I have set up an Azure App Service which uses the container publishing model. Everything works as expected, but I want to automate deployments with a GitLab pipeline. Therefore, I created a Service Principal and gave it the Contributor role for the App Service. However, in the job logs I can see the following error:
ERROR: (AuthorizationFailed) The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope '/subscriptions/yyy/resourceGroups/my-resource-group/providers/Microsoft.Web/serverfarms/foo' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
This is my pipeline:
deploy:
  image: mcr.microsoft.com/azure-cli
  stage: deploy
  before_script:
    - az login --service-principal -u $AZURE_SP_ID -p $AZURE_SP_PASSWORD -t $AZURE_TENANT
    - az extension add --name webapp --upgrade
  script:
    - az webapp config container set --name $AZURE_APP_NAME --resource-group $AZURE_APP_RESOURCE_GROUP
      --container-image-name ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}
  rules:
    - if: $CI_COMMIT_TAG
When I assign the Service Principal the Contributor role at the subscription level, everything works. But wouldn't that allow the service principal to access all resources under that subscription?
The issue was that I needed to give the Reader role on the App Service Plan. Giving the Contributor role on the App Service itself is not enough.
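The two resource-scoped role assignments the answer describes, as an added example (not code from the question or the answer): Contributor on the Web App (Microsoft.Web/sites) and Reader on its App Service Plan (Microsoft.Web/serverfarms, the resource type named in the AuthorizationFailed error), instead of Contributor on the whole subscription. The scope builders are pure functions so the IDs can be checked without an Azure login; the `apply` path uses the real `az role assignment create` and `az role assignment list` commands. The names `my-resource-group`, `my-webapp` and `foo`, and the `SUBSCRIPTION_ID` variable, are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Least-privilege role assignments for a GitLab deploy Service Principal:
#   Contributor on the Web App itself, Reader on its App Service Plan.
set -eu

# ARM resource ID of a Web App (Microsoft.Web/sites).
webapp_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s' "$1" "$2" "$3"
}

# ARM resource ID of an App Service Plan (Microsoft.Web/serverfarms).
# This is the scope that appeared in the AuthorizationFailed error.
plan_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/serverfarms/%s' "$1" "$2" "$3"
}

# Emit the assignments the deploy job needs, one per line as "<role>|<scope>".
# Kept free of az calls so it can be reviewed or tested offline.
required_assignments() {
  sub="$1"; rg="$2"; app="$3"; plan="$4"
  printf 'Contributor|%s\n' "$(webapp_scope "$sub" "$rg" "$app")"
  printf 'Reader|%s\n' "$(plan_scope "$sub" "$rg" "$plan")"
}

# Look up the plan a Web App runs on, so the plan name need not be typed by hand.
# Requires an existing `az login` with read access to the Web App.
lookup_plan_scope() {
  az webapp show --resource-group "$1" --name "$2" --query appServicePlanId -o tsv
}

# Create the assignments. The logged-in identity must be allowed to create
# role assignments on these resources (e.g. Owner or User Access Administrator
# on the resource group). Re-running is safe: az reports an existing identical
# assignment without creating a duplicate.
apply_assignments() {
  sp_app_id="$1"; sub="$2"; rg="$3"; app="$4"; plan="$5"
  required_assignments "$sub" "$rg" "$app" "$plan" | while IFS='|' read -r role scope; do
    az role assignment create \
      --assignee "$sp_app_id" \
      --role "$role" \
      --scope "$scope" \
      --output none
  done
}

# Show what the Service Principal actually holds; a missing Reader row for the
# serverfarms scope is exactly what produced the error in the question.
show_assignments() {
  az role assignment list --assignee "$1" --all \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

if [ "${1:-}" = "apply" ]; then
  # Placeholder values; replace with your own. AZURE_SP_ID is the SP's appId,
  # the same value the pipeline passes to `az login -u`.
  apply_assignments "$AZURE_SP_ID" "$SUBSCRIPTION_ID" "my-resource-group" "my-webapp" "foo"
  show_assignments "$AZURE_SP_ID"
fi
```

Run it as `sh assign-roles.sh apply` after `az login` as a user who may assign roles. If the plan name is unknown, `lookup_plan_scope my-resource-group my-webapp` returns the full plan resource ID, which can be passed straight to `az role assignment create --scope`. Keeping the SP's Contributor scope at the Web App means the pipeline can still change the container image, but cannot touch other resources in the subscription.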