We recommend using Azure Native.
Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
published on Monday, Mar 9, 2026 by Pulumi
We recommend using Azure Native.
Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
published on Monday, Mar 9, 2026 by Pulumi
Use this data source to obtain a Shared Access Signature (SAS Token) for an existing Storage Account.
Shared access signatures allow fine-grained, ephemeral access control to various aspects of an Azure Storage Account.
Note that this is an Account SAS and not a Service SAS.
Example Usage
using Pulumi;
using Azure = Pulumi.Azure;
class MyStack : Stack
{
public MyStack()
{
var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new Azure.Core.ResourceGroupArgs
{
Location = "West Europe",
});
var exampleAccount = new Azure.Storage.Account("exampleAccount", new Azure.Storage.AccountArgs
{
ResourceGroupName = exampleResourceGroup.Name,
Location = "westus",
AccountTier = "Standard",
AccountReplicationType = "GRS",
Tags =
{
{ "environment", "staging" },
},
});
var exampleAccountSAS = Azure.Storage.GetAccountSAS.Invoke(new Azure.Storage.GetAccountSASInvokeArgs
{
ConnectionString = exampleAccount.PrimaryConnectionString,
HttpsOnly = true,
SignedVersion = "2017-07-29",
ResourceTypes = new Azure.Storage.Inputs.GetAccountSASResourceTypesInputArgs
{
Service = true,
Container = false,
Object = false,
},
Services = new Azure.Storage.Inputs.GetAccountSASServicesInputArgs
{
Blob = true,
Queue = false,
Table = false,
File = false,
},
Start = "2018-03-21T00:00:00Z",
Expiry = "2020-03-21T00:00:00Z",
Permissions = new Azure.Storage.Inputs.GetAccountSASPermissionsInputArgs
{
Read = true,
Write = true,
Delete = false,
List = false,
Add = true,
Create = true,
Update = false,
Process = false,
},
});
this.SasUrlQueryString = exampleAccountSAS.Apply(exampleAccountSAS => exampleAccountSAS.Sas);
}
[Output("sasUrlQueryString")]
public Output<string> SasUrlQueryString { get; set; }
}
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/storage"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleAccount, err := storage.NewAccount(ctx, "exampleAccount", &storage.AccountArgs{
ResourceGroupName: exampleResourceGroup.Name,
Location: pulumi.String("westus"),
AccountTier: pulumi.String("Standard"),
AccountReplicationType: pulumi.String("GRS"),
Tags: pulumi.StringMap{
"environment": pulumi.String("staging"),
},
})
if err != nil {
return err
}
exampleAccountSAS := storage.GetAccountSASOutput(ctx, storage.GetAccountSASOutputArgs{
ConnectionString: exampleAccount.PrimaryConnectionString,
HttpsOnly: pulumi.Bool(true),
SignedVersion: pulumi.String("2017-07-29"),
ResourceTypes: &storage.GetAccountSASResourceTypesArgs{
Service: pulumi.Bool(true),
Container: pulumi.Bool(false),
Object: pulumi.Bool(false),
},
Services: &storage.GetAccountSASServicesArgs{
Blob: pulumi.Bool(true),
Queue: pulumi.Bool(false),
Table: pulumi.Bool(false),
File: pulumi.Bool(false),
},
Start: pulumi.String("2018-03-21T00:00:00Z"),
Expiry: pulumi.String("2020-03-21T00:00:00Z"),
Permissions: &storage.GetAccountSASPermissionsArgs{
Read: pulumi.Bool(true),
Write: pulumi.Bool(true),
Delete: pulumi.Bool(false),
List: pulumi.Bool(false),
Add: pulumi.Bool(true),
Create: pulumi.Bool(true),
Update: pulumi.Bool(false),
Process: pulumi.Bool(false),
},
}, nil)
ctx.Export("sasUrlQueryString", exampleAccountSAS.ApplyT(func(exampleAccountSAS storage.GetAccountSASResult) (string, error) {
return exampleAccountSAS.Sas, nil
}).(pulumi.StringOutput))
return nil
})
}
Example coming soon!
