Azure Docs

Queue Storage Access Control

This document outlines the various methods for controlling access to Azure Queue Storage, ensuring data security and integrity.

1. Shared Key Access

Shared key authorization is the simplest method for authenticating access to your storage account. Each storage account has two keys, a primary and a secondary access key, and either key grants full access to all data in the storage account. It is recommended to regenerate the keys periodically for security purposes.

Requests to Queue Storage are authenticated by including a signature in the request. The signature is computed from the request's components using your account's access key. You can retrieve your storage account keys from the Azure portal.

Recommendation: For production applications, it is highly recommended to use Azure Active Directory (Azure AD) for authentication and authorization instead of shared keys to enhance security and manageability.

Request Authentication with Shared Key

To authenticate a request using a shared key, you construct a canonicalized string from the request elements and compute an HMAC-SHA256 over that string, using the storage account's access key as the HMAC key. The resulting MAC is base64-encoded and included in the Authorization header of the request:

Authorization: SharedKey <account-name>:<signature>
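The signing procedure described above, worked through in Python with only the standard library. This is an added example, not code from the Azure documentation or the Azure SDK; the account name, the request, and the base64 key are constructed sample values (the portal shows real keys base64-encoded, and the HMAC uses the decoded bytes). In practice the SDKs perform this step for you, but seeing the string-to-sign makes clear why the shared key must be treated as a full-access secret.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse, parse_qs

# Standard headers in the order the Queue service Shared Key string-to-sign requires.
_STANDARD_HEADERS = (
    "content-encoding", "content-language", "content-length", "content-md5",
    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
    "if-unmodified-since", "range",
)

# Constructed sample values; not a real account or key.
ACCOUNT = "devaccount"
DEMO_KEY_B64 = base64.b64encode(b"constructed demo key, not a real secret").decode()
SAMPLE_URL = f"https://{ACCOUNT}.queue.core.windows.net/myqueue/messages?peekonly=true&numofmessages=5"
SAMPLE_HEADERS = {"x-ms-date": "Mon, 01 Jan 2024 00:00:00 GMT", "x-ms-version": "2019-10-10"}


def string_to_sign(method: str, url: str, headers: dict, account: str) -> str:
    """Build the canonicalized string that Shared Key authorization signs."""
    h = {k.lower().strip(): v.strip() for k, v in headers.items()}
    # Content-Length is signed as an empty string when it is zero or absent.
    if h.get("content-length") in (None, "0"):
        h["content-length"] = ""
    lines = [method.upper()] + [h.get(name, "") for name in _STANDARD_HEADERS]
    # CanonicalizedHeaders: every x-ms-* header, lowercased, sorted, "name:value\n".
    canon_headers = "".join(f"{k}:{h[k]}\n" for k in sorted(h) if k.startswith("x-ms-"))
    # CanonicalizedResource: /<account>/<path>, then each query parameter as "\nname:value"
    # with names lowercased and sorted, and multiple values joined by commas.
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    resource = f"/{account}{parsed.path}"
    for name in sorted(params, key=str.lower):
        resource += f"\n{name.lower()}:{','.join(sorted(params[name]))}"
    return "\n".join(lines) + "\n" + canon_headers + resource


def sign_request(method: str, url: str, headers: dict, account: str, key_b64: str) -> str:
    """Return the Authorization header value: SharedKey <account>:<base64 HMAC-SHA256>."""
    key = base64.b64decode(key_b64)  # HMAC key is the decoded account key
    sts = string_to_sign(method, url, headers, account)
    mac = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(mac).decode('ascii')}"


if __name__ == "__main__":
    print(string_to_sign("GET", SAMPLE_URL, SAMPLE_HEADERS, ACCOUNT))
    print(sign_request("GET", SAMPLE_URL, SAMPLE_HEADERS, ACCOUNT, DEMO_KEY_B64))
```

Any change to the method, path, query string or x-ms-* headers alters the string-to-sign and therefore the signature, which is what prevents a captured Authorization header from being replayed against a different request.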

2. Azure Active Directory (Azure AD) Authentication

Azure AD provides a more robust and secure way to manage access to Azure Queue Storage. You can grant permissions to users, groups, applications, or managed identities by assigning Azure roles.

Queue Storage supports Azure AD authentication for the Queue data operations using OAuth 2.0 bearer tokens.

Granting Access with Azure AD Roles

The following Azure roles can be assigned to principals for access to queue data:

Role Name                             | Permissions                 | Description
Storage Queue Data Contributor        | Read, Write, Delete         | Allows managing queues and their messages.
Storage Queue Data Reader             | Read                        | Allows reading queue and message data.
Storage Queue Data Message Processor  | Peek, Get, Delete Messages  | Allows processing messages in queues.
Storage Queue Data Sender             | Add Message                 | Allows sending messages to queues.

Obtaining an Azure AD Token

Applications can obtain an Azure AD token by authenticating with Azure AD. Once you have a token, you can include it in the Authorization header of your requests to Queue Storage.

Example C# Snippet (Illustrative)

using System;
using Azure.Identity;
using Azure.Storage.Queues;

// Replace with your queue URL
string queueUrl = "https://your-storage-account.queue.core.windows.net/myqueue";

// Authenticate using DefaultAzureCredential (supports managed identities, service principals, etc.);
// the QueueClient attaches the Azure AD bearer token to each request for you.
var credential = new DefaultAzureCredential();
var queueClient = new QueueClient(new Uri(queueUrl), credential);

// Send a message (requires a role that grants Add Message, e.g. Storage Queue Data Sender)
await queueClient.SendMessageAsync("Hello, Azure Queue Storage!");

// Peek at a message (requires a role that grants Peek, e.g. Storage Queue Data Message Processor)
var peekedMessage = await queueClient.PeekMessageAsync();
if (peekedMessage.HasValue)
{
    Console.WriteLine($"Peeked message: {peekedMessage.Value.MessageText}");
}

3. Shared Access Signatures (SAS)

A Shared Access Signature (SAS) provides a delegated way to grant limited permissions to access Azure Queue Storage resources without needing to share your account access keys. SAS tokens are typically time-bound and can be configured with specific permissions.

Types of SAS

SAS URI Format

A SAS token is appended to the resource URI. The query parameters specify the access policy and the signature:

https://myaccount.queue.core.windows.net/myqueue?sv=2019-10-10&ss=q&srt=sco&sp=rwdlacupx&se=2023-12-31T12:00:00Z&st=2023-01-01T12:00:00Z&spr=https&sig=aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890ABCDEFG

Key components of a SAS token include:

Choosing the Right Access Method

Understanding and implementing appropriate access control mechanisms is crucial for securing your Azure Queue Storage data.