Use Microsoft.Azure.Cdn service principal to grant access to private container?

Occasional Contributor



I'm trying several methods to access a private container within a StorageAccount containing multiple containers (all set to private), just to get a hold of the concepts.


In this scenario, I would like to have only one of the containers accessible in order to share images on a public website for example. Generating an access policy for this container only and generating a SAS attached to this policy allows to give access only to this container. SAS can be made public or hidden using rewrite rule in FrontDoor/CDNPremium.


Yet, I tried another approach to mimic what's possible on AWS w/ s3+CloudFront: giving CloudFront service principal reading privilege on a bucket:

1. enable Microsoft.Azure.Cdn service principal using GIUD `az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8`

2. assign Storage Blob Data Reader role to my container for this service principal from the Azure Portal

3. trying to access the files through the CDN w/o the SAS: not working :)


Is this method supposed to work or I'm a missing a step?


Best regards


0 Replies