Does anyone have some ideas/samples of how I can create a storage account policy and off that a SAS token - allowing the rest of my build pipeline to use that as a connection string? End goal: don't expose the account keys, make it possible for the build pipeline to publish a nuget package (via sleet - which uses a connection string).

No examples, but ARM does not expose an API to make a stored access policy with IaC. Could look into adding a PowerShell task to your pipeline to generate the stored access policy. https://docs.microsoft.com/en-us/powershell/module/az.storage/new-azstoragecontainerstoredaccesspolicy?view=azps-7.5.0

That is valuable info, now it makes sense why I can't find the API calls 🙂 I'll take a look at your advice or just script the whole part - its a bootstrapping phase anyway so won't happen often (still don't like the taste but I don't have all day either). Thank you!

I spend more time reading the ARM documentation than on Pulumi registry. I also might be wrong, I looked at the blob service ARM yesterday. Not sure what the sasPolicy on the main storage account is. That might get you what you looking for. https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=bicep

instead I spent the day fighting with Azure - in terms of how to get a service principal to be created, such that it can be used by the rest of the pulumi service + pipeline for keyvault and resource creation and RBAC. Boy it was frustrating.