I wish to connect an API in Azure API Management to a storage account container. Within this storage account I wish for the API to only be able to access a specific top-level directory in the container ("myfolder"). I am attempting to implement this using an inbound processing policy, but I'm struggling with finding the relevant documentation.
I imagine this involves triggering a 403 back to the user based on either a string variable containing the relevant header containing the blob name, or based on a boolean based on whether I get a regex match with '^myfolder' on the blob name header value. Alternatively, if the previous is not possible, modifying the request such that it fails.
Other possible solutions I could see are using check-header but where the allowed values is a check against its regex value, or using validate-headers, but I haven't figured it out yet.
Any pointers to a possible solution would be appreciated.
You can do something like below using Regex:
<inbound>
    <base />
    <choose>
        <!-- The trailing slash limits the match to the 'myfolder' directory; without it, names such as 'myfolder2/...' would also match -->
        <when condition="@(System.Text.RegularExpressions.Regex.IsMatch(context.Request.Headers.GetValueOrDefault("x-ms-blob-name", ""), @"^myfolder/"))">
            <!-- Allow the request to proceed -->
        </when>
        <otherwise>
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
                <set-body>
                {
                    "error": "Access to the requested resource is forbidden. You can only access blobs within the 'myfolder' directory."
                }
                </set-body>
            </return-response>
        </otherwise>
    </choose>
</inbound>
Or like this:
<inbound>
    <choose>
        <!-- The trailing slash limits the match to the 'myfolder' directory; without it, names such as 'myfolder2/...' would also match -->
        <when condition="@(context.Request.Headers.GetValueOrDefault("x-ms-blob-name", "").StartsWith("myfolder/"))">
            <!-- Allow the request to proceed -->
        </when>
        <otherwise>
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
                <set-body>
                {
                    "error": "Access to the requested resource is forbidden. You can only access blobs within the 'myfolder' directory."
                }
                </set-body>
            </return-response>
        </otherwise>
    </choose>
</inbound>
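An added example, not part of the answer above: a standalone C# console program that runs two prefix tests over constructed blob names, a bare `myfolder` prefix (as in the question's `^myfolder`) and one that requires the `myfolder/` separator and rejects dot segments. The sample names, the class and method names, and the choice to percent-decode before checking are assumptions made for illustration.

```csharp
using System;
using System.Linq;

static class BlobPrefixCheck
{
    const string Dir = "myfolder";

    // Bare prefix test: true for any name that merely begins with "myfolder".
    static bool BarePrefix(string name) =>
        name.StartsWith(Dir, StringComparison.Ordinal);

    // Directory-scoped test: the name must begin with "myfolder/" and, after
    // percent-decoding, contain no "." or ".." segments. Decoding first is a
    // conservative assumption that a later component may decode the value.
    static bool DirectoryScoped(string name)
    {
        string decoded = Uri.UnescapeDataString(name);
        if (!decoded.StartsWith(Dir + "/", StringComparison.Ordinal))
            return false;
        return !decoded.Split('/', '\\').Any(s => s == "." || s == "..");
    }

    static void Main()
    {
        // Constructed sample values, not taken from the page.
        string[] samples =
        {
            "myfolder/report.csv",              // inside the directory
            "myfolder/sub/data.json",           // nested inside the directory
            "myfolder-archive/report.csv",      // sibling sharing the prefix
            "myfolder2/report.csv",             // sibling sharing the prefix
            "myfolder/../other/report.csv",     // dot segment leading elsewhere
            "myfolder/%2e%2e/other/report.csv", // same, percent-encoded
            "other/report.csv",                 // unrelated directory
            "",                                 // header missing
        };

        Console.WriteLine("{0,-36}{1,-8}{2}", "blob name", "bare", "scoped");
        foreach (string s in samples)
            Console.WriteLine("{0,-36}{1,-8}{2}", s, BarePrefix(s), DirectoryScoped(s));
    }
}
```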