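            /// <summary>
            /// Builds the <see cref="Secret"/> for a SAS-token request by looking up the resource type
            /// configured for <paramref name="request"/> and dispatching to the matching builder.
            /// </summary>
            /// <param name="request">The incoming request; its <c>Name</c> selects the <c>{Name}_ResourceType</c> secret-store entry.</param>
            /// <param name="secretValue">The raw secret value the resource-specific builder turns into a token.</param>
            /// <returns>The constructed secret.</returns>
            /// <exception cref="ArgumentNullException">The <c>{Name}_ResourceType</c> entry is missing or empty.</exception>
            /// <exception cref="NotSupportedException">The configured resource type has no builder.</exception>
            private Secret CreateSasTokenSecret(RetrieveSecretsRequest request, string secretValue)
            {
                var resourceTypeVariableName = $"{request.Name}_ResourceType";
                var resourceType             = GetSecretStoreValue(resourceTypeVariableName);

                if (string.IsNullOrEmpty(resourceType))
                {
                    // The single-string ArgumentNullException ctor treats its argument as the parameter
                    // *name*, which would bury this text behind "Value cannot be null."; the
                    // (paramName, message) overload keeps the exception type and surfaces the message.
                    throw new ArgumentNullException(
                        resourceTypeVariableName,
                        $"Missing environment variable {resourceTypeVariableName} that stores the resource type for secret {request.Name}");
                }

                // Resource-type names are matched case-insensitively; the default branch echoes the
                // configured value so a typo in the secret store is easy to spot in the error.
                switch (resourceType.ToLowerInvariant())
                {
                case "storagekey":
                    return CreateAzureStorageSasTokenSecret(request, secretValue);

                default:
                    throw new NotSupportedException($"Unknown resource type {resourceType} for secret named {request.Name}. Check environment variable {resourceTypeVariableName} has a valid value.");
                }
            }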
            /// <summary>
            /// Turns an Azure Storage connection string into an account-level SAS token wrapped as a
            /// <see cref="Secret"/>.
            /// </summary>
            /// <param name="request">The originating request. Not consulted here; the secret value alone drives the token.</param>
            /// <param name="secretValue">Expected to be an Azure Storage connection string (it is handed to <c>CloudStorageAccount.Parse</c>).</param>
            /// <returns>An <see cref="UpdatingSasToken"/> carrying the signature and the account name it was signed for.</returns>
            /// <remarks>
            /// The policy is deliberately broad so this service does not have to reimplement the Central
            /// Secrets Service: every account permission, the Blob service across all resource scopes
            /// (service, container, object), no expiry (<c>SharedAccessExpiryTime</c> is null) and no IP
            /// restriction; the only constraint is HTTPS-only transport. A holder of the returned token
            /// therefore has full read/write/delete/list control of the account's Blob service, so the
            /// connection string in the secret store and the emitted token need the same protection as an
            /// account key. Whether the <c>UpdatingSasToken</c> wrapper rotates the token is outside this method.
            /// </remarks>
            private Secret CreateAzureStorageSasTokenSecret(RetrieveSecretsRequest request, string secretValue)
            {
                // The secret-store value must be a full Azure Storage connection string.
                var storageAccount = CloudStorageAccount.Parse(secretValue);

                // Account-level policy: every permission, Blob service only, all resource scopes,
                // HTTPS-only, no expiry and no IP range. Kept this wide on purpose (see <remarks>).
                var fullAccessPermissions =
                    SharedAccessAccountPermissions.Add
                    | SharedAccessAccountPermissions.Create
                    | SharedAccessAccountPermissions.Delete
                    | SharedAccessAccountPermissions.List
                    | SharedAccessAccountPermissions.ProcessMessages
                    | SharedAccessAccountPermissions.Read
                    | SharedAccessAccountPermissions.Update
                    | SharedAccessAccountPermissions.Write;

                var accountPolicy = new SharedAccessAccountPolicy
                {
                    Permissions            = fullAccessPermissions,
                    Services               = SharedAccessAccountServices.Blob,
                    ResourceTypes          = SharedAccessAccountResourceTypes.Service
                                             | SharedAccessAccountResourceTypes.Container
                                             | SharedAccessAccountResourceTypes.Object,
                    Protocols              = SharedAccessProtocol.HttpsOnly,
                    SharedAccessExpiryTime = null,
                    IPAddressOrRange       = null,
                };

                var signature = storageAccount.GetSharedAccessSignature(accountPolicy);

                // The account name travels with the token so consumers know which account it signs for.
                var token = new SasToken
                {
                    Token          = signature,
                    StorageAccount = storageAccount.Credentials.AccountName,
                };

                return new UpdatingSasToken(token);
            }