Permission to view Azure webjobs logs
I would like to give read access to multiple colleagues to read Azure webjobs logs.
If you click on the button in the logs column, a new webpage opens that looks something like this: https://<app_name>.scm.azurewebsites.net
Currently, colleagues have read access to the entire RG, which includes the webapp.
Information: "You only have read access to this web app, some controls may be disabled" Problem: Colleagues cannot click on the icon under the logs column.
I have tried to give the following privileges, but these privileges provide too powerful a role:
- Website Contributor
- Contributor
- Owner
I want them to be able to read the logs only, but not to have any other rights. Or can you suggest a better alternative?
If the information is relevant for permissions, different app service plans are currently used. There is basic, standard, premium v2 and v3.
I also saw this post, but I consider this permission to be too much. Role for reading webjobs logs in Azure/Kudu
If you want to apply a specific role to your user, You need to create a custom role like below:-
Visit your Subscription > Access control (IAM) > Add custom role > In Basics tab add Custom role name Start from scratch > In permissions > Select the specific role for your webjob whether continous or triggered webjob and web app to get the logs:-
In addition in order to retrieve https://webapp0980.scm.azurewebsites.net > Logs, You cannot access the Kudu tool in UI as the support for its access was declined, According to this MS Forum
As mentioned in the feedback link read-only role for Kudu the ask for read only role for Kudu has been declined, as access to Kudu intrinsically requires Contributor access.
You can raise a new feature request for a custom Kudu based role.
But you can Add the roles below to get the Web app logs with Azure CLI via command even without the UI access:-
You can select assignable scope to your Web App directly or at subscription level like below:-
Create the role and assign it to the user and run the command to download the logs:-
az webapp log download --name webapp0980 --resource-group siliconrg54
Output:-
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Terraform and Azure: Problems with association between NetworkSecurityGroups and Subnets
- connecting Azure DevOps organisation with Azure creates resource groups in Azure
- How to find a driveItem ID given only a document URL?
- Is it possible to scale Azure app services programmatically
- How Does Setting AZCOPY_JOB_PLAN_LOCATION and AZCOPY_LOG_LOCATION Improve Disk Usage?
- AADB2C90068: The provided application with ID is not valid against this service. Please use an application created via the B2C portal and try again
- Limit users allowed with Entra and Accounts in any organizational account and personal Microsoft accounts
- Can't create support request in Asure, despite correct subscription
- Deploy Container App from Bitbucket to Azure
- How to upload large files to Onedrive using python
- How to query Azure DevOps Work Items using client_id and client_secret