I am searching for a way to create a SAS token with fine-grained control for each operation (GET, WRITE, LIST, etc.) and restrict based on IP.
Use case:
I want to enable everyone outside our organisation to LIST and GET files from our azure blob storage, but only people within our organisation (IP Range) should be allowed to WRITE and DELETE files. All with the same SAS token.
I am aware that azure SAS token can be restricted to IP ranges but as I've outlined in my use case this would not be sufficient. I am also aware of this being possible with AWS S3 and policies which are attached to a IAM user or delegated access role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictIP",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [...],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"21.21.21.0/24"
]
}
}
},
{
"Sid": "Allow",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [...]
}
]
}
Is there some similar functionality in Azure that I am overlooking? Or would a different non-SAS token approach be better suited for my use-case?