How to set file/folder permission for azure cloud service package - azure

I'm using VSTS to deploy a azure cloud service package and getting a file access issue for web.config not able to be written to after a successful deployment.
At the moment I manually set the file permission via RDP to correct it for eg. on e:\siteroot\1\Web.config (Everyone FC)
To avoid this manual step - how can I set a folder/file permission for a file under cloud service deployment.

The issue seems not related to azure projects directly. It's not suggest to give a permission with Everyone FC, this may cause security risk.
For Azure Cloud Services Web Roles, the default Application Pool Identity account is “Network Service”.
In a normal basis the Application Pool account needs read permission over the web.config file so it can read all the application configuration.
For this kind of issue, you could creating a Startup Task to give write permission to Network Service in the application Web.config file.
Please go through the detail steps in this similar issue: Error “Access to the path ‘E:sitesrootWeb.config’ is denied” when storing Azure AD’s public key in Web.config of an Azure Cloud Services application.
Also take a look at this related question: Web.config Access denied when Package Azure cloud services projects in Visual Studio 2013 for Web

You can create a .bat file where you call the icacls command with the parameters you prefer:
How to grant permission to users for a directory using command line in Windows?
and then you can configure a startup task for your cloud service to run this file:
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-startup-tasks

Related

Azure Linux Web App Service - System.IO.IOException: Readonly File Error

The web app already running on .NET Core 3.1 LTS with IIS (windows server 2019)
Recently, I deployed as an Azure Web App Service but I encountered a file write error.
The application trying to create a new file for some business requirement.
Error message; System.IO.IOException: Read-only file system
Has anyone encountered this problem on Azure Linux Web App?
Solved: The Azure Linux Web App Service doesn't support directly file uploading to a regular folder under the wwwRoot. If you can running on the linux web app service, you need to use blob / storage etc..
Azure web app recommends that the wwwroot folder has read and write permissions. Whether it's Linux or Windows, it's the same.
In addition, it is not recommended to put the content of file operations in the project directory. For example, excel files generated under a certain business or uploaded image files in the deployment file. And the files are recommended to be stored in azure storage.
From the information which you have provided we can understand that there is any issue in creating a file in a specific directory where you don’t have access to it.
Refer to this SO thread where we got the insights to disable read-only mode, thanks to MarkXA.
Make sure that you have provided correct path whether it is any storage account or local storage where you are getting files. Also, if possible, elaborate your questions with full error trace, path you are using to access.

Azure web hosting using FTP / MS WebDeploy

Can I host a web application created on .net core 2.1 with sql server as database to azure web app service using CI tools / MS WebDeploy?
The following points I want to take care:
The application is using file system for temp storage and file storage
Deployment should be managed by some CI tools such as jenkins
After deployment, the app settings file should be modified with some keys/server details
Log files(stored on app root) should be accessible by application administrator
Is there a way to create a virtual directory same as in IIS and upload the files using FTP or similar protocols..?
All your doubts about deploying .net core 2.1 web app are achievable.
Suppose our projects are all completed and uploaded to github.
Questions and explanations about your concerns:
About the connection configuration using the database, you can directly configure it in web.config. If you are using azure sql server, find the connection string, set up the firewall, and pass the SSMS test, you can test the connection in the code. It can also be added in the Configuration -> Application settings -> Connection strings in the portal. After the addition, the priority is higher than the configuration in web.config, which will override the configuration and not modify the web.config file.
Regarding the use of file storage, you can use azure storage services or not. Looking specifically at the business, for example, very small pictures, documents and other files can be stored in the current program running directory, which is consistent with the original development at the code level. When publishing, you need to include the MyFiles file in the publishing process, or wait for the publishing to be completed and add folders manually in kudu, or the program can judge. It is recommended to use the program to judge that the subsequent program upgrade will not lose data.
The confidential information in the app settings file can actually be configured in web.config or appsetting.json. Make sure that the offline project is running properly when you are debugging locally, and then you can publish it. The rest is configured in the portal as in the first explanation.
The Log Files file storage can fully achieve the effect you want. It should be enough to set the owner permissions of this app services. For details, please refer to the official documentation.
Virtual directories and virtual applications, I have a better answer in another post here, you can refer to it.
Steps:
First of all, we can create a web app in portal and select .net core 2.1. Create appservices, and click Deployment Center when finished.
Follow the prompts step by step, and wait until the Action in github is completed, and the release is successful.