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleAccount = new azure.storage.Account("exampleAccount", {
resourceGroupName: exampleResourceGroup.name,
location: "westus",
accountTier: "Standard",
accountReplicationType: "GRS",
tags: {
environment: "staging",
},
});
const exampleAccountSAS = azure.storage.getAccountSASOutput({
connectionString: exampleAccount.primaryConnectionString,
httpsOnly: true,
signedVersion: "2017-07-29",
resourceTypes: {
service: true,
container: false,
object: false,
},
services: {
blob: true,
queue: false,
table: false,
file: false,
},
start: "2018-03-21T00:00:00Z",
expiry: "2020-03-21T00:00:00Z",
permissions: {
read: true,
write: true,
"delete": false,
list: false,
add: true,
create: true,
update: false,
process: false,
},
});
export const sasUrlQueryString = exampleAccountSAS.apply(exampleAccountSAS => exampleAccountSAS.sas);
import pulumi
import pulumi_azure as azure
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_account = azure.storage.Account("exampleAccount",
resource_group_name=example_resource_group.name,
location="westus",
account_tier="Standard",
account_replication_type="GRS",
tags={
"environment": "staging",
})
example_account_sas = azure.storage.get_account_sas_output(connection_string=example_account.primary_connection_string,
https_only=True,
signed_version="2017-07-29",
resource_types=azure.storage.GetAccountSASResourceTypesArgs(
service=True,
container=False,
object=False,
),
services=azure.storage.GetAccountSASServicesArgs(
blob=True,
queue=False,
table=False,
file=False,
),
start="2018-03-21T00:00:00Z",
expiry="2020-03-21T00:00:00Z",
permissions=azure.storage.GetAccountSASPermissionsArgs(
read=True,
write=True,
delete=False,
list=False,
add=True,
create=True,
update=False,
process=False,
))
pulumi.export("sasUrlQueryString", example_account_sas.sas)
Example coming soon!
Using getAccountSAS
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAccountSAS(args: GetAccountSASArgs, opts?: InvokeOptions): Promise<GetAccountSASResult>
function getAccountSASOutput(args: GetAccountSASOutputArgs, opts?: InvokeOptions): Output<GetAccountSASResult>def get_account_sas(connection_string: Optional[str] = None,
expiry: Optional[str] = None,
https_only: Optional[bool] = None,
ip_addresses: Optional[str] = None,
permissions: Optional[GetAccountSASPermissions] = None,
resource_types: Optional[GetAccountSASResourceTypes] = None,
services: Optional[GetAccountSASServices] = None,
signed_version: Optional[str] = None,
start: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetAccountSASResult
def get_account_sas_output(connection_string: Optional[pulumi.Input[str]] = None,
expiry: Optional[pulumi.Input[str]] = None,
https_only: Optional[pulumi.Input[bool]] = None,
ip_addresses: Optional[pulumi.Input[str]] = None,
permissions: Optional[pulumi.Input[GetAccountSASPermissionsArgs]] = None,
resource_types: Optional[pulumi.Input[GetAccountSASResourceTypesArgs]] = None,
services: Optional[pulumi.Input[GetAccountSASServicesArgs]] = None,
signed_version: Optional[pulumi.Input[str]] = None,
start: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAccountSASResult]func GetAccountSAS(ctx *Context, args *GetAccountSASArgs, opts ...InvokeOption) (*GetAccountSASResult, error)
func GetAccountSASOutput(ctx *Context, args *GetAccountSASOutputArgs, opts ...InvokeOption) GetAccountSASResultOutput> Note: This function is named GetAccountSAS in the Go SDK.
public static class GetAccountSAS
{
public static Task<GetAccountSASResult> InvokeAsync(GetAccountSASArgs args, InvokeOptions? opts = null)
public static Output<GetAccountSASResult> Invoke(GetAccountSASInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetAccountSASResult> getAccountSAS(GetAccountSASArgs args, InvokeOptions options)
public static Output<GetAccountSASResult> getAccountSAS(GetAccountSASArgs args, InvokeOptions options)
fn::invoke:
function: azure:storage/getAccountSAS:getAccountSAS
arguments:
# arguments dictionaryThe following arguments are supported:
- Connection
String string - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of aazure.storage.Accountresource. - Expiry string
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- Permissions
Get
Account SASPermissions - A
permissionsblock as defined below. - Resource
Types GetAccount SASResource Types - A
resource_typesblock as defined below. - Services
Get
Account SASServices - A
servicesblock as defined below. - Start string
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- Https
Only bool - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - Ip
Addresses string - IP address, or a range of IP addresses, from which to accept requests. When specifying a range, note that the range is inclusive.
- Signed
Version string - Specifies the signed storage service version to use to authorize requests made with this account SAS. Defaults to
2017-07-29.
- Connection
String string - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of aazure.storage.Accountresource. - Expiry string
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- Permissions
Get
Account SASPermissions - A
permissionsblock as defined below. - Resource
Types GetAccount SASResource Types - A
resource_typesblock as defined below. - Services
Get
Account SASServices - A
servicesblock as defined below. - Start string
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- Https
Only bool - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - Ip
Addresses string - IP address, or a range of IP addresses, from which to accept requests. When specifying a range, note that the range is inclusive.
- Signed
Version string - Specifies the signed storage service version to use to authorize requests made with this account SAS. Defaults to
2017-07-29.
