1

I have configured an Azure Web App with a private endpoint and want to deploy to it using Azure DevOps. I have found this possibility using Azure Blob storage and Azure CLI: https://azure.github.io/AppService/2021/03/01/deploying-to-network-secured-sites-2.html

The following Azure CLI webapp deploy command:

az webapp deploy --name $WEBAPP --resource-group $GROUP --type zip --src-url  $ZIP_URL --async false

However, it gives the following HTTP 403 error: The web app you have attempted to reach has blocked your access.

I am using a service principal to login.

Any clues what I am missing here?

9
  • Does the service principal have the right rights to deploy to this web app? Commented Mar 21, 2022 at 13:45
  • What rights would be needed? Commented Mar 21, 2022 at 13:51
  • (it currently has Contributor rights) Commented Mar 21, 2022 at 13:57
  • Contributor should be good. Everything else is set up correctly? You're logged in with the correct service principal? What happens when you try this method of deploying the web app from your machine? Commented Mar 21, 2022 at 14:20
  • I would use the built-in Azure web app task that is provided by Azure DevOps. You will connect your subscription and you will select your web app. Then the only thing that you will need to specify is the .zip location. - task: AzureWebApp@1 Commented Mar 21, 2022 at 14:56

3 Answers

3

I had the same problem and opened a Microsoft Support ticket. That was the answer: There is a problem with "az webapp deploy --src-url": It actually doesn't go via ARM API, but directly to the scm endpoint of the web-app (which is blocked due to private endpoint setup).

az webapp deploy not going via ARM proxy

There is a bug reported to fix this: https://github.com/Azure/azure-cli/issues/21168

The solution in the meantime is not to use the Azure CLI command "az webapp deploy", but to call the ARM API directly. In your case it's something like this:

az rest --method PUT --uri https://management.azure.com/subscriptions/${SUBSCRIPTIONID}/resourceGroups/${RESOURCEGROUP}/providers/Microsoft.Web/sites/${WEBAPP}/extensions/onedeploy?api-version=2022-03-01 --body '{"properties": {"type": "zip", "packageUri": ${ARTIFACTURL} }}'

rest particularly uses ARM proxy

This call will go via ARM proxy and won't be blocked by your private endpoint setup.


3 Comments

The command: "az rest --method PUT ..." gives the error: "ERROR: Bad Request({"error":{"code":"BadRequest","message":"System.NullReferenceException: Object reference not set to an instance of an object.\r\n at Kudu.Services.Deployment.PushDeploymentController.<OneDeploy>d__13.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Services\\Deployment\\PushDeploymentController.cs:line 187"}}"
Can you paste your full command (custom ids and SAS substituted)? Also make sure the SAS, or your link, points directly to your file to deploy and not a folder.
Can you add to your answer how we can update the deployment logs? Currently through oneDeploy we can't trace back to the exact pipeline run.
3

Using the earlier suggested solution, I ran into the following error:

"ERROR: Bad Request({"error":{"code":"BadRequest","message":"System.NullReferenceException: Object reference not set to an instance of an object.\r\n at Kudu.Services.Deployment.PushDeploymentController.<OneDeploy>d__13.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Services\\Deployment\\PushDeploymentController.cs:line 187"}}"

I solved this by adjusting "packageUri": ${ARTIFACTURL} to "packageUri": "'"${ARTIFACTURL}"'".

The full working task for me looks like the following:

- task: AzureCLI@2
  displayName: Azure CLI
  inputs:
    azureSubscription: 'customer a'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      # SAS expiry timestamp in UTC, derived from EXPIRY_TIME
      EXPIRY=$(date -u -d "$EXPIRY_TIME" '+%Y-%m-%dT%H:%MZ')
      # Upload the build artifact to the storage container
      az storage blob upload -f $(Pipeline.Workspace)/**/*.zip --account-name $ACCOUNT -c $CONTAINER
      # Read-only SAS URL for the blob; xargs strips the quotes around the CLI output
      ZIP_URL=$(az storage blob generate-sas --full-uri --permissions r --expiry $EXPIRY --account-name $ACCOUNT -c $CONTAINER -n s.zip | xargs)
      # "'"${ZIP_URL}"'" leaves the single-quoted body, expands the variable, and re-enters it,
      # so packageUri is sent as a quoted JSON string
      az rest --method PUT --uri https://management.azure.com/subscriptions/${SUBSCRIPTIONID}/resourceGroups/${GROUP}/providers/Microsoft.Web/sites/${WEBAPP}/extensions/onedeploy?api-version=2022-03-01 --body '{"properties": {"type": "zip", "packageUri": "'"${ZIP_URL}"'" }}'


1

If the above doesn't work, then replace " with '. The below works for me:

az rest --method PUT --uri https://management.azure.com/subscriptions/${SUBSCRIPTIONID}/resourceGroups/${GROUP}/providers/Microsoft.Web/sites/${WEBAPP}/extensions/onedeploy?api-version=2022-03-01 --body "{'properties': {'type': 'zip','packageUri': '${ZIP_URL}' }}"
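
The quoting fix from the answers above, as an added example that is not part of the original thread: it builds the onedeploy body with the SAS URL expanded and JSON-quoted, shows what the single-quoted form actually sends, and masks the SAS signature for logging. The function names and the sample URL are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): build and sanity-check the onedeploy body.

# Escape backslashes and double quotes so a value can sit inside a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit the request body used in the answers, with the URL expanded and quoted.
# Rejects non-https URLs and URLs whose path is not a .zip file (the comments
# above ask for a link to the file itself, not a folder).
onedeploy_body() {
  case $1 in
    https://*) ;;
    *) echo "packageUri must be an https URL" >&2; return 1 ;;
  esac
  case ${1%%\?*} in
    *.zip) ;;
    *) echo "packageUri must point at the .zip blob itself" >&2; return 1 ;;
  esac
  printf '{"properties": {"type": "zip", "packageUri": "%s"}}' "$(json_escape "$1")"
}

# The first answer's body: inside single quotes the shell expands nothing, so
# the literal text ${ZIP_URL} is sent instead of a quoted URL.
broken_body() {
  printf '%s' '{"properties": {"type": "zip", "packageUri": ${ZIP_URL} }}'
}

# Mask the SAS signature before a body or URL is written to a pipeline log.
redact_sas() {
  sed 's/\([?&]sig=\)[^&"]*/\1REDACTED/g'
}

# Call ARM with the checked body; SUBSCRIPTIONID, GROUP and WEBAPP as in the answers.
deploy_via_arm() {
  body=$(onedeploy_body "$1") || return 1
  az rest --method PUT --body "$body" --uri \
    "https://management.azure.com/subscriptions/${SUBSCRIPTIONID}/resourceGroups/${GROUP}/providers/Microsoft.Web/sites/${WEBAPP}/extensions/onedeploy?api-version=2022-03-01"
}

# Constructed sample value, not a real SAS URL.
ZIP_URL='https://example.blob.core.windows.net/deploy/s.zip?sp=r&se=2030-01-01T00:00Z&sig=PLACEHOLDER'

echo "broken: $(broken_body)"
echo "fixed:  $(onedeploy_body "$ZIP_URL" | redact_sas)"
```

The SAS URL grants read access to the package to anyone who holds it until it expires, so keep the read-only permission and a short expiry as in the pipeline task above, and log only the redacted form.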
