Michael Chudinov

Reputation: 2968

How to give permission to deploy to a specific slot only?

I have a Web App in Azure with deployment slots. The application is placed in an ASE. I need a service principal (App registration) in Azure AD that has permission to deploy to only a specific slot, not the whole Web App.

A service principal with a "Contributor" role assignment was created for the TEST slot only. This service principal has no access to the whole web app and has no role there.

When deploying to the TEST slot, the following error comes up:

az login --service-principal --username XXX-XXX-XXX-XXX-XXX --password ... --tenant XXX-XXX-XXX-XXX-XXX

az webapp deployment source config-zip --resource-group myresgroup --name mywebapp --src archive.zip --slot test

ERROR: AuthorizationFailed - The client 'XXX-XXX-XXX-XXX-XXX' with object id 'XXX-XXX-XXX-XXX-XXX' 
does not have authorization to perform action 'Microsoft.Web/sites/publishxml/action' 
over scope '/subscriptions/XXX-XXX-XXX-XXX-XXX/resourceGroups/myresgroup/providers/Microsoft.Web/sites/mywebapp' 
or the scope is invalid. 
If access was recently granted, please refresh your credentials.

Is it possible to give a permission for deployment to a specific slot only?

Upvotes: 2

Views: 4052

Answers (1)

Michael Chudinov

Reputation: 2968

The solution is to define a custom role with permission to only do Microsoft.Web/sites/publishxml/Action.

I called the role Publishing profile reader.

  1. Create Publishing profile reader role at the Web App level.

The Publishing profile reader role is copied from the Contributor role; here is the JSON definition:

{
    "properties": {
        "roleName": "Publishing profile reader",
        "description": "Role has permission to read website publishing profile.",
        "assignableScopes": [
            "/subscriptions/xxx-xxx-xxx-xxx/resourceGroups/myresgroup/providers/Microsoft.Web/sites/mywebapp"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Web/sites/publishxml/Action"
                ],
                "notActions": [
                    "Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/elevateAccess/Action",
                    "Microsoft.Blueprint/blueprintAssignments/write",
                    "Microsoft.Blueprint/blueprintAssignments/delete",
                    "Microsoft.Compute/galleries/share/action"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
  2. Then assign this custom Publishing profile reader role at the main Web App to the service principal that is used for slot deployment.

  3. Assign the Contributor role to that service principal at the slot level.

Thus, this service principal can deploy to a slot, but has no permission for deployment to production.

Upvotes: 1
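The three steps of the answer scripted with the Azure CLI, as an added example that is not part of the original post. Subscription, resource group, app, slot and service principal values are placeholders; the role definition is the answer's, in the `az role definition create` input format (its NotActions are dropped because a role whose only action is `publishxml/Action` is not narrowed by them). By default the script only prints the commands; set `DRY_RUN=0` to run them.

```shell
#!/usr/bin/env sh
# Added example: grants slot-only deployment rights to a service principal.
set -eu

SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-myresgroup}"
WEBAPP="${WEBAPP:-mywebapp}"
SLOT="${SLOT:-test}"
SP_APP_ID="${SP_APP_ID:-11111111-1111-1111-1111-111111111111}"        # placeholder
ROLE_NAME="Publishing profile reader"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the az commands

# Resource ID of the web app: the scope the error message complained about.
webapp_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s' \
    "$SUBSCRIPTION" "$RESOURCE_GROUP" "$WEBAPP"
}

# Resource ID of the one slot the principal may deploy to.
slot_scope() {
  printf '%s/slots/%s' "$(webapp_scope)" "$SLOT"
}

# Custom role with the single action the deployment needs at app level,
# assignable only to this web app so it cannot be handed out elsewhere.
role_definition_json() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Role has permission to read website publishing profile.",
  "Actions": ["Microsoft.Web/sites/publishxml/Action"],
  "NotActions": [],
  "AssignableScopes": ["$(webapp_scope)"]
}
EOF
}

run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

deploy_permissions() {
  # 1. Create the custom role at the Web App level.
  run az role definition create --role-definition "$(role_definition_json)"
  # 2. Assign it on the main Web App so the principal can read the publish profile.
  run az role assignment create --assignee "$SP_APP_ID" --role "$ROLE_NAME" --scope "$(webapp_scope)"
  # 3. Contributor on the slot only; production gets no assignment for this principal.
  run az role assignment create --assignee "$SP_APP_ID" --role Contributor --scope "$(slot_scope)"
  # Check: the list should show exactly these two scopes and nothing broader.
  run az role assignment list --assignee "$SP_APP_ID" --all -o table
}

deploy_permissions
```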
