Actions and attributes for Azure role assignment conditions for Azure Queue Storage
This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Queue service operations that a specific permission or DataAction affects, see Permissions for Queue service operations.
To understand the role assignment condition format, see Azure role assignment condition format and syntax.
Important
Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request, resource, environment, and principal attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.
See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Azure Queue Storage actions
This section lists the supported Azure Queue Storage actions you can target for conditions.
Storage accounts support the following actions:
Display name | DataAction |
---|---|
Peek messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/read |
Put a message | Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action |
Put or update a message | Microsoft.Storage/storageAccounts/queueServices/queues/messages/write |
Clear messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete |
Get or delete messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action |
Peek messages
Property | Value |
---|---|
Display name | Peek messages |
Description | DataAction for peeking messages. |
DataAction | Microsoft.Storage/storageAccounts/queueServices/queues/messages/read |
Resource attributes | Account name, Queue name |
Request attributes | |
Principal attributes support | True |
Put a message
Property | Value |
---|---|
Display name | Put a message |
Description | DataAction for putting a message. |
DataAction | Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action |
Resource attributes | Account name, Queue name |
Request attributes | |
Principal attributes support | True |
Put or update a message
Property | Value |
---|---|
Display name | Put or update a message |
Description | DataAction for putting or updating a message. |
DataAction | Microsoft.Storage/storageAccounts/queueServices/queues/messages/write |
Resource attributes | Account name, Queue name |
Request attributes | |
Principal attributes support | True |
Clear messages
Property | Value |
---|---|
Display name | Clear messages |
Description | DataAction for clearing messages. |
DataAction | Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete |
Resource attributes | Account name, Queue name |
Request attributes | |
Principal attributes support | True |
Get or delete messages
Property | Value |
---|---|
Display name | Get or delete messages |
Description | DataAction for getting or deleting messages. |
DataAction | Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action |
Resource attributes | Account name, Queue name |
Request attributes | |
Principal attributes support | True |
Azure Queue Storage attributes
This section lists the Azure Queue storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across all of the selected actions.
Note
Attributes and values listed are considered case-insensitive, unless stated otherwise.
The following table summarizes the available attributes by source:
Attribute source | Display name | Description |
---|---|---|
Environment | Is private link | Whether access is over a private link |
Environment | Private endpoint | The private endpoint over which an object is accessed |
Environment | Subnet | The subnet over which an object is accessed |
Environment | UTC now | The current date and time in Coordinated Universal Time |
Resource | Account name | The storage account name |
Resource | Queue name | The storage queue name |
Account name
Property | Value |
---|---|
Display name | Account name |
Description | Name of a storage account. |
Attribute | Microsoft.Storage/storageAccounts:name |
Attribute source | Resource |
Attribute type | String |
Examples | @Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount' |
Is private link
Property | Value |
---|---|
Display name | Is private link |
Description | Whether access is over a private link. Use to require access over any private endpoint. |
Attribute | isPrivateLink |
Attribute source | Environment |
Attribute type | Boolean |
Examples | @Environment[isPrivateLink] BoolEquals true Example: Require private link access to read blobs with high sensitivity |
Learn more | Use private endpoints for Azure Storage |
Private endpoint
Property | Value |
---|---|
Display name | Private endpoint |
Description | The private endpoint over which an object is accessed. Use to restrict access over a specific private endpoint. Available only for storage accounts in subscriptions that have at least one private endpoint configured. |
Attribute | Microsoft.Network/privateEndpoints |
Attribute source | Environment |
Attribute type | String |
Examples | @Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1' Example: Allow read access to a container only from a specific private endpoint |
Learn more | Use private endpoints for Azure Storage |
Queue name
Property | Value |
---|---|
Display name | Queue name |
Description | Name of a storage queue. |
Attribute | Microsoft.Storage/storageAccounts/queueServices/queues:name |
Attribute source | Resource |
Attribute type | String |
Subnet
Property | Value |
---|---|
Display name | Subnet |
Description | The subnet over which an object is accessed. Use to restrict access to a specific subnet. Available only for storage accounts in subscriptions that have at least one virtual network subnet configured. |
Attribute | Microsoft.Network/virtualNetworks/subnets |
Attribute source | Environment |
Attribute type | String |
Examples | @Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default' Example: Allow access to blobs in specific containers from a specific subnet |
Learn more | Subnets |
UTC now
Property | Value |
---|---|
Display name | UTC now |
Description | The current date and time in Coordinated Universal Time. Use to control access to objects for a specific date and time period. |
Attribute | UtcNow |
Attribute source | Environment |
Attribute type | DateTime (Only operators DateTimeGreaterThan and DateTimeLessThan are supported for the UTC now attribute.) |
Examples | @Environment[UtcNow] DateTimeGreaterThan '2023-05-01T13:00:00.0Z' Example: Allow read access to blobs after a specific date and time |
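The tables on this page list which actions and attributes a queue condition may use, but not how they are assembled, checked and applied. The following Python is an added example and is not code from the Azure documentation. It renders a condition in the Azure role assignment condition format (version 2.0) for the queue DataActions above, rejects combinations the page does not allow (an attribute outside the Resource and Environment sets available to every queue action, or UtcNow with an operator other than DateTimeGreaterThan and DateTimeLessThan), and evaluates the result locally against constructed request contexts. The `orders` queue, the built-in role name, the scope placeholders and the request contexts are assumptions made for the illustration; `--condition` and `--condition-version` are the real Azure CLI flags for `az role assignment create`.

```python
"""Build, check and locally evaluate an Azure ABAC condition for Azure Queue Storage.

Added example, not code from the Azure documentation. Actions and attributes are
transcribed from this page; the rendered text follows the Azure role assignment
condition format (version 2.0). The 'orders' queue, the role name, the scope
placeholders and the request contexts are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# DataActions listed on this page, keyed by display name.
QUEUE_ACTIONS = {
    "Peek messages": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
    "Put a message": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action",
    "Put or update a message": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
    "Clear messages": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
    "Get or delete messages": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action",
}
ACCOUNT_NAME = "Microsoft.Storage/storageAccounts:name"
QUEUE_NAME = "Microsoft.Storage/storageAccounts/queueServices/queues:name"

# Every queue action on this page exposes the same attributes and no request
# attributes, so "available across all selected actions" reduces to one table.
ATTRIBUTES = {
    "Resource": {ACCOUNT_NAME, QUEUE_NAME},
    "Environment": {"isPrivateLink", "Microsoft.Network/privateEndpoints",
                    "Microsoft.Network/virtualNetworks/subnets", "UtcNow"},
}
OPERATORS = {
    "StringEquals": lambda actual, want: actual == want,
    "StringEqualsIgnoreCase": lambda actual, want: actual.lower() == want.lower(),
    "BoolEquals": lambda actual, want: actual is want,
    "DateTimeGreaterThan": lambda actual, want: actual > want,
    "DateTimeLessThan": lambda actual, want: actual < want,
}
UTCNOW_OPERATORS = {"DateTimeGreaterThan", "DateTimeLessThan"}  # the only ones UtcNow allows


@dataclass(frozen=True)
class Clause:
    source: str     # "Resource" or "Environment"
    attribute: str
    operator: str
    value: object   # str, bool or timezone-aware datetime

    def validate(self) -> None:
        if self.attribute not in ATTRIBUTES.get(self.source, set()):
            raise ValueError(f"{self.attribute} is not a {self.source} attribute for queue actions")
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator}")
        if self.attribute == "UtcNow" and self.operator not in UTCNOW_OPERATORS:
            raise ValueError("UtcNow supports only DateTimeGreaterThan and DateTimeLessThan")

    def render(self) -> str:
        if isinstance(self.value, bool):
            literal = "true" if self.value else "false"
        elif isinstance(self.value, datetime):
            literal = "'" + self.value.strftime("%Y-%m-%dT%H:%M:%S.0Z") + "'"
        else:
            literal = f"'{self.value}'"
        return f"@{self.source}[{self.attribute}] {self.operator} {literal}"

    def holds(self, ctx: dict) -> bool:
        if self.attribute not in ctx:   # an attribute the request lacks never satisfies a clause
            return False
        return OPERATORS[self.operator](ctx[self.attribute], self.value)


def build_condition(action_names, clauses) -> str:
    """Render the documented shape: (!(ActionMatches{..}) AND ..) OR (clause AND ..)."""
    for clause in clauses:
        clause.validate()
    not_targeted = " AND ".join(f"!(ActionMatches{{'{QUEUE_ACTIONS[n]}'}})" for n in action_names)
    body = " AND ".join(clause.render() for clause in clauses)
    return f"(({not_targeted}) OR ({body}))"


def grants(action_names, clauses, ctx: dict) -> bool:
    # Local approximation of one request's outcome. A condition only narrows the
    # assignment: an action it does not target passes through and the role's own
    # permission decides; a targeted action must satisfy every clause.
    if ctx["action"] not in {QUEUE_ACTIONS[n] for n in action_names}:
        return True
    return all(clause.holds(ctx) for clause in clauses)


def az_command(role, assignee, scope, condition) -> list:
    """Arguments for the real assignment (--condition/--condition-version are az CLI flags)."""
    return ["az", "role", "assignment", "create", "--role", role, "--assignee", assignee,
            "--scope", scope, "--condition", condition, "--condition-version", "2.0"]


# Worked case: a consumer may only peek/dequeue the 'orders' queue, and only over private link.
CONSUMER_ACTIONS = ["Get or delete messages", "Peek messages"]
CONSUMER_CLAUSES = [Clause("Resource", QUEUE_NAME, "StringEquals", "orders"),
                    Clause("Environment", "isPrivateLink", "BoolEquals", True)]
CONSUMER_CONDITION = build_condition(CONSUMER_ACTIONS, CONSUMER_CLAUSES)
```

`grants()` is only a local model for reasoning about a condition before assigning it; Azure's own evaluation is authoritative. Two properties it does reproduce are worth keeping in mind when writing queue conditions: a condition never expands what the role grants, it only narrows it for the targeted actions, and because queue actions have no request attributes, anything beyond account name, queue name and the four environment attributes is rejected before it reaches `az`.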