cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Use Microsoft.Azure.Cdn service principal to grant access to private container?

milkmix_
Copper Contributor

‎Dec 11 2020 12:17 AM - edited ‎Dec 13 2020 02:25 AM

‎Dec 11 2020 12:17 AM - edited ‎Dec 13 2020 02:25 AM

Use Microsoft.Azure.Cdn service principal to grant access to private container?

Hello,

 

I'm trying several methods to access a private container within a StorageAccount containing multiple containers (all set to private), just to get a hold of the concepts.

 

In this scenario, I would like to have only one of the containers accessible in order to share images on a public website for example. Generating an access policy for this container only and generating a SAS attached to this policy allows to give access only to this container. SAS can be made public or hidden using rewrite rule in FrontDoor/CDNPremium.

 

Yet, I tried another approach to mimic what's possible on AWS w/ s3+CloudFront: giving CloudFront service principal reading privilege on a bucket:

1. enable Microsoft.Azure.Cdn service principal using GIUD `az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8`

2. assign Storage Blob Data Reader role to my container for this service principal from the Azure Portal

3. trying to access the files through the CDN w/o the SAS: not working :)

 

Is this method supposed to work or I'm a missing a step?

 

Best regards

 

2,400 Views
0 Likes
4 Replies
Reply
4 Replies
angieleba

‎Apr 06 2023 07:16 AM

‎Apr 06 2023 07:16 AM

Re: Use Microsoft.Azure.Cdn service principal to grant access to private container?

@milkmix_ Hi, did you manage to solve this? I am in the same situation :\ 

0 Likes
Reply
angieleba

‎Apr 10 2023 06:43 AM - edited ‎Apr 10 2023 06:43 AM

‎Apr 10 2023 06:43 AM - edited ‎Apr 10 2023 06:43 AM

Re: Use Microsoft.Azure.Cdn service principal to grant access to private container?

@Kidd_Ip I tried this but nothing. Created a User Assigned Identity and assigned it to CDN. On the blob storage side, I gave Owner and Bob read/write permissions to that User Assigned Identity.  Very strange and kinda weird there are no clear instructions for this. 

0 Likes
Reply
angieleba

‎Apr 10 2023 10:06 AM

‎Apr 10 2023 10:06 AM

Re: Use Microsoft.Azure.Cdn service principal to grant access to private container?

I solved it adding to the private Blob storage, in the Network section with no public access expect for specific IPs, the IP of the CDN. You can find all Azure IPs in this file https://www.microsoft.com/en-us/download/details.aspx?id=56519 and I used 147.243.0.0/16. Hope this helps someone
0 Likes
Reply