Share via

How to enable public access for allowed domains for a storage container blob storage?

Ajay Agarwal 0 Reputation points Microsoft Employee
2024-09-21T17:53:29.4166667+00:00

I have a storage container with a blob storage where I store static assets related to my website.
I have a web app hosted on Azure and I would like to allow direct public access to the storage containers blob storage from my web app. How do I enable the required config for it?

I tried setting it up by allow anonymous access on the blob storage and then setting up CORS only for my website domain. However, this isn't working as expected and instead resulting in the storage container being publicly accessible.

I would want public access to my storage container but only from allowed domains and private for others.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,183 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,876 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Luis Arias 6,796 Reputation points
    2024-09-21T19:16:33.2266667+00:00

    Hi Ajay,

    I understand that you want public access to storage container but only from allowed domains on webapp and private for the rest, I can sugest this configuraiton:

    • Disable Anonymous Access: Ensure that anonymous access is disabled for your storage account to prevent unrestricted public access. Storage Account > Settings > Configuration > Allow Blob public access to Disabled.
    • Set Up CORS (Cross-Origin Resource Sharing): Configure CORS rules to allow requests only from your specific web app domain. This will ensure that only requests from your allowed domains are processed. Storage Account > Settings > Resource sharing (CORS) > Allowed origins: Your web app domain (e.g., https://yourwebsite.com) > Allowed methods: Select the HTTP methods you want to allow (e.g., GET, POST
    • Use Shared Access Signatures (SAS): Generate SAS tokens for your web app to access the blob storage. This way, you can control the permissions and the duration of access. Storage account > Settings > Shared access signature > Configure the SAS token with the necessary permissions (e.g., read, write) and set an expiration time. > Generate the SAS token and use it in your web app to access the blob storage.

    User's imageAdditional references:

    If the information helped address your question, please Accept the answer.

    Luis

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.