import type { TokenCredential } from "@azure/core-auth"; import { BlobServiceClient } from "@azure/storage-blob"; import type { Adapter } from "../index.js"; import { FilesError } from "../internal/errors.js"; export interface AzureAdapterOptions { /** * Azure container name. Surfaced as `bucket` on the returned adapter for * cross-adapter API consistency (S3/R2/GCS/MinIO all expose `bucket`). * Azure's own term is "container". */ container: string; /** * Full connection string (`DefaultEndpointsProtocol=...;AccountName=...; * AccountKey=...;EndpointSuffix=core.windows.net`). Highest precedence. * Falls back to `AZURE_STORAGE_CONNECTION_STRING`. * * The adapter parses out `AccountName` + `AccountKey` so `url()` and * `signedUploadUrl()` can mint new SAS without a separate credential. */ connectionString?: string; /** * Storage account name (e.g. `mystorageaccount`). Used with `accountKey`, * `sasToken`, or anonymously. Falls back to `AZURE_STORAGE_ACCOUNT_NAME`, * then `AZURE_STORAGE_ACCOUNT` (the Azure CLI uses both at different times). */ accountName?: string; /** * Shared-key (account key). Required to sign URLs with shared-key * credentials. Falls back to `AZURE_STORAGE_ACCOUNT_KEY`, then * `AZURE_STORAGE_KEY`. */ accountKey?: string; /** * Microsoft Entra credential used for Azure AD / Managed Identity workloads. * When supplied without a shared key, reads/writes/listing use token-based * auth and `url()` / `signedUploadUrl()` mint User Delegation SAS URLs. * * The principal must be allowed to access blob data and call * `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action` * (for example via Storage Blob Delegator at the account scope). */ credential?: TokenCredential; /** * Controls whether `credential`-backed adapters mint User Delegation SAS * URLs. Defaults to true when `credential` is supplied. Set false only when * you want token-authenticated SDK operations but no signed URL support. */ useUserDelegationSas?: boolean; /** * Pre-issued SAS token (with or without leading `?`). When set without * `accountKey`, `url()` and `signedUploadUrl()` cannot mint new SAS — they * throw a Provider error. Reading/writing/listing still works as long as * the SAS has the relevant permissions. */ sasToken?: string; /** * Override the service endpoint host. Defaults to * `https://${accountName}.blob.core.windows.net`. Used for Azurite * (`http://127.0.0.1:10000/devstoreaccount1`) or sovereign clouds * (`*.blob.core.usgovcloudapi.net`, `*.blob.core.chinacloudapi.cn`). */ endpoint?: string; /** * Origin used to build URLs from `url()`. When set, `url(key)` returns * `${publicBaseUrl}/${key}` and skips signing — appropriate for a public * container (`Blob` or `Container` access level) or a CDN * (`*.azureedge.net`) in front of the account. */ publicBaseUrl?: string; /** * Default expiry, in seconds, for the SAS read URLs returned by `url()` * when `publicBaseUrl` is not set. Defaults to 3600 (1 hour). Per-call * `url(key, { expiresIn })` overrides. */ defaultUrlExpiresIn?: number; } export type AzureAdapter = Adapter & { readonly bucket: string; }; export declare const mapAzureError: (err: unknown) => FilesError; export declare const azure: (opts: AzureAdapterOptions) => AzureAdapter; //# sourceMappingURL=index.d.ts.map