- connection
String String - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of aazure.storage.Accountresource. - expiry String
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- permissions
Get
Account SASPermissions - A
permissionsblock as defined below. - resource
Types GetAccount SASResource Types - A
resource_typesblock as defined below. - services
Get
Account SASServices - A
servicesblock as defined below. - start String
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- https
Only Boolean - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - ip
Addresses String - IP address, or a range of IP addresses, from which to accept requests. When specifying a range, note that the range is inclusive.
- signed
Version String - Specifies the signed storage service version to use to authorize requests made with this account SAS. Defaults to
2017-07-29.
- connection
String string - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of aazure.storage.Accountresource. - expiry string
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- permissions
Get
Account SASPermissions - A
permissionsblock as defined below. - resource
Types GetAccount SASResource Types - A
resource_typesblock as defined below. - services
Get
Account SASServices - A
servicesblock as defined below. - start string
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- https
Only boolean - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - ip
Addresses string - IP address, or a range of IP addresses, from which to accept requests. When specifying a range, note that the range is inclusive.
- signed
Version string - Specifies the signed storage service version to use to authorize requests made with this account SAS. Defaults to
2017-07-29.
- connection_
string str - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of aazure.storage.Accountresource. - expiry str
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- permissions
Get
Account SASPermissions - A
permissionsblock as defined below. - resource_
types GetAccount SASResource Types - A
resource_typesblock as defined below. - services
Get
Account SASServices - A
servicesblock as defined below. - start str
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- https_
only bool - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - ip_
addresses str - IP address, or a range of IP addresses, from which to accept requests. When specifying a range, note that the range is inclusive.
- signed_
version str - Specifies the signed storage service version to use to authorize requests made with this account SAS. Defaults to
2017-07-29.
- connection
String String - The connection string for the storage account to which this SAS applies. Typically directly from the
primary_connection_stringattribute of aazure.storage.Accountresource. - expiry String
- The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string.
- permissions Property Map
- A
permissionsblock as defined below. - resource
Types Property Map - A
resource_typesblock as defined below. - services Property Map
- A
servicesblock as defined below. - start String
- The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string.
- https
Only Boolean - Only permit
httpsaccess. Iffalse, bothhttpandhttpsare permitted. Defaults totrue. - ip
Addresses String - IP address, or a range of IP addresses, from which to accept requests. When specifying a range, note that the range is inclusive.
- signed
Version String - Specifies the signed storage service version to use to authorize requests made with this account SAS. Defaults to
2017-07-29.
getAccountSAS Result
The following output properties are available:
- Connection
String string - Expiry string
- Id string
- The provider-assigned unique ID for this managed resource.
- Permissions
Get
Account SASPermissions - Resource
Types GetAccount SASResource Types - Sas string
- The computed Account Shared Access Signature (SAS).
- Services
Get
Account SASServices - Start string
- Https
Only bool - Ip
Addresses string - Signed
Version string
- Connection
String string - Expiry string
- Id string
- The provider-assigned unique ID for this managed resource.
- Permissions
Get
Account SASPermissions - Resource
Types GetAccount SASResource Types - Sas string
- The computed Account Shared Access Signature (SAS).
- Services
Get
Account SASServices - Start string
- Https
Only bool - Ip
Addresses string - Signed
Version string
- connection
String String - expiry String
- id String
- The provider-assigned unique ID for this managed resource.
- permissions
Get
Account SASPermissions - resource
Types GetAccount SASResource Types - sas String
- The computed Account Shared Access Signature (SAS).
- services
Get
Account SASServices - start String
- https
Only Boolean - ip
Addresses String - signed
Version String
- connection
String string - expiry string
- id string
- The provider-assigned unique ID for this managed resource.
- permissions
Get
Account SASPermissions - resource
Types GetAccount SASResource Types - sas string
- The computed Account Shared Access Signature (SAS).
- services
Get
Account SASServices - start string
- https
Only boolean - ip
Addresses string - signed
Version string
- connection_
string str - expiry str
- id str
- The provider-assigned unique ID for this managed resource.
- permissions
Get
Account SASPermissions - resource_
types GetAccount SASResource Types - sas str
- The computed Account Shared Access Signature (SAS).
- services
Get
Account SASServices - start str
- https_
only bool - ip_
addresses str - signed_
version str
- connection
String String - expiry String
- id String
- The provider-assigned unique ID for this managed resource.
- permissions Property Map
- resource
Types Property Map - sas String
- The computed Account Shared Access Signature (SAS).
- services Property Map
- start String
- https
Only Boolean - ip
Addresses String - signed
Version String
Supporting Types
GetAccountSASPermissions
- Add bool
- Should Add permissions be enabled for this SAS?
- Create bool
- Should Create permissions be enabled for this SAS?
