I'm using Octopus Deploy to deploy an Azure WebApp, using Service Principal as the authentication mechanism. Following online instructions, I was able to obtain all the IDs and a key, and I created permissions in AAD for the app with a Reader role.
Octopus can successfully retrieve a list of webapps from Azure for the account, but when I deploy I get the following:
System.AggregateException: One or more errors occurred. ---> System.Exception: Retrieving publishing credentials failed with HTTP status 403 - Forbidden
I'm guessing that the Reader role is not authorized for deployments - which would be the most appropriate role? Or is there something else I need to do?
Your Service Principal will need the Contributor role in order to deploy on Azure.
If you take a look at the example PowerShell script we provide in our Azure Service Principal Account guide, you'll see that we assign "Contributor" for the role definition argument.
i.e.
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApplication.ApplicationId
Hope this helps.
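A variant of the role assignment above that limits Contributor to the one resource group holding the WebApp, added here as an example and not taken from the original answer or from the Octopus guide. It assumes the AzureRM module with an already authenticated session; the parameter names and the script layout are illustrative.

```powershell
# Added example. Parameter values are supplied by the caller; none come from the thread.
param(
    [Parameter(Mandatory)] [string] $ApplicationId,      # Application ID of the Service Principal
    [Parameter(Mandatory)] [string] $ResourceGroupName,  # resource group that contains the WebApp
    [string] $RoleName = 'Contributor'                   # role named in the answer above
)

$ErrorActionPreference = 'Stop'

# List what the Service Principal already holds at this resource group.
# By default the result also includes assignments inherited from parent
# scopes (for example the subscription), so check the Scope column.
$existing = @(Get-AzureRmRoleAssignment `
        -ServicePrincipalName $ApplicationId `
        -ResourceGroupName $ResourceGroupName)

Write-Host "Current assignments for $ApplicationId"
$existing | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize | Out-String | Write-Host

$alreadyAssigned = $existing | Where-Object { $_.RoleDefinitionName -eq $RoleName }

if ($alreadyAssigned) {
    # Nothing to do: the role is present here or inherited from a parent scope.
    Write-Host "$RoleName is already in effect at scope(s): $($alreadyAssigned.Scope -join ', ')"
}
else {
    # Grant the role on the resource group only, not on the whole subscription.
    New-AzureRmRoleAssignment `
        -RoleDefinitionName $RoleName `
        -ServicePrincipalName $ApplicationId `
        -ResourceGroupName $ResourceGroupName | Out-Null
    Write-Host "Assigned $RoleName on resource group $ResourceGroupName"
}

# Show the effective assignments so the change can be reviewed.
Get-AzureRmRoleAssignment -ServicePrincipalName $ApplicationId -ResourceGroupName $ResourceGroupName |
    Select-Object RoleDefinitionName, Scope
```

If the output shows Contributor with a subscription-level Scope, the Service Principal can modify every resource in that subscription, which is broader than a single WebApp deployment needs.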