Forum Discussion

milkmix_'s avatar
milkmix_
Copper Contributor
Dec 11, 2020

Use Microsoft.Azure.Cdn service principal to grant access to private container?

Hello,

 

I'm trying several methods to access a private container within a StorageAccount containing multiple containers (all set to private), just to get a hold of the concepts.

 

In this scenario, I would like to have only one of the containers accessible in order to share images on a public website for example. Generating an access policy for this container only and generating a SAS attached to this policy allows to give access only to this container. SAS can be made public or hidden using rewrite rule in FrontDoor/CDNPremium.

 

Yet, I tried another approach to mimic what's possible on AWS w/ s3+CloudFront: giving CloudFront service principal reading privilege on a bucket:

1. enable Microsoft.Azure.Cdn service principal using GIUD `az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8`

2. assign Storage Blob Data Reader role to my container for this service principal from the Azure Portal

3. trying to access the files through the CDN w/o the SAS: not working 🙂

 

Is this method supposed to work or I'm a missing a step?

 

Best regards

 

Resources