Azure / azure-cli

Azure Command-Line Interface
MIT License

Az Cli in Self Hosted Runner can access Api services with public access disabled #26714

Open rexebin opened 1 year ago

rexebin commented 1 year ago

Describe the bug

  1. self-hosted runner is in a vnet, the vnet has no peering and not linked to any private DNS zones.
  2. app service has a private endpoint and public access enabled. The staging slot does not have a private endpoint but the public access is disabled.
  3. Az cli running in the self-hosted runner, with Managed System Identity authentication, with a contributor role to the resources
  4. the az cli can deploy to the staging slot, which has public access disabled. It should not
  5. the az cli have access to open API json file at /openapi/v3.json endpoint, but it should not, because public access is disabled

When we use Github hosted Runners with OIDC authentication, same contributor role to resources:

  1. we had to open up the SCM endpoint for the staging slot to be able to deploy to the staging slot, or we get 403 Forbidden error.
  2. accessing the same openapi/v3.json returns 403 IP forbidden

We understand why the Github Hosted Runners with OIDC authentication get rejected. But we are puzzled why the self hosted runners with MSI work because the runner's vnet has no relationship.

Related command

Deploy to function staging slot:

```
az functionapp deployment source config-zip \
    -n myfunctionname \
    -g myfunctionresourcegroupname \
    --slot staging \
    --src ./release.zip \
    --subscription mysubscription
```

Import to APIM:

```
az apim api import --service-name myapimname \
    --resource-group myapimresourcegroupname \
    --subscription myapimsubscriptionid --api-id api-my-service-name \
    --path /dev/my-service \
    --display-name api-my-service-name \
    --specification-format OpenApi --subscription-required false \
    --specification-url https://myappservicename.azurewebsites.net/my-service-path/openapi/v3.json
```

Errors

With self-hosted runner, no errors.

With Github Runner, OIDC authentication, we got errors:

Error for importing APIM:

Failed to import from specified resource https://myservicename.azurewebsites.net/my-service/openapi/v3.json: Response status code does not indicate success: 403 (Ip Forbidden).

Error for deploying to staging slot:

Error 403 - Forbidden

The web app you have attempted to reach has blocked your access.

Issue script & Debug output

Same as the errors.

Expected behavior

Self-hosted runner should not have access to a public-access-disabled app service.

Or, github runners with OIDC should behave the same way as self hosted runner.

Environment Summary

azure-cli 2.37.0 ubuntu linux 22.04.2

Additional context

No response
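The report above hinges on two separately configured surfaces: the main site's access restrictions (and its public network access setting) and the SCM/Kudu site's restrictions, which is where `config-zip` deployments land. A quick audit that evaluates both rule sets for a given source address is an added example here, not code from the issue or from the azure-cli project. It assumes the JSON shape that `az functionapp config access-restriction show` prints (`ipSecurityRestrictions`, `scmIpSecurityRestrictions`, `scmIpSecurityRestrictionsUseMain`) and, as a labelled assumption, folds a `publicNetworkAccess` value into the same record; the first-match-by-priority evaluation and the implicit deny when rules exist are the assumed App Service semantics, and the slot data is constructed:

```python
import ipaddress
import json

# Constructed sample, not real tenant data. The per-slot shape follows the
# access-restriction output of the CLI; publicNetworkAccess is folded in here
# for convenience (assumption: in real output it lives on the site resource).
SAMPLE_SLOTS = json.loads("""
{
  "production": {
    "publicNetworkAccess": "Enabled",
    "ipSecurityRestrictions": [
      {"name": "office", "action": "Allow", "ipAddress": "203.0.113.0/24", "priority": 100},
      {"name": "Deny all", "action": "Deny", "ipAddress": "Any", "priority": 2147483647}
    ],
    "scmIpSecurityRestrictionsUseMain": true,
    "scmIpSecurityRestrictions": []
  },
  "staging": {
    "publicNetworkAccess": "Disabled",
    "ipSecurityRestrictions": [
      {"name": "Deny all", "action": "Deny", "ipAddress": "Any", "priority": 2147483647}
    ],
    "scmIpSecurityRestrictionsUseMain": false,
    "scmIpSecurityRestrictions": [
      {"name": "Allow all", "action": "Allow", "ipAddress": "Any", "priority": 2147483647}
    ]
  }
}
""")


def evaluate(rules, source_ip):
    """Return 'Allow' or 'Deny' for source_ip under an App Service style rule list.

    Assumed semantics: rules are checked in ascending priority and the first
    match wins; an empty rule list means everything is allowed; if rules exist
    but none match, the result is an implicit deny.
    """
    ip = ipaddress.ip_address(source_ip)
    if not rules:
        return "Allow"
    for rule in sorted(rules, key=lambda r: r["priority"]):
        target = rule.get("ipAddress", "Any")
        if target == "Any":
            return rule["action"]
        try:
            if ip in ipaddress.ip_network(target, strict=False):
                return rule["action"]
        except ValueError:
            # Service-tag and other non-CIDR rules are not modelled here; skip them.
            continue
    return "Deny"


def effective_scm_rules(slot):
    """The SCM site either inherits the main rules or carries its own list."""
    if slot.get("scmIpSecurityRestrictionsUseMain"):
        return slot["ipSecurityRestrictions"]
    return slot["scmIpSecurityRestrictions"]


def audit_slot(name, slot, source_ip):
    """Evaluate main and SCM access for one slot and flag the mismatches a reviewer cares about."""
    main = evaluate(slot["ipSecurityRestrictions"], source_ip)
    scm = evaluate(effective_scm_rules(slot), source_ip)
    findings = []
    if main == "Deny" and scm == "Allow":
        findings.append(f"{name}: SCM (deployment) endpoint reachable from {source_ip} "
                        "although the main site denies it")
    if slot.get("publicNetworkAccess") == "Disabled" and scm == "Allow":
        findings.append(f"{name}: publicNetworkAccess is Disabled but the SCM rule set allows "
                        f"{source_ip}; verify the restriction is actually enforced")
    return {"main": main, "scm": scm, "findings": findings}


def audit(slots, source_ip):
    """Audit every slot for one source address; returns a dict keyed by slot name."""
    return {name: audit_slot(name, slot, source_ip) for name, slot in slots.items()}


if __name__ == "__main__":
    # 198.51.100.9 stands in for a runner address outside any allow rule (constructed).
    for slot_name, result in audit(SAMPLE_SLOTS, "198.51.100.9").items():
        print(slot_name, result["main"], result["scm"])
        for finding in result["findings"]:
            print("  !", finding)
```

Run against real output by replacing `SAMPLE_SLOTS` with the parsed JSON of `az functionapp config access-restriction show -g <rg> -n <app> --slot <slot>` for each slot; a slot whose main site is locked while its SCM list is independent and open is exactly the situation the reporter had to create for the OIDC runner, and the first thing to inspect when a deployment succeeds from an address that should have been blocked.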

azure-client-tools-bot-prd[bot] commented 1 year ago

Hi @rexebin,

2.37.0 is not the latest Azure CLI (2.49.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

rexebin commented 1 year ago

> Thank you for opening this issue, we will look into it.

Thank you!

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @adrianhall, @KedarJoshi.

Author: rexebin
Assignees: shreyas-gopalakrishna, amamounelsayed, kaibocai, kamperiadis
Labels: `bug`, `Service Attention`, `Functions`, `API Management`, `customer-reported`, `Auto-Assign`, `Auto-Resolve`
Milestone: -
navba-MSFT commented 1 year ago

Adding Service team to look into this.

rexebin commented 1 year ago

Update: Apim import issue is resolved. Running az apim api import only requires the APIM to have access to the app service.

shreyabatra4 commented 1 year ago

@rexebin confirming we can close this issue?

rexebin commented 1 year ago

No, the web app deployment issue is still outstanding.

Thanks!
