Use Microsoft.Azure.Cdn service principal to grant access to private container?

Copper Contributor



I'm trying several methods to access a private container within a StorageAccount containing multiple containers (all set to private), just to get a hold of the concepts.


In this scenario, I would like to have only one of the containers accessible in order to share images on a public website for example. Generating an access policy for this container only and generating a SAS attached to this policy allows to give access only to this container. SAS can be made public or hidden using rewrite rule in FrontDoor/CDNPremium.


Yet, I tried another approach to mimic what's possible on AWS w/ s3+CloudFront: giving CloudFront service principal reading privilege on a bucket:

1. enable Microsoft.Azure.Cdn service principal using GIUD `az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8`

2. assign Storage Blob Data Reader role to my container for this service principal from the Azure Portal

3. trying to access the files through the CDN w/o the SAS: not working :)


Is this method supposed to work or I'm a missing a step?


Best regards


4 Replies

@milkmix_ Hi, did you manage to solve this? I am in the same situation :\ 

@Kidd_Ip I tried this but nothing. Created a User Assigned Identity and assigned it to CDN. On the blob storage side, I gave Owner and Bob read/write permissions to that User Assigned Identity.  Very strange and kinda weird there are no clear instructions for this. 

I solved it adding to the private Blob storage, in the Network section with no public access expect for specific IPs, the IP of the CDN. You can find all Azure IPs in this file and I used Hope this helps someone