Container
Name string - Name of the container.
- Expiry string
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- Permissions
Get
Account Blob Container SASPermissions - A
permissionsblock as defined below. - Start string
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- Cache
Control string - The
Cache-Controlresponse header that is sent when this SAS token is used. - Content
Disposition string - The
Content-Dispositionresponse header that is sent when this SAS token is used. - Content
Encoding string - The
Content-Encodingresponse header that is sent when this SAS token is used. - Content
Language string - The
Content-Languageresponse header that is sent when this SAS token is used. - Content
Type string - The
Content-Typeresponse header that is sent when this SAS token is used. - Https
Only bool - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - Ip
Address string - Single ipv4 address or range (connected with a dash) of ipv4 addresses.
- Connection
String string - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of anazure.storage.Accountresource. - Container
Name string - Name of the container.
- Expiry string
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- Permissions
Get
Account Blob Container SASPermissions - A
permissionsblock as defined below. - Start string
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- Cache
Control string - The
Cache-Controlresponse header that is sent when this SAS token is used. - Content
Disposition string - The
Content-Dispositionresponse header that is sent when this SAS token is used. - Content
Encoding string - The
Content-Encodingresponse header that is sent when this SAS token is used. - Content
Language string - The
Content-Languageresponse header that is sent when this SAS token is used. - Content
Type string - The
Content-Typeresponse header that is sent when this SAS token is used. - Https
Only bool - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - Ip
Address string - Single ipv4 address or range (connected with a dash) of ipv4 addresses.
- connection
String String - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of anazure.storage.Accountresource. - container
Name String - Name of the container.
- expiry String
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- permissions
Get
Account Blob Container SASPermissions - A
permissionsblock as defined below. - start String
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- cache
Control String - The
Cache-Controlresponse header that is sent when this SAS token is used. - content
Disposition String - The
Content-Dispositionresponse header that is sent when this SAS token is used. - content
Encoding String - The
Content-Encodingresponse header that is sent when this SAS token is used. - content
Language String - The
Content-Languageresponse header that is sent when this SAS token is used. - content
Type String - The
Content-Typeresponse header that is sent when this SAS token is used. - https
Only Boolean - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - ip
Address String - Single ipv4 address or range (connected with a dash) of ipv4 addresses.
- connection
String string - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of anazure.storage.Accountresource. - container
Name string - Name of the container.
- expiry string
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- permissions
Get
Account Blob Container SASPermissions - A
permissionsblock as defined below. - start string
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- cache
Control string - The
Cache-Controlresponse header that is sent when this SAS token is used. - content
Disposition string - The
Content-Dispositionresponse header that is sent when this SAS token is used. - content
Encoding string - The
Content-Encodingresponse header that is sent when this SAS token is used. - content
Language string - The
Content-Languageresponse header that is sent when this SAS token is used. - content
Type string - The
Content-Typeresponse header that is sent when this SAS token is used. - https
Only boolean - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - ip
Address string - Single ipv4 address or range (connected with a dash) of ipv4 addresses.
- connection_
string str - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of anazure.storage.Accountresource. - container_
name str - Name of the container.
- expiry str
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- permissions
Get
Account Blob Container SASPermissions - A
permissionsblock as defined below. - start str
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- cache_
control str - The
Cache-Controlresponse header that is sent when this SAS token is used. - content_
disposition str - The
Content-Dispositionresponse header that is sent when this SAS token is used. - content_
encoding str - The
Content-Encodingresponse header that is sent when this SAS token is used. - content_
language str - The
Content-Languageresponse header that is sent when this SAS token is used. - content_
type str - The
Content-Typeresponse header that is sent when this SAS token is used. - https_
only bool - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - ip_
address str - Single ipv4 address or range (connected with a dash) of ipv4 addresses.
- connection
String String - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of anazure.storage.Accountresource. - container
Name String - Name of the container.
- expiry String
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- permissions Property Map
- A
permissionsblock as defined below. - start String
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- cache
Control String - The
Cache-Controlresponse header that is sent when this SAS token is used. - content
Disposition String - The
Content-Dispositionresponse header that is sent when this SAS token is used. - content
Encoding String - The
Content-Encodingresponse header that is sent when this SAS token is used. - content
Language String - The
Content-Languageresponse header that is sent when this SAS token is used. - content
Type String - The
Content-Typeresponse header that is sent when this SAS token is used. - https
Only Boolean - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - ip
Address String - Single ipv4 address or range (connected with a dash) of ipv4 addresses.
getAccountBlobContainerSAS Result
The following output properties are available:
- Connection
String string - Container
Name string - Expiry string
- Id string
- The provider-assigned unique ID for this managed resource.
