| title | Actions and attributes for Azure role assignment conditions for Azure Queue Storage |
|---|---|
| titleSuffix | Azure Storage |
| description | Supported actions and attributes for Azure role assignment conditions and Azure attribute-based access control (Azure ABAC) for Azure Queue Storage. |
| services | storage |
| author | pauljewellmsft |
| ms.service | azure-queue-storage |
| ms.topic | concept-article |
| ms.date | 05/09/2023 |
| ms.author | pauljewell |
| ms.reviewer | nachakra |
This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Queue service operations that a specific permission or DataAction affects, see Permissions for Queue service operations.
To understand the role assignment condition format, see Azure role assignment condition format and syntax.
[!INCLUDE storage-abac-preview]
This section lists the supported Azure Queue Storage actions you can target for conditions.
Storage accounts support the following actions:
| Display name | DataAction |
|---|---|
| Peek messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/read |
| Put a message | Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action |
| Put or update a message | Microsoft.Storage/storageAccounts/queueServices/queues/messages/write |
| Clear messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete |
| Get or delete messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Peek messages |
| Description | DataAction for peeking messages. |
| DataAction | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` |
| Resource attributes | Account name<br/>Queue name |
| Request attributes | |
| Principal attributes support | True |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Put a message |
| Description | DataAction for putting a message. |
| DataAction | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` |
| Resource attributes | Account name<br/>Queue name |
| Request attributes | |
| Principal attributes support | True |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Put or update a message |
| Description | DataAction for putting or updating a message. |
| DataAction | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` |
| Resource attributes | Account name<br/>Queue name |
| Request attributes | |
| Principal attributes support | True |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Clear messages |
| Description | DataAction for clearing messages. |
| DataAction | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete` |
| Resource attributes | Account name<br/>Queue name |
| Request attributes | |
| Principal attributes support | True |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Get or delete messages |
| Description | DataAction for getting or deleting messages. |
| DataAction | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` |
| Resource attributes | Account name<br/>Queue name |
| Request attributes | |
| Principal attributes support | True |
This section lists the Azure Queue Storage attributes you can use in your condition expressions, depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from, because an attribute can only be used when it is available across all of the selected actions.
[!NOTE]
Attributes and values listed are considered case-insensitive, unless stated otherwise.
The following table summarizes the available attributes by source:
| Attribute source | Display name | Description |
|---|---|---|
| Environment | Is private link | Whether access is over a private link |
| Environment | Private endpoint | The private endpoint over which an object is accessed |
| Environment | Subnet | The subnet over which an object is accessed |
| Environment | UTC now | The current date and time in Coordinated Universal Time |
| Resource | Account name | The storage account name |
| Resource | Queue name | The storage queue name |
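The tables above give the DataActions a condition can target and the attributes each one exposes, together with the rule that a condition spanning several actions may only use attributes common to all of them. The following Python is an added example, not code from the Microsoft article: it encodes that catalogue, checks the attribute and operator combinations the article allows (including the UTC now restriction to `DateTimeGreaterThan`/`DateTimeLessThan`), and renders a condition string in the documented Azure condition format (`ActionMatches{...}`, `@Resource[...]`, `@Environment[...]`). The queue name `orders` is a constructed sample value.

```python
"""Added example (not from the Microsoft article): build an Azure role
assignment condition for Queue Storage from the DataActions and attributes the
article lists, validating attribute/operator combinations before the string is
handed to Azure.  Sample names are constructed."""

from datetime import datetime, timezone

# DataActions from the article's actions table: display name -> DataAction.
QUEUE_ACTIONS = {
    "Peek messages": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
    "Put a message": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action",
    "Put or update a message": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
    "Clear messages": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
    "Get or delete messages": "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action",
}

# Attribute catalogue from the article: display name -> (source, attribute id, type).
ATTRIBUTES = {
    "Account name": ("Resource", "Microsoft.Storage/storageAccounts:name", "String"),
    "Queue name": ("Resource", "Microsoft.Storage/storageAccounts/queueServices/queues:name", "String"),
    "Is private link": ("Environment", "isPrivateLink", "Boolean"),
    "Private endpoint": ("Environment", "Microsoft.Network/privateEndpoints", "String"),
    "Subnet": ("Environment", "Microsoft.Network/virtualNetworks/subnets", "String"),
    "UTC now": ("Environment", "UtcNow", "DateTime"),
}

# Resource attributes each action exposes.  Every action table in the article
# lists Account name and Queue name; environment attributes apply to all actions.
ACTION_RESOURCE_ATTRIBUTES = {a: {"Account name", "Queue name"} for a in QUEUE_ACTIONS.values()}

# Operators accepted per attribute type, limited to those the article shows.
# UtcNow is explicitly restricted to DateTimeGreaterThan / DateTimeLessThan.
OPERATORS = {
    "String": {"StringEquals", "StringEqualsIgnoreCase"},
    "Boolean": {"BoolEquals"},
    "DateTime": {"DateTimeGreaterThan", "DateTimeLessThan"},
}


def available_attributes(actions):
    """Attributes one condition may use when it targets all of `actions`: the
    intersection of the per-action resource attributes plus environment attributes."""
    if not actions:
        raise ValueError("a condition must target at least one DataAction")
    unknown = [a for a in actions if a not in ACTION_RESOURCE_ATTRIBUTES]
    if unknown:
        raise ValueError(f"not a Queue Storage DataAction: {unknown}")
    resource = set.intersection(*(ACTION_RESOURCE_ATTRIBUTES[a] for a in actions))
    environment = {n for n, (src, _, _) in ATTRIBUTES.items() if src == "Environment"}
    return sorted(resource | environment)


def _literal(attr_type, value):
    """Render a literal the way the condition language expects it."""
    if attr_type == "Boolean":
        if not isinstance(value, bool):
            raise TypeError("Boolean attribute needs a bool")
        return "true" if value else "false"
    if attr_type == "DateTime":
        if not isinstance(value, datetime) or value.tzinfo is None:
            raise TypeError("DateTime attribute needs a timezone-aware datetime")
        return "'" + value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.0Z") + "'"
    if "'" in str(value):
        raise ValueError("single quotes in string literals are not supported by this builder")
    return f"'{value}'"


def build_condition(actions, clauses):
    """Return a condition string.  `clauses` is a list of
    (attribute display name, operator, value); clauses are ANDed.  The leading
    !(ActionMatches...) OR makes the condition apply only to the listed actions,
    so every other action the role grants is left unconditional."""
    allowed = available_attributes(actions)
    rendered = []
    for name, op, value in clauses:
        if name not in allowed:
            raise ValueError(f"{name!r} is not available across all selected actions")
        source, attr_id, attr_type = ATTRIBUTES[name]
        if op not in OPERATORS[attr_type]:
            raise ValueError(f"{op} is not valid for {name} ({attr_type})")
        rendered.append(f"@{source}[{attr_id}] {op} {_literal(attr_type, value)}")
    matches = " OR ".join(f"ActionMatches{{'{a}'}}" for a in actions)
    return "(\n (\n  !(" + matches + ")\n )\n OR\n (\n  " + "\n  AND ".join(rendered) + "\n )\n)"


if __name__ == "__main__":
    # Constructed sample: peeking or processing messages on the hypothetical
    # queue "orders" is allowed only over a private link.
    print(build_condition(
        [QUEUE_ACTIONS["Peek messages"], QUEUE_ACTIONS["Get or delete messages"]],
        [("Queue name", "StringEquals", "orders"), ("Is private link", "BoolEquals", True)],
    ))
```

The printed string can be passed to `az role assignment create` through its `--condition` and `--condition-version 2.0` parameters. Validating before submission matters because a clause naming an attribute that one of the selected actions does not expose, or an operator the attribute type does not support, is rejected by Azure only at assignment time, and the builder surfaces that as a `ValueError` instead.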
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Account name |
| Description | Name of a storage account. |
| Attribute | `Microsoft.Storage/storageAccounts:name` |
| Attribute source | Resource |
| Attribute type | String |
| Examples | `@Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount'` |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Is private link |
| Description | Whether access is over a private link.<br/>Use to require access over any private endpoint. |
| Attribute | `isPrivateLink` |
| Attribute source | Environment |
| Attribute type | Boolean |
| Examples | `@Environment[isPrivateLink] BoolEquals true`<br/>Example: Require private link access to read blobs with high sensitivity |
| Learn more | Use private endpoints for Azure Storage |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Private endpoint |
| Description | The private endpoint over which an object is accessed.<br/>Use to restrict access over a specific private endpoint.<br/>Available only for storage accounts in subscriptions that have at least one private endpoint configured. |
| Attribute | `Microsoft.Network/privateEndpoints` |
| Attribute source | Environment |
| Attribute type | String |
| Examples | `@Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'`<br/>Example: Allow read access to a container only from a specific private endpoint |
| Learn more | Use private endpoints for Azure Storage |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Queue name |
| Description | Name of a storage queue. |
| Attribute | `Microsoft.Storage/storageAccounts/queueServices/queues:name` |
| Attribute source | Resource |
| Attribute type | String |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Subnet |
| Description | The subnet over which an object is accessed.<br/>Use to restrict access to a specific subnet.<br/>Available only for storage accounts in subscriptions that have at least one virtual network subnet configured. |
| Attribute | `Microsoft.Network/virtualNetworks/subnets` |
| Attribute source | Environment |
| Attribute type | String |
| Examples | `@Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'`<br/>Example: Allow access to blobs in specific containers from a specific subnet |
| Learn more | Subnets |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | UTC now |
| Description | The current date and time in Coordinated Universal Time.<br/>Use to control access to objects for a specific date and time period. |
| Attribute | `UtcNow` |
| Attribute source | Environment |
| Attribute type | DateTime<br/>(Only the operators `DateTimeGreaterThan` and `DateTimeLessThan` are supported for the UTC now attribute.) |
| Examples | `@Environment[UtcNow] DateTimeGreaterThan '2023-05-01T13:00:00.0Z'`<br/>Example: Allow read access to blobs after a specific date and time |
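The attribute tables describe what each attribute carries at request time but not how a condition's clauses combine against a concrete request. The following Python is an added example, not code from the Microsoft article and not Azure's evaluation engine: a deliberately small local model that covers only the operators shown on this page (`StringEquals`, `StringEqualsIgnoreCase`, `BoolEquals`, `DateTimeGreaterThan`, `DateTimeLessThan`), looks attribute names up case-insensitively as the note above states, treats a condition as not applying to actions it does not target, and never satisfies a clause whose attribute is absent from the request. It is meant for unit-testing the intent of a condition before it is assigned; all request values, the queue name `orders`, and the timestamps are constructed samples.

```python
"""Added example (not from the Microsoft article): a simplified local model of
condition evaluation for the Queue Storage attributes on this page.  It is not
Azure's engine; it exists so a condition's intent can be unit-tested offline."""

from datetime import datetime, timezone

# DataActions from the article.
READ = "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
PROCESS = "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
ADD = "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
# Resource attribute id for the queue name, from the article.
QUEUE_NAME = "Microsoft.Storage/storageAccounts/queueServices/queues:name"


def _parse_dt(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SS.0Z' literal form the article uses for UtcNow."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _compare(op, actual, expected):
    """Operators shown on this page.  StringEquals is exact; only the
    IgnoreCase variant folds case (the note about case-insensitivity concerns
    attribute names and listed values, not string comparisons)."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringEqualsIgnoreCase":
        return actual.casefold() == expected.casefold()
    if op == "BoolEquals":
        return isinstance(actual, bool) and actual == expected
    if op == "DateTimeGreaterThan":
        return actual > _parse_dt(expected)
    if op == "DateTimeLessThan":
        return actual < _parse_dt(expected)
    raise ValueError(f"operator not modelled here: {op}")


def evaluate(condition, request):
    """condition: {'actions': set of DataActions, 'clauses': [(attr, op, value), ...]}
    request:   {'action': DataAction, 'attributes': {attr name: value}}
    Returns True when the request passes the condition.  A condition that does
    not target the request's action leaves the role permission unrestricted; a
    clause whose attribute the request lacks (e.g. no private endpoint on a
    public request) fails."""
    if request["action"] not in condition["actions"]:
        return True
    attrs = {k.casefold(): v for k, v in request["attributes"].items()}
    for attr, op, value in condition["clauses"]:
        key = attr.casefold()
        if key not in attrs or not _compare(op, attrs[key], value):
            return False
    return True


# Constructed condition: peek/process on queue "orders" only over a private link
# and only after 2023-05-01T13:00:00Z (sample values).
CONDITION = {
    "actions": {READ, PROCESS},
    "clauses": [
        (QUEUE_NAME, "StringEquals", "orders"),
        ("isPrivateLink", "BoolEquals", True),
        ("UtcNow", "DateTimeGreaterThan", "2023-05-01T13:00:00.0Z"),
    ],
}


def sample_requests():
    """Constructed requests exercising each way the condition can pass or fail.
    Returns {label: allowed}."""
    now = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)
    base = {QUEUE_NAME: "orders", "isPrivateLink": True, "UtcNow": now}
    without_link_attr = {k: v for k, v in base.items() if k != "isPrivateLink"}
    cases = {
        "read_over_private_link": (READ, dict(base)),
        "read_over_public": (READ, {**base, "isPrivateLink": False}),
        "read_other_queue": (READ, {**base, QUEUE_NAME: "audit"}),
        "read_before_start": (READ, {**base, "UtcNow": datetime(2023, 4, 1, tzinfo=timezone.utc)}),
        "add_not_targeted": (ADD, {**base, "isPrivateLink": False}),
        "missing_private_link_attribute": (READ, without_link_attr),
    }
    return {label: evaluate(CONDITION, {"action": action, "attributes": attrs})
            for label, (action, attrs) in cases.items()}


if __name__ == "__main__":
    for label, allowed in sample_requests().items():
        print(f"{label:32} {'allow' if allowed else 'deny'}")
```

The `add_not_targeted` case is the one most worth noticing when reviewing a condition: because the condition only targets the read and process actions, a put over a public endpoint is still allowed by the role, so restricting every queue operation to a private link requires naming every DataAction the role grants.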