Dec 11 2020 12:17 AM - edited Dec 13 2020 02:25 AM
Hello,
I'm trying several methods to access a private container within a StorageAccount containing multiple containers (all set to private), just to get a hold of the concepts.
In this scenario, I would like to have only one of the containers accessible in order to share images on a public website, for example. Generating an access policy for this container only and generating a SAS attached to this policy allows giving access only to this container. The SAS can be made public or hidden using a rewrite rule in FrontDoor/CDN Premium.
Yet, I tried another approach to mimic what's possible on AWS w/ s3+CloudFront: giving CloudFront service principal reading privilege on a bucket:
1. enable the Microsoft.Azure.Cdn service principal using its GUID: `az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8`
2. assign Storage Blob Data Reader role to my container for this service principal from the Azure Portal
3. trying to access the files through the CDN w/o the SAS: not working :)
Is this method supposed to work, or am I missing a step?
Best regards
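To show what the stored-access-policy approach from the post above looks like on the wire, here is an added example (not from the original thread, nor from Microsoft's SDK) that builds a container service SAS bound to a stored access policy using only Python's standard library. The account name, container, policy name, key and service version are assumed, constructed values, and the string-to-sign layout follows the documented service SAS format for version 2020-12-06.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed values for this example; none of them come from the thread.
ACCOUNT_NAME = "examplestorage"
CONTAINER = "public-images"
POLICY_ID = "cdn-read-only"     # stored access policy on the container (holds sp/st/se)
SAS_VERSION = "2020-12-06"      # assumed storage service version
ACCOUNT_KEY_B64 = base64.b64encode(b"constructed-example-key-not-a-real-one!").decode()


def string_to_sign(account: str, container: str, policy_id: str, version: str) -> str:
    # Service SAS string-to-sign for a container. Permissions, start and expiry
    # are left empty because the stored access policy supplies them: the policy,
    # not the token, decides what the bearer may do and for how long.
    fields = [
        "",                              # signedPermissions   (from policy)
        "",                              # signedStart         (from policy)
        "",                              # signedExpiry        (from policy)
        f"/blob/{account}/{container}",  # canonicalizedResource
        policy_id,                       # signedIdentifier    (si)
        "",                              # signedIP
        "https",                         # signedProtocol
        version,                         # signedVersion
        "c",                             # signedResource: container
        "",                              # signedSnapshotTime
        "",                              # signedEncryptionScope
        "", "", "", "", "",              # rscc, rscd, rsce, rscl, rsct
    ]
    return "\n".join(fields)


def sign(key_b64: str, message: str) -> str:
    # Signature = Base64(HMAC-SHA256(UTF-8 string-to-sign, Base64-decoded key)).
    key = base64.b64decode(key_b64)
    return base64.b64encode(hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()).decode()


def container_sas(account: str, container: str, policy_id: str, key_b64: str,
                  version: str = SAS_VERSION) -> dict:
    # Query parameters of the token. There is deliberately no sp/st/se: deleting
    # the policy or shortening its expiry invalidates every token referencing it.
    sig = sign(key_b64, string_to_sign(account, container, policy_id, version))
    return {"sv": version, "sr": "c", "si": policy_id, "spr": "https", "sig": sig}


def sas_url(account: str, container: str, blob: str, params: dict) -> str:
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"
```

A CDN or Front Door rewrite rule can append exactly this query string to origin requests, so the public hostname never exposes the token.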
Apr 06 2023 07:16 AM
@milkmix_ Hi, did you manage to solve this? I am in the same situation :\
Apr 08 2023 08:03 PM
How about considering managed identities?
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Apr 10 2023 06:43 AM - edited Apr 10 2023 06:43 AM
@Kidd_Ip I tried this but nothing. Created a User Assigned Identity and assigned it to the CDN. On the blob storage side, I gave Owner and Blob read/write permissions to that User Assigned Identity. Very strange and kinda weird there are no clear instructions for this.
Apr 10 2023 10:06 AM