Actions and attributes for Azure role assignment conditions for Azure Queue Storage

This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Queue service operations that a specific permission or DataAction affects, see Permissions for Queue service operations.

To understand the role assignment condition format, see Azure role assignment condition format and syntax.

Important

Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request, resource, environment, and principal attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.

See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Azure Queue Storage actions

This section lists the supported Azure Queue Storage actions you can target for conditions.

Storage accounts support the following actions:

Display name DataAction
Peek messages Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
Put a message Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action
Put or update a message Microsoft.Storage/storageAccounts/queueServices/queues/messages/write
Clear messages Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete
Get or delete messages Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action

Peek messages

Property Value
Display name Peek messages
Description DataAction for peeking messages.
DataAction Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
Resource attributes Account name
Queue name
Request attributes
Principal attributes support True

Put a message

Property Value
Display name Put a message
Description DataAction for putting a message.
DataAction Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action
Resource attributes Account name
Queue name
Request attributes
Principal attributes support True

Put or update a message

Property Value
Display name Put or update a message
Description DataAction for putting or updating a message.
DataAction Microsoft.Storage/storageAccounts/queueServices/queues/messages/write
Resource attributes Account name
Queue name
Request attributes
Principal attributes support True

Clear messages

Property Value
Display name Clear messages
Description DataAction for clearing messages.
DataAction Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete
Resource attributes Account name
Queue name
Request attributes
Principal attributes support True

Get or delete messages

Property Value
Display name Get or delete messages
Description DataAction for getting or deleting messages.
DataAction Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action
Resource attributes Account name
Queue name
Request attributes
Principal attributes support True

Azure Queues Storage attributes

This section lists the Azure Queue storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across all of the selected actions.

Note

Attributes and values listed are considered case-insensitive, unless stated otherwise.

The following table summarizes the available attributes by source:

Attribute Source Display name Description
Environment
Is private link Whether access is over a private link
Private endpoint The private endpoint over which an object is accessed
Subnet The subnet over which an object is accessed
UTC now The current date and time in Coordinated Universal Time
Resource
Account name The storage account name
Queue name The storage queue name

Account name

Property Value
Display name Account name
Description Name of a storage account.
Attribute Microsoft.Storage/storageAccounts:name
Attribute source Resource
Attribute type String
Examples @Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount'
Property Value
Display name Is private link
Description Whether access is over a private link.
Use to require access over any private endpoint.
Attribute isPrivateLink
Attribute source Environment
Attribute type Boolean
Examples @Environment[isPrivateLink] BoolEquals true
Example: Require private link access to read blobs with high sensitivity
Learn more Use private endpoints for Azure Storage

Private endpoint

Property Value
Display name Private endpoint
Description The private endpoint over which an object is accessed.
Use to restrict access over a specific private endpoint.
Available only for storage accounts in subscriptions that have at least one private endpoint configured.
Attribute Microsoft.Network/privateEndpoints
Attribute source Environment
Attribute type String
Examples @Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'
Example: Allow read access to a container only from a specific private endpoint
Learn more Use private endpoints for Azure Storage

Queue name

Property Value
Display name Queue name
Description Name of a storage queue.
Attribute Microsoft.Storage/storageAccounts/queueServices/queues:name
Attribute source Resource
Attribute type String

Subnet

Property Value
Display name Subnet
Description The subnet over which an object is accessed.
Use to restrict access to a specific subnet.
Available only for storage accounts in subscriptions that have at least one virtual network subnet configured.
Attribute Microsoft.Network/virtualNetworks/subnets
Attribute source Environment
Attribute type String
Examples @Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'
Example: Allow access to blobs in specific containers from a specific subnet
Learn more Subnets

UTC now

Property Value
Display name UTC now
Description The current date and time in Coordinated Universal Time.
Use to control access to objects for a specific date and time period.
Attribute UtcNow
Attribute source Environment
Attribute type DateTime
(Only operators DateTimeGreaterThan and DateTimeLessThan are supported for the UTC now attribute.)
Examples @Environment[UtcNow] DateTimeGreaterThan '2023-05-01T13:00:00.0Z'
Example: Allow read access to blobs after a specific date and time

See also