I’ve set up Azure Blob Storage container and connected with Azure CDN with Microsoft, and I’m trying to access blobs from my IP address through the CDN. However, I keep encountering an “AuthorizationFailure” error. Here are the steps I’ve taken: System Managed Identity Permissions: I granted the “Storage Blob Data Reader” role to the system managed identity of Azure CDN from Microsoft. The role is assigned at the container level (no role assignment on the storage account). CORS Rules: I configured CORS rules in the Azure CDN rules engine to allow requests from my domain and it's subdomains, or my IP Address only Error Message : When accessing the blobs, I receive the following error: <Error><script Troubleshooting Steps Taken : Verified system managed identity association with Azure CDN. Ensured the container permissions match the blob location. Checked CORS rules (although they shouldn’t directly impact system managed identity access). Verified network accessibility between CDN and storage. Next Steps : What else should I check to resolve this issue?

Hi, For a quick testing, enable the firewall and network rules as follows to enable from any network If it works, you can add a firewall exception on the storage with the IP of the app service and by enabling the access from trusted networks as below

Troubleshooting “AuthorizationFailure” Error When Accessing Azure Blob Storage from Azure CDN

Accepted answer

Manu Philip 18,671 Reputation points MVP

2024-07-16T07:38:29.49+00:00

Hi,

For a quick testing, enable the firewall and network rules as follows to enable from any network

If it works, you can add a firewall exception on the storage with the IP of the app service and by enabling the access from trusted networks as below
Please sign in to rate this answer.
Yash 25 Reputation points

2024-07-16T08:05:07.07+00:00

Ah this works, thanks

Can you please help me with 2 more questions, i.e.

if I already given the Storage Blob Data Reader access to Azure CDN, then why do I need to provide the IP access also?

This CDN is getting used to images in my public website, which can be accessed by anyone over the internet, so do I need to provide blob storage access to all the IPs or since the CDN has cached blobs so it can serve to any user over the internet from my domain(due to CORS restriction)?

Manu Philip 18,671 Reputation points MVP

2024-07-16T09:24:49.34+00:00

Glad to hear that the answer helped you ! please click Accept answer so that it can help others in the community looking for help on similar topics.

Manu Philip 18,671 Reputation points MVP

2024-07-16T09:30:11.5033333+00:00

Here are my responses to your further questions

Even though you have provided the authentication, authorization at the network/firewall level was missing. So, both authentication and authorization to be provided for the successful access of any resources

If your data should be publicly available, you should explicitly allow anonymous access to the blob storage. For this, Go to Settings → Configuration section, Set the Blob public access to Enabled and click "Save":

Yash 25 Reputation points

2024-07-16T10:44:12.11+00:00

First point makes sense

For the second point, just to avoid any confusion for the community, to read the data using CDN, one doesn't need to make the blob storage publicly accessible, just the CDN network should be allowed to access the blob, then CDN caches the blob, and now blob can be accessed from any of the network. I have tested this

Thanks @Manu Philip for helping me to resolve the issue

Manu Philip 18,671 Reputation points MVP

2024-07-16T11:05:00.3733333+00:00

Yash, thanks for testing and clarifying the case !
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Troubleshooting “AuthorizationFailure” Error When Accessing Azure Blob Storage from Azure CDN

0 additional answers

Your answer