Basically I'm trying to implement with Azure the following AWS pattern:
How it this possible with Azure?
On
Allow this role to access a certain container (AWS bucket equivalent) as read only and download from there.
For now, Azure does not support AD-based authentication or ACLs.
As a workaround, we can use shared access signatures (SAS).
A shared access signature (SAS) provides you with a way to grant limited access to objects in your storage account to other clients, without exposing your account key.
More information about Azure SAS, please refer to this link.
On
You can do this in Preview with "Managed Service Identity" (MSI)
Linux doc here: https://learn.microsoft.com/en-us/azure/active-directory/msi-tutorial-linux-vm-access-storage
Windows doc here: https://learn.microsoft.com/en-us/azure/active-directory/msi-tutorial-windows-vm-access-storage
The equivalent to IAM in AWS to Azure is Role-Based Access Control .
You can use Role-Based Access Control to manage access to your Azure subscription resources.
Also if you wish you can create custom roles you can refer this, Creating custom roles for Azure Role-Based Access Control.
You can refer this for custom user roles, Assign custom roles for internal and external users