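/// <summary>
/// Builds a SAS-token <see cref="Secret"/> for <paramref name="request"/> from its raw secret value,
/// dispatching on the resource type read from the "{Name}_ResourceType" entry of the secret store.
/// </summary>
/// <param name="request">The secret retrieval request; only <c>Name</c> is read here.</param>
/// <param name="secretValue">The raw secret value for the request (passed through to the resource-type-specific factory).</param>
/// <returns>The SAS-token secret produced for the resolved resource type.</returns>
/// <exception cref="ArgumentNullException">The "{Name}_ResourceType" entry is missing or empty.</exception>
/// <exception cref="NotSupportedException">The resource type is not one this method knows how to handle.</exception>
private Secret CreateSasTokenSecret(RetrieveSecretsRequest request, string secretValue)
{
    var resourceTypeVariableName = $"{request.Name}_ResourceType";
    var resourceType = GetSecretStoreValue(resourceTypeVariableName);
    if (string.IsNullOrEmpty(resourceType))
    {
        // Use the (paramName, message) overload: the single-string constructor treats its argument
        // as the parameter name, which buried this text inside "Value cannot be null. (Parameter '...')".
        throw new ArgumentNullException(
            resourceTypeVariableName,
            $"Missing environment variable {resourceTypeVariableName} that stores the resource type for secret {request.Name}");
    }

    // Case-insensitive dispatch; "storagekey" (an Azure Storage account key / connection string) is the only
    // resource type supported today.
    switch (resourceType.ToLowerInvariant())
    {
        case "storagekey":
            return CreateAzureStorageSasTokenSecret(request, secretValue);
        default:
            throw new NotSupportedException(
                $"Unknown resource type {resourceType} for secret named {request.Name}. Check environment variable {resourceTypeVariableName} has a valid value.");
    }
}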
/// <summary>
/// Turns an Azure Storage connection string into an account-level SAS-token <see cref="Secret"/>.
/// </summary>
/// <param name="request">The originating request; not read by this method (kept for parity with the dispatcher's signature).</param>
/// <param name="secretValue">An Azure Storage connection string, parsed with <see cref="CloudStorageAccount.Parse"/>.</param>
/// <returns>An <see cref="UpdatingSasToken"/> wrapping the generated account SAS and the account name it was issued for.</returns>
private Secret CreateAzureStorageSasTokenSecret(RetrieveSecretsRequest request, string secretValue)
{
    // For this resource type the raw secret value is expected to be an Azure Storage connection string.
    var storageAccount = CloudStorageAccount.Parse(secretValue);

    // Every account permission, Blob service only, all three resource types, HTTPS only, no source-IP
    // restriction and no expiry: a "godlike" token, issued so the Central Secrets Service does not
    // have to be reimplemented here.
    // NOTE(review): with SharedAccessExpiryTime left null this SAS is as sensitive as the account key
    // itself and stays valid until that key is rotated — confirm the consumer rotates/re-issues it
    // (UpdatingSasToken suggests so) rather than persisting it.
    var allPermissions =
        SharedAccessAccountPermissions.Add
        | SharedAccessAccountPermissions.Create
        | SharedAccessAccountPermissions.Delete
        | SharedAccessAccountPermissions.List
        | SharedAccessAccountPermissions.ProcessMessages
        | SharedAccessAccountPermissions.Read
        | SharedAccessAccountPermissions.Update
        | SharedAccessAccountPermissions.Write;

    var policy = new SharedAccessAccountPolicy
    {
        SharedAccessExpiryTime = null,
        Permissions = allPermissions,
        Services = SharedAccessAccountServices.Blob,
        ResourceTypes = SharedAccessAccountResourceTypes.Service
            | SharedAccessAccountResourceTypes.Container
            | SharedAccessAccountResourceTypes.Object,
        Protocols = SharedAccessProtocol.HttpsOnly,
        IPAddressOrRange = null,
    };

    var issuedToken = new SasToken
    {
        Token = storageAccount.GetSharedAccessSignature(policy),
        StorageAccount = storageAccount.Credentials.AccountName,
    };

    return new UpdatingSasToken(issuedToken);
}