-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Webapp:Cannot update config of app service which has setting access restriction by subnet. #14857
Comments
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp. |
webapp |
Is there any update on this? |
Assigning to myself to do repro |
hello @ThejaChoudary please let me know if you need further information to do it. |
@hihorika can you run the command with --debug & share the logs please? it could be that that the API requires specific permissions on the VNET - which the Contributor role doesn't have. the logs will help us narrow down if this is API or CLI |
The debug log which show 403 error is following. I wonder why the cli command returns 403 and a user who has same role can do same operation successfully on Azure portal.
|
There is a difference between REST APIs used by the cli and portal.
It seems that this causes the difference result. |
Hello @panchagnula , @ThejaChoudary I suppose that this issue is caused by both of followings:
I checked both of the payloads with/without Could you please take a look this behavior and let me know why the payload of the cli includes This property is already configured, so I think the payload in the cli doesn't need to contain the property. And our customer doesn't want to add any role for VNET/subnet I would appreciate your help. |
@hihorika in CLI we get the full SitePayload as per the API https://docs.microsoft.com/en-us/rest/api/appservice/webapps/get |
Thanks @panchagnula I will send followins as workaround:
But it doesn't seem reasonable that the SP needs to has the action for the VNET/subnet even though the user doesn't change the network configuration. Do we have a plan to change this behavior in the future, not soon? |
@panchagnula I talked to @madsd and he was going to help take a first pass with all the access restrictions related items. |
…access restriction (#15945) * Let users update webapp config even with webapp access restriction * Added tests
This is autogenerated. Please review and update as needed.
Describe the bug
Command Name
az webapp config set
Errors:
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
az login
using a service principal which has a contributor role of the App Service and doesn't have any role the VNET.az webapp config set --resource-group {} --name {} --always-on {}
Expected Behavior
The final command would be succeeded.
Environment Summary
Additional Context
It is confirmed that this issue happens when executing not only
az webapp config set
but alsoaz webapp config * set
The text was updated successfully, but these errors were encountered: