Storage authentication

This page provides instructions on how to authenticate to the storage using the credentials obtained from the GET /storages/{id}/credentials API endpoint.

Prerequisites

  • Storage wrapped token obtained from GET /storages/{id}/credentials API endpoint (see Get storage credentials documentation)
  • curl command-line tool installed for making API requests
  • Azure CLI installed for unwrapping the Vault token and accessing storage with the obtained credentials

Unwrapping the token

The returned token is a HashiCorp Vault wrapped token. You must unwrap it to obtain the actual storage credentials:

Unwrap vault token (POST)

curl -X POST "https://hcp-vault.tomtomgroup.com/v1/sys/wrapping/unwrap" \
  -H "X-Vault-Token: <YOUR_WRAPPED_TOKEN>"

Unwrapped credentials response

{
  "request_id": "abc123",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "credentials": {
      "clientId": "<client_id>",
      "clientSecret": "<client_secret>"
    },
    "id": "<storage_id>",
    "tenant_id": "<tenant_id>",
    "url": "https://<storage_id>.blob.core.windows.net/default/"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null,
  "mount_type": "ns_system"
}

Unwrapped credentials fields

Field                          Type            Description
data.credentials.clientId      string          Client ID for accessing Azure storage
data.credentials.clientSecret  string          Client secret for Azure storage authentication
data.id                        string          Storage identifier (matches storage ID)
data.tenant_id                 string | null   Azure tenant ID (if applicable)
data.url                       string          Azure Blob Storage URL for the storage location

Using the credentials

With the unwrapped credentials, you can authenticate to the storage using the Azure CLI:

az login --service-principal \
  --username <client_id> \
  --password <client_secret> \
  --tenant <tenant_id>

Token unwrapping: The token can only be unwrapped once. After unwrapping, the original wrapped token becomes invalid.
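
The two steps above as one flow, as an added example that is not part of the original page: because the wrapped token can be unwrapped only once, the response is validated in memory before az login is started. The environment variable name VAULT_WRAPPED_TOKEN, the helper names, the sample values and the handling of an "errors" list in a failed response are assumptions.

```python
import json
import os
import subprocess
import urllib.error
import urllib.request

UNWRAP_URL = "https://hcp-vault.tomtomgroup.com/v1/sys/wrapping/unwrap"  # from the page
# Constructed sample, trimmed to the fields used here (placeholder values).
SAMPLE = json.dumps({"data": {"credentials": {"clientId": "example-client-id",
    "clientSecret": "example-secret"}, "tenant_id": "example-tenant"}})

def unwrap(wrapped_token):
    """POST the wrapped token once; return the body even on an HTTP error."""
    req = urllib.request.Request(UNWRAP_URL, method="POST",
                                 headers={"X-Vault-Token": wrapped_token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8")

def parse_unwrapped(body):
    """Validate the unwrap response; return only what az login needs."""
    doc = json.loads(body)
    if doc.get("errors"):  # assumption: failures carry an "errors" list
        raise ValueError("unwrap failed: " + "; ".join(map(str, doc["errors"])))
    data = doc.get("data") or {}
    creds = data.get("credentials") or {}
    found = {"client_id": creds.get("clientId"), "tenant_id": data.get("tenant_id"),
             "client_secret": creds.get("clientSecret")}  # tenant_id may be null
    missing = [name for name, value in found.items() if not value]
    if missing:
        raise ValueError("unwrap response lacks: " + ", ".join(missing))
    return found

def az_login_argv(c):
    """Build the page's az login command as an argv list (no shell parsing)."""
    return ["az", "login", "--service-principal", "--username", c["client_id"],
            "--password", c["client_secret"], "--tenant", c["tenant_id"]]

def redacted(argv):
    """Copy of argv that is safe to log: the value after --password is masked."""
    return ["***" if i and argv[i - 1] == "--password" else a for i, a in enumerate(argv)]

if __name__ == "__main__":
    token = os.environ["VAULT_WRAPPED_TOKEN"]  # hypothetical variable name
    argv = az_login_argv(parse_unwrapped(unwrap(token)))
    print("running:", " ".join(redacted(argv)))
    subprocess.run(argv, check=True)
```

Passing the secret as an argv element keeps it out of shell history, but it remains visible in the local process list while az runs.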

Error responses

HTTP Status  Error                  Cause                     Solution
401          Unauthorized           Invalid credentials       Refresh API key or token
403          Forbidden              Insufficient permissions  Check your access rights
404          Not Found              Storage not found         Verify storage ID
500          Internal Server Error  Server-side issue         Retry the request

Next steps