I want to add users to a subscription and give them the ability to read storage account keys on a single storage account only. I can't find a subscription role that lets them log in, without seeing ALL storage accounts or seeing all resources. What role/IAM configuration should I use to accomplish this?
You need to create a custom role with ListKey permission and then create a role assignment on that specific storage account resource.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
If this is a classic storage account, the action would be microsoft.classicstorage/storageaccounts/listkeys/action.
If this is an ARM-based v2 storage account, the action would be microsoft.storage/storageaccounts/listkeys/action.
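The custom role and resource-scoped assignment described in the answer above, written out with the Azure CLI as an added example that is not part of the original thread. The subscription ID, resource group, account name, user and role name are constructed placeholders, and the scope check is an extra guard added here so the assignment cannot be made at subscription or resource-group level by mistake.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. All IDs and names are placeholders.

ROLE_NAME="Storage Account Key Reader (single account)"   # hypothetical role name

# ARM resource ID of one storage account: the scope the role is assigned at.
storage_scope() {  # args: subscription-id resource-group account-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Succeeds only when the scope names exactly one storage account, so a
# subscription- or resource-group-wide assignment is rejected before it is made.
is_single_account_scope() {  # args: scope
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Storage/storageAccounts/[a-z0-9]{3,24}$'
}

# Custom role definition carrying only the listkeys action named in the answer
# (ARM storage account; a classic account uses the classicstorage action instead).
role_definition_json() {  # args: subscription-id resource-group
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "List access keys on storage accounts this role is assigned to.",
  "Actions": ["Microsoft.Storage/storageAccounts/listkeys/action"],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$1/resourceGroups/$2"]
}
EOF
}

# Creates the role, then assigns it on the one account. Needs a logged-in Azure CLI.
apply_assignment() {  # args: subscription-id resource-group account-name assignee
  scope=$(storage_scope "$1" "$2" "$3")
  is_single_account_scope "$scope" || { echo "refusing scope: $scope" >&2; return 1; }
  az role definition create --role-definition "$(role_definition_json "$1" "$2")" &&
    az role assignment create --assignee "$4" --role "$ROLE_NAME" --scope "$scope"
}

# Run with --apply to make the changes; without it the file only defines functions.
if [ "${1:-}" = "--apply" ]; then
  apply_assignment "00000000-0000-0000-0000-000000000000" "rg-example" \
    "examplestore01" "user@example.com"
fi
```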