I have an Azure DevOps pipeline that is using the task AzureFunctionApp@1 to deploy a function app.
The pipeline is using a Service Connection with a principal called devops-intg-nurseryfees-nonprod. If I check the IAM blade for the resource group of the function app, I can see that the principal has a Current role assignment of a custom role that contains an action of Microsoft.Web/sites/*
However, when the devops task runs, I get the following error:
Failed to fetch App Service 'func-nurseryFees-dev-001' details. Error: The client 'svc-principal-guid' with object id 'svc-principal-guid' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/subscription-guid/resourceGroups/rg-nurseryFees-dev-001/providers/Microsoft.Web/sites/func-nurseryFees-dev-001' or the scope is invalid. If access was recently granted, please refresh your credentials. (CODE: 403)
Any ideas?
Upvotes: 0
Views: 876
The error message gave two possible causes. I'd focused on the 1st, "does not have auth", but it turned out the problem was "the scope is invalid".
There was a typo in the name of the resource group.
Note: the "true" scope string of a function app can be found in the Azure portal by clicking the "JSON View" link in the top-right of the overview page.
Upvotes: 0
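The check described in the answer can be done before touching any role assignment, so a misspelled scope is not "fixed" by granting a broader role. This is an added example, not part of the original posts: it extracts the scope from the 403 message and compares it segment by segment with the resource ID from JSON View. The function names are hypothetical and `ACTUAL_ID` is a constructed value, since the page does not say what the typo was.

```python
import re

# Matches the action and scope quoted in an ARM 403 authorization message.
ERROR_RE = re.compile(r"perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

# Error text as reported by the pipeline task in the question (shortened).
ERROR = ("The client 'svc-principal-guid' with object id 'svc-principal-guid' does not "
         "have authorization to perform action 'Microsoft.Web/sites/read' over scope "
         "'/subscriptions/subscription-guid/resourceGroups/rg-nurseryFees-dev-001/"
         "providers/Microsoft.Web/sites/func-nurseryFees-dev-001' or the scope is invalid.")

# CONSTRUCTED sample standing in for the ID copied from the portal's JSON View.
# The resource group spelling here is made up for the demonstration.
ACTUAL_ID = ("/subscriptions/subscription-guid/resourceGroups/rg-nurseryFee-dev-001/"
             "providers/Microsoft.Web/sites/func-nurseryFees-dev-001")

def parse_auth_error(message):
    """Return (action, scope) from an ARM authorization failure message."""
    m = ERROR_RE.search(message)
    if m is None:
        raise ValueError("not an ARM authorization error message")
    return m.group("action"), m.group("scope")

def split_resource_id(resource_id):
    """Turn '/subscriptions/x/resourceGroups/y/...' into ordered (key, value) pairs."""
    parts = [p for p in resource_id.strip().split("/") if p]
    if len(parts) % 2:
        raise ValueError("resource ID must consist of key/value segment pairs")
    return list(zip(parts[0::2], parts[1::2]))

def scope_mismatches(requested_scope, actual_id):
    """Return (key, requested, actual) for every segment pair that differs.
    Comparison ignores case, because ARM resource IDs are case-insensitive."""
    req, act = split_resource_id(requested_scope), split_resource_id(actual_id)
    diffs = []
    for i in range(max(len(req), len(act))):
        rk, rv = req[i] if i < len(req) else (None, None)
        ak, av = act[i] if i < len(act) else (None, None)
        if (rk or "").lower() != (ak or "").lower() or (rv or "").lower() != (av or "").lower():
            diffs.append((rk or ak, rv, av))
    return diffs

if __name__ == "__main__":
    action, scope = parse_auth_error(ERROR)
    for key, wanted, real in scope_mismatches(scope, ACTUAL_ID):
        print(f"{action}: segment {key!r} requested {wanted!r}, resource has {real!r}")
```

An empty result means the scope string matches the real resource, and the role assignment itself is the next thing to inspect.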