I'm trying several methods to access a private container within a StorageAccount containing multiple containers (all set to private), just to get a hold of the concepts.
In this scenario, I would like to have only one of the containers accessible in order to share images on a public website for example. Generating an access policy for this container only and generating a SAS attached to this policy allows to give access only to this container. SAS can be made public or hidden using rewrite rule in FrontDoor/CDNPremium.
Yet, I tried another approach to mimic what's possible on AWS w/ s3+CloudFront: giving CloudFront service principal reading privilege on a bucket:
1. enable Microsoft.Azure.Cdn service principal using GIUD `az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8`
2. assign Storage Blob Data Reader role to my container for this service principal from the Azure Portal
3. trying to access the files through the CDN w/o the SAS: not working :)
Is this method supposed to work or I'm a missing a step?