Forum Discussion
Use Microsoft.Azure.Cdn service principal to grant access to private container?
Hello,
I'm trying several methods to access a private container within a StorageAccount containing multiple containers (all set to private), just to get a hold of the concepts.
In this scenario, I would like to have only one of the containers accessible in order to share images on a public website for example. Generating an access policy for this container only and generating a SAS attached to this policy allows to give access only to this container. SAS can be made public or hidden using rewrite rule in FrontDoor/CDNPremium.
Yet, I tried another approach to mimic what's possible on AWS w/ s3+CloudFront: giving CloudFront service principal reading privilege on a bucket:
1. enable Microsoft.Azure.Cdn service principal using GIUD `az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8`
2. assign Storage Blob Data Reader role to my container for this service principal from the Azure Portal
3. trying to access the files through the CDN w/o the SAS: not working 🙂
Is this method supposed to work or I'm a missing a step?
Best regards
How about considering managed identities?
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- angielebaCopper ContributorI solved it adding to the private Blob storage, in the Network section with no public access expect for specific IPs, the IP of the CDN. You can find all Azure IPs in this file https://www.microsoft.com/en-us/download/details.aspx?id=56519 and I used 147.243.0.0/16. Hope this helps someone