Use Microsoft.Azure.Cdn service principal to grant access to private container?

Hello,

I'm trying several methods to access a private container within a Storage Account containing multiple containers (all set to private), just to get hold of the concepts.

In this scenario, I would like to have only one of the containers accessible, in order to share images on a public website for example. Generating an access policy for this container only and generating a SAS attached to this policy makes it possible to give access only to this container. The SAS can be made public or hidden using a rewrite rule in Front Door/CDN Premium.

Yet, I tried another approach to mimic what's possible on AWS with S3 + CloudFront, giving the CloudFront service principal read privileges on a bucket:

1. Enable the Microsoft.Azure.Cdn service principal using its GUID: `az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8`

2. Assign the Storage Blob Data Reader role on my container to this service principal from the Azure Portal

3. Try to access the files through the CDN without the SAS: not working :)

Is this method supposed to work, or am I missing a step?

Best regards
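
The stored-access-policy SAS approach mentioned in the post, as an added example that is not part of the original post: it builds a service SAS for a single container bound to a stored access policy, and includes a small audit helper that shows what such a token grants on its face. The account name, account key, container name and policy name are constructed placeholders; the field order follows the Azure Storage service SAS string-to-sign for API versions 2018-11-09 through 2020-10-02 (versions from 2020-12-06 insert a signedEncryptionScope field after signedSnapshotTime). The stored access policy itself, carrying the read permission and expiry, is created on the container separately (portal or `az storage container policy create`).

```python
"""Container-scoped service SAS bound to a stored access policy.

Added example, not code from the original post. All identifiers below are
constructed placeholders, not a real account or key.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed placeholders.
ACCOUNT = "examplestorageacct"
CONTAINER = "public-images"
POLICY_ID = "cdn-readonly"          # stored access policy name, carried as the SAS 'si' field
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAS_VERSION = "2019-12-12"           # 'sv'; fixes the string-to-sign layout used below


def build_string_to_sign(account, container, policy_id, version, protocol="https",
                         permissions="", start="", expiry="", ip=""):
    """Service SAS string-to-sign, sv 2018-11-09 .. 2020-10-02 layout.

    With a stored access policy the permissions/start/expiry fields stay empty
    both here and in the token: the service reads them from the policy named in
    'si' at request time, which is what makes the SAS revocable.
    """
    canonicalized_resource = f"/blob/{account}/{container}"
    fields = [
        permissions, start, expiry,
        canonicalized_resource,
        policy_id,              # signedIdentifier
        ip,                     # signedIP
        protocol,               # signedProtocol
        version,                # signedVersion
        "c",                    # signedResource: 'c' scopes the SAS to this container only
        "",                     # signedSnapshotTime
        "", "", "", "", "",     # rscc, rscd, rsce, rscl, rsct (response header overrides)
    ]
    return "\n".join(fields)


def sign(key_b64, string_to_sign):
    """HMAC-SHA256 over the UTF-8 string-to-sign with the decoded account key."""
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def container_sas(account, key_b64, container, policy_id, version=SAS_VERSION,
                  protocol="https"):
    """Return the SAS query string for one container, bound to a stored access policy."""
    sts = build_string_to_sign(account, container, policy_id, version, protocol)
    params = {"sv": version, "sr": "c", "si": policy_id, "spr": protocol,
              "sig": sign(key_b64, sts)}
    return urlencode(params)


def blob_url_with_sas(account, container, blob_name, sas):
    """The origin URL an edge rewrite rule would produce by appending the SAS."""
    return f"https://{account}.blob.core.windows.net/{container}/{blob_name}?{sas}"


def sas_scope(sas):
    """Audit helper: what a token grants on its face.

    No 'sp'/'se' in the token means permissions and expiry are governed by the
    stored access policy named in 'si'; deleting or editing that policy
    invalidates every SAS issued against it without rotating the account key.
    """
    q = {k: v[0] for k, v in parse_qs(sas, keep_blank_values=True).items()}
    return {
        "resource": {"c": "container", "b": "blob"}.get(q.get("sr"), q.get("sr")),
        "policy": q.get("si"),
        "permissions_in_token": q.get("sp"),   # None when delegated to the policy
        "expiry_in_token": q.get("se"),
        "https_only": q.get("spr") == "https",
    }


if __name__ == "__main__":
    token = container_sas(ACCOUNT, ACCOUNT_KEY_B64, CONTAINER, POLICY_ID)
    print(blob_url_with_sas(ACCOUNT, CONTAINER, "logo.png", token))
    print(sas_scope(token))
```

Because the token's permissions and expiry live in the stored access policy rather than in the token, the policy is the revocation point: editing or deleting it kills every SAS derived from it, whereas an ad hoc SAS can only be revoked by rotating the account key. When the edge appends the SAS via a rewrite rule, the token is still a bearer credential at the origin, so keep the policy read-only (`r`) and scoped to the one container intended to be public.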