I would like to give read access to multiple colleagues to read Azure webjobs logs.
If you click on the button in the logs column, a new webpage opens that looks something like this:
Currently, colleagues have read access to the entire RG, which includes the webapp.
Information: "You only have read access to this web app, some controls may be disabled" Problem: Colleagues cannot click on the icon under the logs column.
I have tried to give the following privileges, but these privileges provide too powerful a role:
I want them to be able to read the logs only, but not to have any other rights. Or can you suggest a better alternative?
If the information is relevant for permissions, different app service plans are currently used. There is basic, standard, premium v2 and v3.
I also saw this post, but I consider this permission to be too much. Role for reading webjobs logs in Azure/Kudu
If you want to apply a specific role to your user, You need to create a custom role like below:-
Visit your Subscription > Access control (IAM) > Add custom role > In Basics tab add Custom role name Start from scratch > In permissions > Select the specific role for your webjob whether continous or triggered webjob and web app to get the logs:-
In addition in order to retrieve
https://webapp0980.scm.azurewebsites.net > Logs, You cannot access the Kudu tool in UI as the support for its access was declined, According to this MS Forum
As mentioned in the feedback link read-only role for Kudu the ask for read only role for Kudu has been declined, as access to Kudu intrinsically requires Contributor access.
You can raise a new feature request for a custom Kudu based role.
But you can Add the roles below to get the Web app logs with Azure CLI via command even without the UI access:-
You can select assignable scope to your Web App directly or at subscription level like below:-
Create the role and assign it to the user and run the command to download the logs:-
az webapp log download --name webapp0980 --resource-group siliconrg54