Access Azure Blob using external access token with additional policy
I have a workload that is running outside of Azure. The workload requires a blob stored in Azure in order to run.
The workload can provide a custom token that follows OIDC Protocol (contains iss, sub, aud, exp etc.). The token also contains custom claims in the JWT.
I need to write policy in Azure to allow the workload access to the blob based on certain fields in the token (iss, aud etc.) as well as based on certain custom claims.
Where should I be looking to achieve this workflow? Are there any tutorials for me to look into? I’ve looked into Workload Identity Federation, which seems to be a good fit, but the policy piece there is not obvious (https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation), as well as user-assigned managed identity and Azure Policy.
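As an added illustration of the trust decision the question is about (this is example code written for this page, not Azure's or Entra's implementation): a federated identity credential pins the external token's issuer, subject and audience, and the custom-claim constraints the workload wants are modelled here as extra checks the relying side evaluates before any blob access is granted. The issuer URL, subject, claim names `env` and `team`, and the HS256 shared secret are constructed for the demo; a real OIDC issuer signs with an asymmetric key discovered through its JWKS endpoint, and the verifier would pin that key instead of a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret standing in for the issuer's signing key so the
# example runs offline (assumption: real issuers use RS256/ES256 via JWKS).
DEMO_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWS (header.payload.signature) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_and_decode(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check structure, pinned algorithm and signature; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust the alg the token chooses
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


# Trust policy: the (issuer, subject, audience) triple a federated identity
# credential matches on, plus custom-claim constraints. All values constructed.
POLICY = {
    "issuer": "https://token.example.test",
    "subject": "system:serviceaccount:prod:blob-reader",
    "audience": "api://AzureADTokenExchange",
    "required_claims": {"env": "prod", "team": "data-platform"},
}


def evaluate(token: str, policy: dict = POLICY, now: Optional[float] = None):
    """Return (allowed, reasons); reasons is empty when every check passes."""
    reasons = []
    try:
        claims = verify_and_decode(token)
    except ValueError as err:
        return False, [str(err)]
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"]:
        reasons.append("iss mismatch")
    if claims.get("sub") != policy["subject"]:
        reasons.append("sub mismatch")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # aud may be a list per RFC 7519
    if policy["audience"] not in auds:
        reasons.append("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        reasons.append("expired or missing exp")
    for name, want in policy["required_claims"].items():
        if claims.get(name) != want:
            reasons.append(f"claim {name!r} mismatch")
    return (not reasons), reasons


if __name__ == "__main__":
    demo = mint_token({"iss": POLICY["issuer"], "sub": POLICY["subject"],
                       "aud": POLICY["audience"], "exp": int(time.time()) + 600,
                       "env": "prod", "team": "data-platform"})
    print(evaluate(demo))
```

Every failed check is reported rather than only the first, which is what you want in an audit log when a workload is denied: the operator can see at a glance whether the federation triple or a custom claim was the problem.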