
Permission to view Azure webjobs logs


I would like to give read access to multiple colleagues to read Azure webjobs logs.

Azure WebJobs logs button

If you click on the button in the logs column, a new webpage opens that looks something like this: https://<app_name>.scm.azurewebsites.net

Currently, colleagues have read access to the entire RG, which includes the webapp.

Information: "You only have read access to this web app, some controls may be disabled"

Problem: Colleagues cannot click on the icon under the logs column.

I have tried to give the following privileges, but these privileges provide too powerful a role:

  • Website Contributor
  • Contributor
  • Owner

I want them to be able to read the logs only, but not to have any other rights. Or can you suggest a better alternative?

If the information is relevant for permissions, different app service plans are currently used. There are Basic, Standard, Premium v2 and v3.

I also saw this post, but I consider this permission to be too much: Role for reading webjobs logs in Azure/Kudu


Solution

  • If you want to apply a specific role to your user, you need to create a custom role like below:-

    Visit your Subscription > Access control (IAM) > Add custom role. In the Basics tab, add a custom role name and choose Start from scratch. In Permissions, select the specific role for your webjob (whether continuous or triggered) and web app to get the logs:-

    In addition, in order to retrieve https://webapp0980.scm.azurewebsites.net > Logs, you cannot access the Kudu tool in the UI, as the support for its access was declined, according to this MS Forum:

    As mentioned in the feedback link "read-only role for Kudu", the ask for a read-only role for Kudu has been declined, as access to Kudu intrinsically requires Contributor access.

    You can raise a new feature request for a custom Kudu based role.

    But you can add the roles below to get the web app logs with the Azure CLI via command, even without the UI access:-

    You can select the assignable scope as your Web App directly or at subscription level, like below:-

    Create the role and assign it to the user and run the command to download the logs:-

    az webapp log download --name webapp0980 --resource-group siliconrg54
    

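The role-creation steps from the answer, scripted with the Azure CLI as an added example (not code from the answer or from Microsoft). The role name and the list of read-only `Microsoft.Web` operations are assumptions, since the page does not list the permissions the answer selected; the app and resource group names come from the answer's command, and the subscription and assignee are placeholders.

```shell
# Added example. The action list is an assumed set of read-only Microsoft.Web
# operations; the role name is hypothetical; <...> values are placeholders.
ROLE_NAME="WebJob Log Reader (example)"

# Print a custom role definition that allows only reads on the site and its WebJobs.
role_definition_json() {  # $1 = subscription id, $2 = resource group
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Read web app and WebJob metadata and run history only.",
  "Actions": [
    "Microsoft.Web/sites/read",
    "Microsoft.Web/sites/webjobs/read",
    "Microsoft.Web/sites/continuouswebjobs/read",
    "Microsoft.Web/sites/triggeredwebjobs/read",
    "Microsoft.Web/sites/triggeredwebjobs/history/read"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$1/resourceGroups/$2"]
}
EOF
}

# Print every entry of "Actions" that is not a plain read (wildcard, write,
# delete, .../action). No output means the role grants nothing beyond reads.
non_read_actions() {  # role JSON on stdin
  tr -d '\n' |
    sed -E 's/.*"Actions"[[:space:]]*:[[:space:]]*\[([^]]*)\].*/\1/' |
    grep -oE '"[^"]+"' | tr -d '"' | grep -viE '/read$' || true
}

# Create the role, then assign it on the web app only (not the whole resource group).
create_and_assign() {  # $1 = subscription, $2 = resource group, $3 = app, $4 = assignee
  def=$(role_definition_json "$1" "$2")
  if [ -n "$(printf '%s' "$def" | non_read_actions)" ]; then
    echo "refusing: role contains non-read actions" >&2; return 1
  fi
  az role definition create --role-definition "$def" &&
    az role assignment create --assignee "$4" --role "$ROLE_NAME" \
      --scope "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Web/sites/$3"
}

# Usage (names taken from the answer's command; other values are placeholders):
# create_and_assign "<subscription-id>" siliconrg54 webapp0980 "<user-object-id>"
```

The built-in Reader role already includes every `*/read` operation, so this role narrows what a user can see rather than adding access. If `az webapp log download` needs more in your environment, any extra permission added to the definition is reported by `non_read_actions` and blocks creation until it is reviewed.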