Publishing using service principal with contributor access at resource group level fails with 403 response
Version: 3.0.2996 (I’ve tried 2.7.2936 and get the same error)
Using the following command to deploy a python function app (running on a consumption plan) as part of a CI/CD pipeline:
func azure functionapp publish <APPNAME> --publish-local-settings --overwrite-settings --python --force
The following output is returned:
Getting site publishing info...
Response status code does not indicate success: 403 (Forbidden).
I’ve traced the requests using Fiddler, and the request that’s returning the 403 response is https://<SITE>.scm.azurewebsites.net/api/settings.
The service principal used has Contributor permissions to the resource group the function app is in. I have double-checked that these permissions are present.
I’m able to replicate this locally by first logging in as the service principal using:
az login --service-principal -u <PRINCIPALID> --password <KEY> --tenant <TENANTID>
func azure functionapp publish <APPNAME> --publish-local-settings --overwrite-settings --python --force
Other Azure CLI commands that work with functions are successful, e.g.: az functionapp keys list -n <APPNAME> -g <RESOURCEGROUP>
If I use az login and log in as my own AD account, the publish command works fine.
I’ve tried searching for limitations in the functions CLI that may prevent a service account deploying, but have come up blank so far.
EDIT: The call stack for the exception is:
System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
at Azure.Functions.Cli.Helpers.RetryHelper.Retry(Func`1 func, Int32 retryCount, TimeSpan retryDelay, Boolean displayError) in D:\a\1\s\src\Azure.Functions.Cli\Helpers\RetryHelper.cs:line 27
at Azure.Functions.Cli.Helpers.KuduLiteDeploymentHelpers.InvokeRequest[T](HttpClient client, HttpMethod method, String url) in D:\a\1\s\src\Azure.Functions.Cli\Helpers\KuduLiteDeploymentHelpers.cs:line 124
at Azure.Functions.Cli.Helpers.KuduLiteDeploymentHelpers.GetAppSettings(HttpClient client) in D:\a\1\s\src\Azure.Functions.Cli\Helpers\KuduLiteDeploymentHelpers.cs:line 18
at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.EnsureRemoteBuildIsSupported(Site functionApp) in D:\a\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 681
at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.HandleLinuxConsumptionPublish(Site functionApp, Func`1 zipFileFactory) in D:\a\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 468
at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.PublishFunctionApp(Site functionApp, GitIgnoreParser ignoreParser, IDictionary`2 additionalAppSettings) in D:\a\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 314
at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.RunAsync() in D:\a\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 178
at Azure.Functions.Cli.ConsoleApp.RunAsync[T](String[] args, IContainer container) in D:\a\1\s\src\Azure.Functions.Cli\ConsoleApp.cs:line 64
Top GitHub Comments
I stand corrected. It does indeed work if the service principal is directly assigned as contributor on the subscription. We previously had it assigned to a group which was in turn set as contributors on the subscription; that doesn’t work.
I’ve run into the same issue. Thanks @mikegoatly for the suggestion to add the SP with contrib at the sub level. In my case it is already assigned there (via a group). I’ll continue testing around…
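The comments above distinguish a Contributor assignment made directly to the service principal from one inherited through a group, and subscription scope from resource-group scope. The following added example (not part of the original issue or of the Azure tooling) classifies role assignments along those two axes from JSON in the shape printed by az role assignment list --assignee <PRINCIPALID> --include-groups --include-inherited --all; the sample records, IDs and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `az role assignment list` output
# (principalId, principalType, roleDefinitionName, scope). All IDs are placeholders.
SAMPLE = json.loads("""[
  {"principalId": "grp-0001", "principalType": "Group",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-0000"},
  {"principalId": "sp-0001", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/sub-0000/resourceGroups/rg-functions"},
  {"principalId": "sp-0001", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-0000"}
]""")


def scope_level(scope):
    """Map an ARM scope string to subscription / resource-group / resource / other."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lowered = [p.lower() for p in parts]
    if lowered[:1] != ["subscriptions"]:
        return "other"  # root ("/") or management-group scope
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and lowered[2] == "resourcegroups":
        return "resource-group"
    return "resource"


def classify(assignments, sp_object_id, role="Contributor"):
    """Return (scope_level, 'direct' | 'via-group', scope) for each assignment of `role`."""
    rows = []
    for a in assignments:
        if a.get("roleDefinitionName") != role:
            continue
        if a.get("principalId") == sp_object_id:
            how = "direct"
        elif a.get("principalType") == "Group":
            how = "via-group"  # listed only because the assignee is a member
        else:
            continue
        rows.append((scope_level(a["scope"]), how, a["scope"]))
    return rows


def has_direct_subscription_role(assignments, sp_object_id, role="Contributor"):
    """True only if `role` is assigned to the principal itself at subscription scope."""
    return any(lvl == "subscription" and how == "direct"
               for lvl, how, _ in classify(assignments, sp_object_id, role))


if __name__ == "__main__":
    for row in classify(SAMPLE, "sp-0001"):
        print(row)
```

For the constructed sample the principal holds Contributor directly only at resource-group scope and at subscription scope only through a group, which are the two situations the issue and its comments report as failing.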