Storage authentication

This page provides instructions on how to authenticate to the storage using the credentials obtained from the GET /storages/{id}/credentials API endpoint.

Prerequisites

Storage wrapped token obtained from GET /storages/{id}/credentials API endpoint (see Get storage credentials documentation)
curl command-line tool installed for making API requests
Azure CLI installed for unwrapping the Vault token and accessing storage with the obtained credentials

Unwrapping the token

The returned token is a HashiCorp Vault wrapped token. You must unwrap it to obtain the actual storage credentials:

post

Unwrap vault token

1
curl -X POST "https://hcp-vault.tomtomgroup.com/v1/sys/wrapping/unwrap" \
2
  -H "X-Vault-Token: <YOUR_WRAPPED_TOKEN>"

Unwrapped credentials response

1
{
2
  "request_id":"abc123",
3
  "lease_id":"",
4
  "renewable": false,
5
  "lease_duration":0,
6
  "data": {
7
    "credentials":{
8
      "clientId":"<client_id>",
9
      "clientSecret":"<client_secret>"
10
    },
11
    "id":"<storage_id>",
12
    "tenant_id":"<tenant_id>",
13
    "url":"https://<storage_id>.blob.core.windows.net/default/"
14
  },
15
  "wrap_info":null,
16
  "warnings":null,
17
  "auth":null,
18
  "mount_type":"ns_system"
19
}

Unwrapped credentials fields

Field	Type	Description
`data.credentials.clientId`	string	Client ID for accessing Azure storage
`data.credentials.clientSecret`	string	Client secret for Azure storage authentication
`data.id`	string	Storage identifier (matches storage ID)
`data.tenant_id`	string \| null	Azure tenant ID (if applicable)
`data.url`	string	Azure Blob Storage URL for the storage location

Using the credentials

With the unwrapped credentials, you can authorize to the storage using:

1
az login --service-principal \
2
  --username <client_id> \
3
  --password <client_secret> \
4
  --tenant <tenant_id>

Token unwrapping: The token can only be unwrapped once. After unwrapping, the original wrapped token becomes invalid.

Error responses

HTTP Status	Error	Cause	Solution
401	Unauthorized	Invalid credentials	Refresh API key or token
403	Forbidden	Insufficient permissions	Check your access rights
404	Not Found	Storage not found	Verify storage ID
500	Internal Server Error	Server-side issue	Retry the request

Next steps

Private Data Gateway API - Learn how to manage your storage
GEM API - Learn how to run and monitor matching jobs