Octopus Deploy's Permissions for Web Site Files

I have several ASP.NET Core Web API services that are deployed via Octopus Deploy (v2019.12.1) to IIS.
I am trying to figure out how the permissions work to the files. When I look at the files/folders, they do not have any any permissions setup on them to allow the App Pool to access them. I don't understand how this works. But I did not care until today when stopped working.
I setup a file share to the Applications folder under the Octopus2 directory. When I did that it all stopped working. My sites now give me an error saying that they do not have permissions to access the config file.
When I look up fixes for this, they say I need to add the App Pool to the file/folder security. When I do this it works... until the next deploy when octopus makes another folder that does not have the added permissions. I could move those permissions up a folder, but then I am moving to manually managing it.
And somehow it worked without giving the App Pool direct permissions. So here is my question:
For an Octopus Deploy IIS Web Application, how does the application have access to the config file? (Assuming you did not do anything beyond the basic template for an IIS Web Application (and supplying a user for the App Pool).
In my case I'm using the custom installation folder where I'm keeping all my applications.
D:\Applications
D:\Applications\Product\Services\App1
D:\Applications\Product\Services\App2
Before any deployment I have a step (required step) in order to set up root home directory as above.
Create Folder step
I'm granting all IIS application's identities ability to access their installation folder.
In case you are using Octopus installation directory you can create child step which will grant desired permission to your application identity.
Application directory:
Octopus.Action.Package.InstallationDirectoryPath
Octopus System Variables

Changing AppPool folder permissions in Azure App Service - IIS APPPOOL\MyUserName

I've deployed nopCommerce as an Azure App Service using the simple Web Publish option.
Having then tried to configure the installation by running the nopCommerce installer I receive the following errors.
The 'IIS APPPOOL\MyUserName' account is not granted with Modify permission on folder....
Now normally this would be a trivial fix as I would login the application IIS server and presumably grant modify permissions to the IIS APPPOOL user for the given folders. However because this is an Azure App Service, I do not believe there is any way to login to the actual VM that runs all my application instances and thereby grant permissions to the APPPOOL user.
So is there some way to work around this? Can I grant these permissions using some other means for an Azure App Service (for example using the console in Azure)?
For anyone curious the actual solution was creating these folders.
wwwroot\bin
wwwroot\log
and the files:
installedPlugins.json
dataSettings.json
Once I added those files/folders I was able to successfully complete the installation.

Azure cloud service cannot read from web project's web.config

The config value is stored in the Web.config. When I build the web project, the Web.config gets copied to the build folder as {ProjectName}.dll.config. Running the web app locally works fine, the config value gets read without problem using ConfigurationManager.AppSettings["{key}"];.
When I build the cloud service however, the {ProjectName}.dll.config does not get copied to the cspkg file that I upload and run on Azure. I would expect it to be in approot/bin. However there is a Web.config in approot.
Running on Azure the app fails when trying to read from the app settings using ConfigurationManager.AppSettings["{key}"];.
I am aware of CloudConfigurationManager but I would like to avoid having to maintain the configuration in both, Web.config and the cloud cscfg.
The service configuration file specifies the number of role instances to deploy for each role in the service, the values of any configuration settings, and the thumbprints for any certificates associated with a role.
In Solution Explorer, select Properties>Development>Service Configuration and set the value as Cloud.
Then, set the web role's Service Configuration as Cloud.
In setting tab, Add Setting about connection string and what you want to store.
The following code illustrates an example of how to access a connection string. Replace the placeholder with the appropriate value.
// Setup the connection to Azure Storage
var storageAccount = CloudStorageAccount.Parse(RoleEnvironment.GetConfigurationSettingValue("<ConnectionStringName>"));
For more details about how to configure Azure Cloud service roles with Visual Studio, you could refer to this article.

Resources