Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article lists some examples of role assignment conditions for controlling access to Azure Queue Storage resources.
Important
Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request, resource, environment, and principal attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.
See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
For information about the prerequisites to add or edit role assignment conditions, see Conditions prerequisites.
Use the following table to quickly locate an example that fits your ABAC scenario. The table includes a brief description of the scenario, plus a list of attributes used in the example by source (environment, principal, request and resource).
| Example | Environment | Principal | Request | Resource |
|---|---|---|---|---|
| Peek or clear messages in a named queue | queue name | |||
| Allow peek access to messages after a specific date and time | UtcNow | queue name | ||
| Allow access to messages in specific queues from a specific subnet | Subnet | queue name | ||
| Principal attributes example | ID |
This section includes examples showing how to restrict access to messages based on queue name.
This condition allows users to peek or clear messages in a queue named sample-queue. This condition is useful for sharing specific queue data with other users in a subscription.
Important
For this condition to be effective for a security principal, you must add it to all role assignments for them that include the following actions: Microsoft.Storage/storageAccounts/queueServices/queues/messages/read and Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs in this article to view the examples for your preferred portal editor.
Select Add action, then select Peek messages and Clear messages:
Use the values in the following table to build the expression portion of the condition:
| Setting | Value |
|---|---|
| Attribute source | Resource |
| Attribute | Queue name |
| Operator | StringEquals |
| Value | {queueName} |
The following image shows the condition after the settings are entered into the Azure portal. You must group expressions to ensure correct evaluation.
This section includes examples showing how to restrict access to queue messages based on the network environment or the current date and time.
This condition allows peek access to the queue sample-queue only after 1:00pm on May 1, 2023 Universal Coordinated Time (UTC).
Important
To make this condition effective for principals that have multiple role assignments, you must add this condition to all role assignments that include the following action: Microsoft.Storage/storageAccounts/queueServices/queues/messages/read.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs below to view the examples for your preferred portal editor.
Select Add action, then select Peek messages:
Use the values in the following table to build the expression portion of the condition:
| Setting | Value |
|---|---|
| Attribute source | Resource |
| Attribute | Queue name |
| Operator | StringEquals |
| Value | {queue-name} |
| Logical operator | 'AND' |
| Attribute source | Environment |
| Attribute | UtcNow |
| Operator | DateTimeGreaterThan |
| Value | 2023-05-01T13:00:00.000Z |
The following image shows the condition after the settings are entered into the Azure portal. You must group expressions to ensure correct evaluation.
This condition allows put or update access to messages in sample-queue only from subnet default on virtual network sample-vnet.
Important
To make this condition effective for principals that have multiple role assignments, you must add this condition to all role assignments that include any of the following actions: Microsoft.Storage/storageAccounts/queueServices/queues/messages/write.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs below to view the examples for your preferred portal editor.
Select Add action, then select Put or update a message:
Use the values in the following table to build the expression portion of the condition:
| Setting | Value |
|---|---|
| Attribute source | Resource |
| Attribute | Queue name |
| Operator | StringEquals |
| Value | container1 |
| Logical operator | 'AND' |
| Attribute source | Environment |
| Attribute | Subnet |
| Operator | StringEqualsIgnoreCase |
| Value | /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/sample-vnet/subnets/default |
The following image shows the condition after the settings are entered into the Azure portal. You must group expressions to ensure correct evaluation.
To see a full example of how to use principal attributes to allow access to blob data, see Allow read access to blobs based on tags and custom security attributes.