Resolving Access Issues: Azure Function App Proxy with Private Blob Container - Need Configuration Guidance

Jose Augusto Baltazar 0 Reputation points
2024-12-18T03:31:21.31+00:00

I'm seeking advice on how to configure my Azure Function App to properly authorize users and direct them to a Static Web App hosted in a private Blob Container. The goal is to ensure seamless access without enabling public access on the Blob Container.

Scenario Overview:

  • Setup: A Function App serves as a proxy for a Static Web App stored in a Blob Container.
  • Blob Configuration: The Blob Container is set to private access.

What Works:

  • With public access enabled on the Blob Container, everything functions correctly.
  • Authentication and App Registration have been configured and work flawlessly.

The Problem:

  • When public access to the Blob Container is disabled, the setup fails, returning a "resource not found" error.

Efforts Taken So Far:

  • Configured Managed Identity for the Function App and granted necessary permissions to the Blob Container.
  • Confirmed the proxy functions correctly with public access enabled.

Current Behavior:

  • Public Access Enabled: Everything works fine.
  • Public Access Disabled: Access fails with the error "resource not found."

Key Questions:

  1. Do I need additional configurations in the proxy definition file?
  2. Should I implement a private endpoint or another specific setting to address this issue?

Additional Notes:

I haven't configured a private endpoint yet but am considering it. My expectation was that Managed Identity permissions would suffice, but it seems something more is needed.

Request:

Any guidance or suggestions on how to resolve this issue would be greatly appreciated!


1 answer

  1. Amrinder Singh 5,555 Reputation points Microsoft Employee
    2024-12-18T05:48:52.3366667+00:00

    Hi Jose Augusto Baltazar - Thanks for reaching out over Q&A Forum.

    Based on the details provided, yes, if the access level of the container is set to private, you need to pass some valid auth in order to access the blob, else it would result in an error.

    Now, there is an access level which is also controlled at the account level, apart from the container one, which will tend to overwrite what's there on the container level. Kindly review that once.

    https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal

    Further, you mentioned that you are leveraging MI; however, in that case it should ideally work with RBAC permissions, provided you have Reader on the management plane and Storage Blob Data Reader on the data plane. To verify what auth is getting passed, I would suggest enabling logging, which shall tend to point out the same, such as SAS, Access Key, OAUTH (AD).

    https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

    Lastly, I am assuming there are currently no networking-level restrictions on the account level.

    Hope that helps!

    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
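As an added example (not code from the question, the answer, or any Microsoft sample), here is the shape of what the proxy has to do once the container is private: obtain a Blob data-plane token from the Function App's managed identity endpoint and send it as a bearer token on the blob GET, instead of relying on anonymous access. The storage account and container names, the loopback identity endpoint, and the injectable `opener` are assumptions so the logic runs offline; `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` are the variables the platform sets for App Service / Functions managed identity.

```python
import json
import os
import urllib.parse
import urllib.request

STORAGE_RESOURCE = "https://storage.azure.com/"  # token audience for the Blob data plane
BLOB_API_VERSION = "2021-08-06"


def identity_token_request(env=None, resource=STORAGE_RESOURCE):
    """Token request to the Functions managed identity endpoint.
    IDENTITY_ENDPOINT / IDENTITY_HEADER are set by the platform; env is injectable for tests."""
    env = os.environ if env is None else env
    query = urllib.parse.urlencode({"api-version": "2019-08-01", "resource": resource})
    req = urllib.request.Request(f"{env['IDENTITY_ENDPOINT']}?{query}")
    req.add_header("X-IDENTITY-HEADER", env["IDENTITY_HEADER"])
    return req


def route_to_blob(request_path, default_doc="index.html"):
    """Map the inbound proxy path to a blob name; reject traversal out of the site root."""
    path = urllib.parse.unquote(request_path).lstrip("/")
    if ".." in path.split("/"):
        raise ValueError("rejected path: " + request_path)
    return path + default_doc if path == "" or path.endswith("/") else path


def blob_request(account, container, blob_name, token):
    """Authenticated GET for a blob in a private container. Without the bearer token the
    data plane answers 404 (ResourceNotFound) rather than 403, the symptom in the question."""
    url = f"https://{account}.blob.core.windows.net/{container}/{urllib.parse.quote(blob_name)}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("x-ms-version", BLOB_API_VERSION)
    return req


def proxy_get(request_path, account, container, opener=None, env=None):
    """Serve one proxied GET: fetch a token with the managed identity, then the blob.
    opener(req) -> bytes; defaults to urllib so the same code runs inside the Function App."""
    if opener is None:
        opener = lambda req: urllib.request.urlopen(req).read()
    token = json.loads(opener(identity_token_request(env)))["access_token"]
    return opener(blob_request(account, container, route_to_blob(request_path), token))
```

Inside the Function App, `proxy_get("/", "<account>", "<container>")` with the defaults issues both calls for real; the managed identity still needs Storage Blob Data Reader on the container for the second call to succeed.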