- Permissions
Get
Account Blob Container SASPermissions - Sas string
- The computed Blob Container Shared Access Signature (SAS).
- Start string
- Cache
Control string - Content
Disposition string - Content
Encoding string - Content
Language string - Content
Type string - Https
Only bool - Ip
Address string
- Connection
String string - Container
Name string - Expiry string
- Id string
- The provider-assigned unique ID for this managed resource.
- Permissions
Get
Account Blob Container SASPermissions - Sas string
- The computed Blob Container Shared Access Signature (SAS).
- Start string
- Cache
Control string - Content
Disposition string - Content
Encoding string - Content
Language string - Content
Type string - Https
Only bool - Ip
Address string
- connection
String String - container
Name String - expiry String
- id String
- The provider-assigned unique ID for this managed resource.
- permissions
Get
Account Blob Container SASPermissions - sas String
- The computed Blob Container Shared Access Signature (SAS).
- start String
- cache
Control String - content
Disposition String - content
Encoding String - content
Language String - content
Type String - https
Only Boolean - ip
Address String
- connection
String string - container
Name string - expiry string
- id string
- The provider-assigned unique ID for this managed resource.
- permissions
Get
Account Blob Container SASPermissions - sas string
- The computed Blob Container Shared Access Signature (SAS).
- start string
- cache
Control string - content
Disposition string - content
Encoding string - content
Language string - content
Type string - https
Only boolean - ip
Address string
- connection_
string str - container_
name str - expiry str
- id str
- The provider-assigned unique ID for this managed resource.
- permissions
Get
Account Blob Container SASPermissions - sas str
- The computed Blob Container Shared Access Signature (SAS).
- start str
- cache_
control str - content_
disposition str - content_
encoding str - content_
language str - content_
type str - https_
only bool - ip_
address str
- connection
String String - container
Name String - expiry String
- id String
- The provider-assigned unique ID for this managed resource.
- permissions Property Map
- sas String
- The computed Blob Container Shared Access Signature (SAS).
- start String
- cache
Control String - content
Disposition String - content
Encoding String - content
Language String - content
Type String - https
Only Boolean - ip
Address String
Supporting Types
GetAccountBlobContainerSASPermissions
- Add bool
- Should Add permissions be enabled for this SAS?
- Create bool
- Should Create permissions be enabled for this SAS?
- Delete bool
- Should Delete permissions be enabled for this SAS?
- List bool
- Should List permissions be enabled for this SAS?
- Read bool
- Should Read permissions be enabled for this SAS?
- Write bool
- Should Write permissions be enabled for this SAS?
- Add bool
- Should Add permissions be enabled for this SAS?
- Create bool
- Should Create permissions be enabled for this SAS?
- Delete bool
- Should Delete permissions be enabled for this SAS?
- List bool
- Should List permissions be enabled for this SAS?
- Read bool
- Should Read permissions be enabled for this SAS?
- Write bool
- Should Write permissions be enabled for this SAS?
- add Boolean
- Should Add permissions be enabled for this SAS?
- create Boolean
- Should Create permissions be enabled for this SAS?
- delete Boolean
- Should Delete permissions be enabled for this SAS?
- list Boolean
- Should List permissions be enabled for this SAS?
- read Boolean
- Should Read permissions be enabled for this SAS?
- write Boolean
- Should Write permissions be enabled for this SAS?
- add boolean
- Should Add permissions be enabled for this SAS?
- create boolean
- Should Create permissions be enabled for this SAS?
- delete boolean
- Should Delete permissions be enabled for this SAS?
- list boolean
- Should List permissions be enabled for this SAS?
- read boolean
- Should Read permissions be enabled for this SAS?
- write boolean
- Should Write permissions be enabled for this SAS?
- add bool
- Should Add permissions be enabled for this SAS?
- create bool
- Should Create permissions be enabled for this SAS?
- delete bool
- Should Delete permissions be enabled for this SAS?
- list bool
- Should List permissions be enabled for this SAS?
- read bool
- Should Read permissions be enabled for this SAS?
- write bool
- Should Write permissions be enabled for this SAS?
- add Boolean
- Should Add permissions be enabled for this SAS?
- create Boolean
- Should Create permissions be enabled for this SAS?
- delete Boolean
- Should Delete permissions be enabled for this SAS?
- list Boolean
- Should List permissions be enabled for this SAS?
- read Boolean
- Should Read permissions be enabled for this SAS?
- write Boolean
- Should Write permissions be enabled for this SAS?
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azurermTerraform Provider.
We recommend using Azure Native.
Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
published on Monday, Mar 9, 2026 by Pulumi
