Allow SAS key generation without revealing storage keys
I would like to be able to allow authorized users to generate SAS keys but not see (list) the storage account primary (master) keys. If someone is in possession of a master key, you cannot stop data exfiltration (until you become aware and change the keys). At least with an SAS key, the act of creating it can be detected (e.g., if they create an SAS token without a proper IP address restriction). Furthermore, the act of creating an SAS key is logged in the Azure Activity log.
So I would like to suggest defining a new RBAC action Microsoft.Storage/storageAccounts/createSas/action which would allow a user to generate a SAS key but not see the storage primary keys. Having this permission would also allow users to still create and access data in storage accounts without needing the Microsoft.Storage/storageAccounts/listkeys/action permission, since they technically have access via SAS keys anyway.
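The post's detection argument is that a SAS token, unlike a master key, carries its restrictions in plain view (IP range, expiry, permissions, protocol), so an over-broad one can be flagged when it is created or observed. The following is an added example, not code from the original post or from Azure: a small Python audit that parses the query string of a SAS URL and reports which restrictions are missing. The SAS parameter names (`sip`, `se`, `sp`, `spr`, `sig`) are the real signed-parameter names; the sample URLs, the seven-day lifetime policy and the `PLACEHOLDER` signatures are constructed for the example.

```python
"""Audit the signed parameters of an Azure Storage SAS URL for weak scoping.

Added example (not part of the original feature request). The two sample URLs
are constructed; their 'sig' values are placeholders, not real HMACs.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Policy assumption for this example: longest lifetime tolerated for a
# user-minted SAS token.
MAX_LIFETIME = timedelta(days=7)
# Permission letters that modify data: write, add, create, delete.
# Read ('r') and list ('l') are not in this set.
MUTATING_PERMS = set("wacd")


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters as a flat dict (first value wins)."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _parse_expiry(value: str) -> datetime:
    """Parse the 'se' field (ISO 8601 with 'Z', or date-only) as a UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def audit_sas(url: str, now: datetime, max_lifetime: timedelta = MAX_LIFETIME) -> list:
    """Return a list of findings; an empty list means the token matches policy."""
    params = parse_sas(url)
    if "sig" not in params:
        return ["not a SAS URL: no 'sig' parameter"]

    findings = []

    # 1. IP restriction: without 'sip' the token is usable from any address,
    #    which is exactly the case the post says should be detectable.
    if not params.get("sip"):
        findings.append("no IP restriction (sip missing)")

    # 2. Lifetime: 'se' is the signed expiry. A token valid for years is the
    #    closest thing to a master key a user can mint.
    expiry = params.get("se")
    if not expiry:
        findings.append("no expiry (se missing)")
    else:
        remaining = _parse_expiry(expiry) - now
        if remaining > max_lifetime:
            findings.append(
                f"lifetime {remaining.days} days exceeds {max_lifetime.days} days"
            )

    # 3. Permissions: anything beyond read/list allows tampering or deletion.
    mutating = set(params.get("sp", "")) & MUTATING_PERMS
    if mutating:
        findings.append(f"mutating permissions granted: {''.join(sorted(mutating))}")

    # 4. Protocol: when 'spr' is absent both HTTPS and HTTP are accepted.
    if params.get("spr", "https,http") != "https":
        findings.append("plain HTTP allowed (spr not restricted to https)")

    return findings


# Constructed samples. TIGHT_SAS is read-only, IP-bound, HTTPS-only, 2 days.
TIGHT_SAS = (
    "https://examplestorage.blob.core.windows.net/reports/q1.csv"
    "?sv=2022-11-02&sr=b&sp=r&se=2024-01-03T00%3A00%3A00Z"
    "&sip=203.0.113.0-203.0.113.255&spr=https&sig=PLACEHOLDER"
)
# LOOSE_SAS grants read/add/create/write/delete/list on a whole container,
# from anywhere, over any protocol, until 2030.
LOOSE_SAS = (
    "https://examplestorage.blob.core.windows.net/reports"
    "?sv=2022-11-02&sr=c&sp=racwdl&se=2030-01-01T00%3A00%3A00Z&sig=PLACEHOLDER"
)
# Fixed reference time so the lifetime check is deterministic.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, url in (("tight", TIGHT_SAS), ("loose", LOOSE_SAS)):
        print(name, audit_sas(url, NOW) or ["ok"])
```

The same checks can be applied to the SAS parameters recorded when a token is issued, so that a token created without `sip` (the post's own example) raises an alert rather than being discovered only after the data has left.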