- Delete bool
- Should Delete permissions be enabled for this SAS?
- List bool
- Should List permissions be enabled for this SAS?
- Process bool
- Should Process permissions be enabled for this SAS?
- Read bool
- Should Read permissions be enabled for this SAS?
- Update bool
- Should Update permissions be enabled for this SAS?
- Write bool
- Should Write permissions be enabled for this SAS?
- Add bool
- Should Add permissions be enabled for this SAS?
- Create bool
- Should Create permissions be enabled for this SAS?
- Delete bool
- Should Delete permissions be enabled for this SAS?
- List bool
- Should List permissions be enabled for this SAS?
- Process bool
- Should Process permissions be enabled for this SAS?
- Read bool
- Should Read permissions be enabled for this SAS?
- Update bool
- Should Update permissions be enabled for this SAS?
- Write bool
- Should Write permissions be enabled for this SAS?
- add Boolean
- Should Add permissions be enabled for this SAS?
- create Boolean
- Should Create permissions be enabled for this SAS?
- delete Boolean
- Should Delete permissions be enabled for this SAS?
- list Boolean
- Should List permissions be enabled for this SAS?
- process Boolean
- Should Process permissions be enabled for this SAS?
- read Boolean
- Should Read permissions be enabled for this SAS?
- update Boolean
- Should Update permissions be enabled for this SAS?
- write Boolean
- Should Write permissions be enabled for this SAS?
- add boolean
- Should Add permissions be enabled for this SAS?
- create boolean
- Should Create permissions be enabled for this SAS?
- delete boolean
- Should Delete permissions be enabled for this SAS?
- list boolean
- Should List permissions be enabled for this SAS?
- process boolean
- Should Process permissions be enabled for this SAS?
- read boolean
- Should Read permissions be enabled for this SAS?
- update boolean
- Should Update permissions be enabled for this SAS?
- write boolean
- Should Write permissions be enabled for this SAS?
- add bool
- Should Add permissions be enabled for this SAS?
- create bool
- Should Create permissions be enabled for this SAS?
- delete bool
- Should Delete permissions be enabled for this SAS?
- list bool
- Should List permissions be enabled for this SAS?
- process bool
- Should Process permissions be enabled for this SAS?
- read bool
- Should Read permissions be enabled for this SAS?
- update bool
- Should Update permissions be enabled for this SAS?
- write bool
- Should Write permissions be enabled for this SAS?
- add Boolean
- Should Add permissions be enabled for this SAS?
- create Boolean
- Should Create permissions be enabled for this SAS?
- delete Boolean
- Should Delete permissions be enabled for this SAS?
- list Boolean
- Should List permissions be enabled for this SAS?
- process Boolean
- Should Process permissions be enabled for this SAS?
- read Boolean
- Should Read permissions be enabled for this SAS?
- update Boolean
- Should Update permissions be enabled for this SAS?
- write Boolean
- Should Write permissions be enabled for this SAS?
GetAccountSASResourceTypes
GetAccountSASServices
- Blob bool
- Should permission be granted to
blobservices within this storage account? - File bool
- Should permission be granted to
fileservices within this storage account? - Queue bool
- Should permission be granted to
queueservices within this storage account? - Table bool
- Should permission be granted to
tableservices within this storage account?
- Blob bool
- Should permission be granted to
blobservices within this storage account? - File bool
- Should permission be granted to
fileservices within this storage account? - Queue bool
- Should permission be granted to
queueservices within this storage account? - Table bool
- Should permission be granted to
tableservices within this storage account?
- blob Boolean
- Should permission be granted to
blobservices within this storage account? - file Boolean
- Should permission be granted to
fileservices within this storage account? - queue Boolean
- Should permission be granted to
queueservices within this storage account? - table Boolean
- Should permission be granted to
tableservices within this storage account?
- blob boolean
- Should permission be granted to
blobservices within this storage account? - file boolean
- Should permission be granted to
fileservices within this storage account? - queue boolean
- Should permission be granted to
queueservices within this storage account? - table boolean
- Should permission be granted to
tableservices within this storage account?
- blob bool
- Should permission be granted to
blobservices within this storage account? - file bool
- Should permission be granted to
fileservices within this storage account? - queue bool
- Should permission be granted to
queueservices within this storage account? - table bool
- Should permission be granted to
tableservices within this storage account?
- blob Boolean
- Should permission be granted to
blobservices within this storage account? - file Boolean
- Should permission be granted to
fileservices within this storage account? - queue Boolean
- Should permission be granted to
queueservices within this storage account? - table Boolean
- Should permission be granted to
tableservices within this storage account?
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azurermTerraform Provider.
We recommend using Azure Native.
Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
published on Monday, Mar 9, 2026 by Pulumi
