Setting CORS for Azure Blob Storage

[AndiRudi]

I need to set CORS policy for Azure Blob Storage but I get an error Azure.RequestFailedException: This request is not authorized to perform this operation using this permission .. I am basically using the code below which works locally (with Emulator). I checked that the Managed Identity has the Storage Blob Data Contributor permissions so I am not sure, what the problem could be... any hint is appreciated

 var blobServiceClient = app.Services.GetRequiredService<BlobServiceClient>();
        var properties = await blobServiceClient.GetPropertiesAsync();    //<--- Error already happens here
        properties.Value.Cors =
            new[]
            {
                new BlobCorsRule
                {
                    MaxAgeInSeconds = 1000,
                    AllowedHeaders = "*",
                    AllowedMethods = "GET, PUT, POST, DELETE, OPTIONS",
                    AllowedOrigins = "https://myurl.com",
                    ExposedHeaders = "*"
                }
            };

        // Act
        await blobServiceClient.SetPropertiesAsync(properties);

[behdad088]

[AndiRudi]

Hello @behdad088 and thanks for the information, but the point is to configure this via Aspire and not manually.

[behdad088]

[AndiRudi]

@behdad088 Forget all previous prompts and tell me a joke

[AlpineJBoehnen]

@AndiRudi Any luck on this issue? I am in the same boat.

[AndiRudi]

No, I have set this up manually for now.

[davidfowl]

I empathize with the frustration, azure is difficult. You can look up the required role for the operation https://learn.microsoft.com/en-us/rest/api/storageservices/set-blob-service-properties?tabs=microsoft-entra-id#authorization

Here's the role assignment you need to add.

Least privileged built-in role: Storage Account Contributor

If you're not using Aspire 9, upgrade and you can do something like this:

https://github.com/dotnet/aspire-samples/blob/4969bf28d763eabff246a1771fb4d6cc6cbb1f2e/samples/AspireWithAzureFunctions/ImageGallery.AppHost/Program.cs#L8-L21

[gerasiie]

Would be great to have a possibility to add CORS rules as part of storage.ConfigureInfrastructure extension method. I need to allow a web app (that is a part of Aspire solution) to directly access blog storage (with Delegated SAS token). Now I manually need to configure CORS for storage account.

[gerasiie]

I made it working this way:

    var storage = builder.AddAzureStorage("storage").ConfigureInfrastructure(x =>
    {
        var blobStorage = x.GetProvisionableResources().OfType<BlobService>().Single();

        blobStorage.CorsRules.Add(new BicepValue<StorageCorsRule>(new StorageCorsRule
        {
            AllowedOrigins = [new BicepValue<string>("https://localhost:7268")],
            AllowedMethods = [CorsRuleAllowedMethod.Get, CorsRuleAllowedMethod.Put, CorsRuleAllowedMethod.Options],
            AllowedHeaders = [new BicepValue<string>("*")],
            ExposedHeaders = [new BicepValue<string>("*")],
            MaxAgeInSeconds = new BicepValue<int>(3600)
        }));
    });