Publishing using service principal with contributor access at resource group level fails with 403 response

Version: 3.0.2996 (I’ve tried 2.7.2936 and get the same error)

Using the following command to deploy a python function app (running on a consumption plan) as part of a CI/CD pipeline:

func azure functionapp publish <APPNAME> --publish-local-settings --overwrite-settings --python --force

The following output is returned:

Getting site publishing info...
Response status code does not indicate success: 403 (Forbidden).

I’ve traced the requests using Fiddler, and the request that’s returning the 403 response is https://<SITE>.scm.azurewebsites.net/api/settings.

The service principal used has Contributor permissions to the resource group the function app is in. I have double-checked that these permissions are present.

I’m able to replicate this locally by first logging in as the service principal using:

az login --service-principal -u <PRINCIPALID> --password <KEY> --tenant <TENANTID>
func azure functionapp publish <APPNAME> --publish-local-settings --overwrite-settings --python --force

Other Azure CLI commands that work with functions are successful, e.g.: az functionapp keys list -n <APPNAME> -g <RESOURCEGROUP>

If I use az login and log in as my own AD account, the publish command works fine.

I’ve tried searching for limitations in the functions CLI that may prevent a service account deploying, but have come up blank so far.

EDIT: The call stack for the exception is:

System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
   at Azure.Functions.Cli.Helpers.RetryHelper.Retry(Func`1 func, Int32 retryCount, TimeSpan retryDelay, Boolean displayError) in D:\a\1\s\src\Azure.Functions.Cli\Helpers\RetryHelper.cs:line 27
   at Azure.Functions.Cli.Helpers.KuduLiteDeploymentHelpers.InvokeRequest[T](HttpClient client, HttpMethod method, String url) in D:\a\1\s\src\Azure.Functions.Cli\Helpers\KuduLiteDeploymentHelpers.cs:line 124
   at Azure.Functions.Cli.Helpers.KuduLiteDeploymentHelpers.GetAppSettings(HttpClient client) in D:\a\1\s\src\Azure.Functions.Cli\Helpers\KuduLiteDeploymentHelpers.cs:line 18
   at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.EnsureRemoteBuildIsSupported(Site functionApp) in D:\a\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 681
   at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.HandleLinuxConsumptionPublish(Site functionApp, Func`1 zipFileFactory) in D:\a\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 468
   at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.PublishFunctionApp(Site functionApp, GitIgnoreParser ignoreParser, IDictionary`2 additionalAppSettings) in D:\a\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 314
   at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.RunAsync() in D:\a\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 178
   at Azure.Functions.Cli.ConsoleApp.RunAsync[T](String[] args, IContainer container) in D:\a\1\s\src\Azure.Functions.Cli\ConsoleApp.cs:line 64

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 9

Top GitHub Comments

2 reactions
ArunasFalcon commented, Apr 27, 2022

I stand corrected. It does indeed work if the service principal is directly assigned as contributor on the subscription. We previously had it assigned to a group which was in turn set as contributors on the subscription; that doesn’t work.

1 reaction
ArunasFalcon commented, Apr 27, 2022

I’ve run into the same issue. Thanks @mikegoatly for the suggestion to add the SP with contrib at the sub level. In my case it is already assigned there (via a group). I’ll continue testing around…
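
A diagnostic for the distinction reported in the comments above (Contributor assigned directly at subscription level works; the same role reached through a group does not), as an added example that is not from the issue or from Azure Functions Core Tools. It assumes input shaped like the JSON from `az role assignment list --assignee <PRINCIPALID> --all --include-groups -o json`; every ID and the resource group name are constructed placeholders.

```python
import json

# Constructed sample shaped like `az role assignment list -o json` output.
# Every ID below is a placeholder, not a value from the issue.
SP_OBJECT_ID = "11111111-aaaa-4aaa-8aaa-000000000001"  # object ID, not the app ID used for az login
SAMPLE = json.loads("""[
  {"principalId": "11111111-aaaa-4aaa-8aaa-000000000001", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-func"},
  {"principalId": "22222222-bbbb-4bbb-8bbb-000000000002", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")


def scope_level(scope):
    """Classify an ARM scope string by how far down the hierarchy it sits."""
    parts = [p for p in scope.split("/") if p]
    lowered = [p.lower() for p in parts]
    if len(parts) < 2 or lowered[0] != "subscriptions":
        return "other"  # management group, tenant root, or malformed
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and lowered[2] == "resourcegroups":
        return "resource-group"
    return "resource"


def classify(assignments, sp_object_id, role="Contributor"):
    """Return (level, via) pairs for every assignment of `role` that reaches the principal."""
    found = []
    for a in assignments:
        if a.get("roleDefinitionName") != role:
            continue
        pid = a.get("principalId", "")
        if pid.lower() == sp_object_id.lower():
            via = "direct"
        elif a.get("principalType") == "Group":
            via = "group:" + pid  # inherited through group membership
        else:
            continue  # some other principal; not relevant to this service principal
        found.append((scope_level(a.get("scope", "")), via))
    return found


def has_direct_subscription_role(assignments, sp_object_id, role="Contributor"):
    """True only for the one arrangement the comment above reports as working."""
    return ("subscription", "direct") in classify(assignments, sp_object_id, role)
```

On the sample, `classify` reports a direct assignment at resource-group level and a group-inherited one at subscription level, the two arrangements the thread reports as failing, so `has_direct_subscription_role` returns `False`.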
