Closed michvllni closed 1 year ago
Thank you for your feedback. This has been routed to the support team for assistance.
FYI - I was able to work around this issue by using a separate service principal instead of the system assigned managed identity in the function app.
However, the issue still persists with the system assigned managed identity. It also appears to happen with other cmdlets regarding the AzWebApp, for example Get-AzWebApp.
Assigning to Functions team for analysis. cc- @fabiocav
Hello @panchagnula -- Your team owns the Az.Websites cmdlets, I am assigning this issue to you for triage.
will take a look
@Kotasudhakarreddy -- Could you please move this to the Az.WebSites cmdlets issues? Thanks.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @antcp, @AzureAppServiceCLI.
| Author: | michvllni |
|---|---|
| Assignees: | Kotasudhakarreddy |
| Labels: | `App Services`, `Service Attention`, `bug`, `customer-reported` |
| Milestone: | - |
Removing CXP attention and adding service attention label.
@michvllni This is failing with the authorization issue. The same information can be found in the error response content linked above. This issue is nothing to handle in the Publish-AzWebApp cmdlet. It is something related to the permissions scope. Find the details below FYR.
Content message:
{"error":{"code":"AuthorizationFailed","message":"The client '[system assigned managed identity of 1]' with object id '[system assigned managed identity of 1]' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/XXX/resourceGroups/[rg of 2]/providers/Microsoft.Web/sites/[name of 2]/config/publishingcredentials' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
@Kotasudhakarreddy if it is a permission issue: Why does it work if I invoke the trigger from my local PowerShell but not from a different Azure function? If it was a permission issue, both would fail the same, as both used the same key to access the Azure function.
@michvllni could you please share the debug logs from your local PowerShell, for further investigation.
Closing due to lack of response. Please file a new issue if this is still a problem.
@Kotasudhakarreddy What output exactly do you need? When running the request from a local PowerShell with something like `Invoke-WebRequest -Uri "MyAppServiceUri" -Body "MyAppServiceBody" -Header "MyAppServiceHeader"` it works without any errors. It only fails when calling the function in exactly the same way from another Azure function app.
Description
We have a function app (1) that has a system assigned managed identity. This managed identity has the website contributor RBAC role on an app service (2).
1 has an HTTP Trigger that, after receiving information on what to publish, uses Publish-AzWebApp to publish a zip to an Azure app service (in this case 2, but for testing I've also created a test function app that only calls 1, same effect).
When calling 1 and telling it via HTTP request to publish an app to 2, it works perfectly well. However, as soon as the HTTP trigger of 1 gets called not from a local machine but from an Azure machine, for example 2 (the HTTP request is exactly the same), the Publish-AzWebApp command fails with the error "The client '[system assigned managed identity of 1]' with object id '[xxx]' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/[xxx]/resourceGroups/[resource group of 2]/providers/Microsoft.Web/sites/[name of 2].azurewebsites.net/config/publishingcredentials' or the scope is invalid."
Very simplified, the HTTP trigger of 1 looks like this:
Issue script & Debug output
Environment data
Module versions
Error output
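A diagnostic for the two possibilities the thread leaves open, added here as an example and not code from the issue or from the Az modules: it parses an AuthorizationFailed body like the one quoted above, flags a `sites/<name>` segment that carries a DNS suffix (App Service resource names are alphanumerics and hyphens, so `[name of 2].azurewebsites.net` as in the description makes the scope itself invalid), and otherwise checks whether the identity's role assignments at that scope cover the denied action. The error body is a constructed sample with placeholder ids and names; the role-assignment lookup assumes an existing `Connect-AzAccount` session that can read role assignments.

```powershell
# Added example, not from the issue or the Az modules.
# Assumes an existing Connect-AzAccount session that can read role assignments.

function Get-DeniedActionFromError {
    param([Parameter(Mandatory)][string]$ErrorJson)
    $msg = (ConvertFrom-Json $ErrorJson).error.message
    # Pull object id, action and scope out of the standard ARM AuthorizationFailed text.
    $m = [regex]::Match($msg,
        "object id '(?<oid>[^']+)'.*action '(?<action>[^']+)' over scope '(?<scope>[^']+)'")
    if (-not $m.Success) { throw 'Unrecognised AuthorizationFailed message' }
    [pscustomobject]@{
        ObjectId = $m.Groups['oid'].Value
        Action   = $m.Groups['action'].Value
        Scope    = $m.Groups['scope'].Value
    }
}

function Test-AzActionPermitted {
    param([Parameter(Mandatory)][string]$ObjectId,
          [Parameter(Mandatory)][string]$Action,
          [Parameter(Mandatory)][string]$Scope)
    # App Service names allow only alphanumerics and hyphens; a dot in the
    # sites/<name> segment (e.g. '.azurewebsites.net') means the scope is malformed.
    $site = if ($Scope -match '/providers/Microsoft\.Web/sites/([^/]+)') { $Matches[1] }
    if ($site -and $site.Contains('.')) {
        return "Scope is invalid: site name '$site' contains a DNS suffix"
    }
    # Returns assignments at the scope and those inherited from resource group / subscription.
    $assignments = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope
    foreach ($a in $assignments) {
        $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
        # -like gives ARM-style wildcard matching, e.g. 'Microsoft.Web/sites/*'.
        $allowed = $def.Actions    | Where-Object { $Action -like $_ }
        $denied  = $def.NotActions | Where-Object { $Action -like $_ }
        if ($allowed -and -not $denied) {
            return "Allowed by role '$($def.Name)' assigned at '$($a.Scope)'"
        }
    }
    return "No role assignment grants '$Action' at '$Scope'"
}

# Constructed sample mirroring the scope in the description (placeholder ids and names).
$sample = '{"error":{"code":"AuthorizationFailed","message":"The client ''00000000-0000-0000-0000-000000000000'' with object id ''00000000-0000-0000-0000-000000000000'' does not have authorization to perform action ''Microsoft.Web/sites/config/list/action'' over scope ''/subscriptions/SUB-ID/resourceGroups/RG-NAME/providers/Microsoft.Web/sites/SITE-NAME.azurewebsites.net/config/publishingcredentials'' or the scope is invalid."}}'
$d = Get-DeniedActionFromError $sample
Test-AzActionPermitted -ObjectId $d.ObjectId -Action $d.Action -Scope $d.Scope
```

With the suffix present the function returns before any Az call; given a clean `sites/<name>` scope it queries the role assignments instead.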