Azure Storage - Restrict IP in SAS when using Stored Access Policy

Question

In Azure Storage Accounts, I've started using the SAS (Shared Access Signature) and SAP (Stored Access Policy) to secure access to specific queues in Azure Storage Queues.

What I'd like to achieve is restricting specific IP's to specific queues (1.1.1.1 can access queueA but 2.2.2.2 can't).

Currently I've seen I can use the Storage Account level SAS to restrict IP's, as well as set restrictions in the Networking section of the Portal. These don't quite cut it.

(I am aware of the following question, but wasn't satisfied with the responses, which say to try setting the Networking of the Storage Account - Is it possible to filtre on IP address for Azure STORAGE SAS with ACCESS POLICY?)

Thanks

Answer 1

You can use code to create a service SAS token for that queue(for example, the queue named queueA), then associate it with Stored Access Policy.

For example(please modify the code to meet your need):

        QueueClient queueClient = new QueueClient(connectionString, "queueA");

        //create a service SAS 
        QueueSasBuilder sasBuilder = new QueueSasBuilder()
        {
            QueueName = "queueA",

            //set the ip here
            IPRange = new SasIPRange(IPAddress.Parse("172.16.0.1"))
        };

        //associate the service SAS with the Stored Access Policy
        sasBuilder.Identifier = storedPolicyName;

        //then you can use this uri with sas token to operate this queue
        Uri sasUri = queueClient.GenerateSasUri(sasBuilder);

For more details, you can refer to this article(it's for blob storage, but you can easy to modify it for queue storage).