Tags: azure, azure-storage, azure-storage-queues

Azure Queue Storage - SAS permissions without delete


I have a storage-account used by multiple users. The access should be limited by a SAS-Token. The client needs the rights to confirm that his message is delivered and processed. He isn't allowed to update or delete the messages.

Which permissions do I need to set for my SAS-Token?

As far as I know it should be "Read", "Write" and "Add"?, but for reading messages "Process" is needed, which includes deletes.


Solution

  • Queue Permission

    See whether the permission settings above are suitable for your requirement.

    For queue messages, the Read permission allows us to peek messages (the example is to get the next message; we can also use queue.PeekMessages to peek all messages in the queue); we don't need the Process permission.

    The Add permission lets us add messages to the queue (queue.AddMessage). As for the Write permission, it's to create new queues. If you want to grant this permission, also click on Container under Allowed resource types.
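A way to check a token before it is handed to a client, as an added example that is not part of the original answer: it parses the SAS query string and reports anything beyond Read and Add, including Update and Process. The function name, the policy set and both sample tokens (with placeholder signatures) are assumptions made for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# SAS permission letters carried in the sp field.
PERMISSIONS = {
    "r": "Read (peek messages, read metadata)",
    "a": "Add (enqueue messages)",
    "u": "Update (modify messages)",
    "p": "Process (get and delete messages)",
    "w": "Write", "d": "Delete", "l": "List", "c": "Create",
}
# Assumed policy for the client in the question: peek and add only.
ALLOWED = set("ra")

# Constructed sample tokens; the sig values are placeholders, not real signatures.
GOOD = "sv=2019-12-12&ss=q&srt=o&sp=ra&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
BAD = "?sv=2019-12-12&ss=bq&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER"


def audit_sas(token, now=None):
    """Return a list of findings for a SAS query string; empty means it fits the policy."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    if not q.get("sp"):
        findings.append("sp missing: no permissions field")
    for letter in sorted(set(q.get("sp", "")) - ALLOWED):
        findings.append("sp grants " + PERMISSIONS.get(letter, "unknown permission " + letter))
    # ss appears only on an account SAS; a service SAS is already bound to one queue.
    if "ss" in q and q["ss"] != "q":
        findings.append(f"ss={q['ss']} covers services other than queue")
    # When spr is omitted the token is valid over both https and http.
    if q.get("spr", "https,http") != "https":
        findings.append("spr does not restrict the token to https")
    try:
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("se is in the past")
    except (KeyError, ValueError):
        findings.append("se missing or not in YYYY-MM-DDTHH:MM:SSZ form")
    return findings


if __name__ == "__main__":
    for name, token in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_sas(token) or "fits the read+add policy")
```

If queue creation should also be allowed, as the answer mentions for Write, extend ALLOWED accordingly.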