Running script in Azure WebJob requiring elevated permissions - azure

I have a function app, in the app service I am adding a webjob, which would run a .cmd or .ps1 script for some functionality required by the function app. The script requires administrator permissions. I am trying to run the webjob, but the logs show me the error that admin rights are required. How can I run the webjob with elevated permissions?

Web Jobs and Function Apps are running on App Service, which is running inside a sandbox. You can't get administrator permissions in App Service.
Read about the limitations and possibilities in Azure Web App sandbox.

Related

Changing AppPool folder permissions in Azure App Service - IIS APPPOOL\MyUserName

I've deployed nopCommerce as an Azure App Service using the simple Web Publish option.
Having then tried to configure the installation by running the nopCommerce installer I receive the following errors.
The 'IIS APPPOOL\MyUserName' account is not granted with Modify permission on folder....
Now normally this would be a trivial fix as I would login the application IIS server and presumably grant modify permissions to the IIS APPPOOL user for the given folders. However because this is an Azure App Service, I do not believe there is any way to login to the actual VM that runs all my application instances and thereby grant permissions to the APPPOOL user.
So is there some way to work around this? Can I grant these permissions using some other means for an Azure App Service (for example using the console in Azure)?
For anyone curious the actual solution was creating these folders.
wwwroot\bin
wwwroot\log
and the files:
installedPlugins.json
dataSettings.json
Once I added those files/folders I was able to successfully complete the installation.

How to set file/folder permission for azure cloud service package

I'm using VSTS to deploy a azure cloud service package and getting a file access issue for web.config not able to be written to after a successful deployment.
At the moment I manually set the file permission via RDP to correct it for eg. on e:\siteroot\1\Web.config (Everyone FC)
To avoid this manual step - how can I set a folder/file permission for a file under cloud service deployment.
The issue seems not related to azure projects directly. It's not suggest to give a permission with Everyone FC, this may cause security risk.
For Azure Cloud Services Web Roles, the default Application Pool Identity account is “Network Service”.
In a normal basis the Application Pool account needs read permission over the web.config file so it can read all the application configuration.
For this kind of issue, you could creating a Startup Task to give write permission to Network Service in the application Web.config file.
Please go through the detail steps in this similar issue: Error “Access to the path ‘E:sitesrootWeb.config’ is denied” when storing Azure AD’s public key in Web.config of an Azure Cloud Services application.
Also take a look at this related question: Web.config Access denied when Package Azure cloud services projects in Visual Studio 2013 for Web
You can create a .bat file where you call the icacls command with the parameters you prefer:
How to grant permission to users for a directory using command line in Windows?
and then you can configure a startup task for your cloud service to run this file:
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-startup-tasks

How to execute appcmd on Azure Web App box?

I'd like to execute a
appcmd set config /commit:WEBROOT /section:sessionState /mode:StateServer /stateConnectionString: tcpip=loopback:42424 /stateNetworkTimeout: 120 /useHostingIdentity:True
command on the box belonging to an Azure Web App. The console is a "sandbox environment", so I don't necessarily expect to have enough privileges, but appcmd is not recognized as a command.
Same thing happened with the KUDU special console - which looked more promising in terms of potential privileges to carry out the task -, both with the CMD and the PowerShell console.
My main goal is to start the IIS's State Server. How to start ASP.Net State Service in Azure mentions "startup task", but I couldn't figure out how to do that. https://technet.microsoft.com/en-us/library/cc732412(v=ws.10).aspx quotes appcmd.
Per your link in your question: Startup tasks are for web/worker roles in Cloud Services, not Web Apps (completely different things; web/worker role instances are Windows Server instances, not a sandboxed environment).
You cannot enable IIS State Server on Web Apps. You'll need to store your session state in something like Redis Cache service, which runs independent of Azure Web Apps. Really, you can use any cache (or storage) you want that's external to the Web App sandbox, as long as you have proper drivers/providers for what you choose.

Why can I publish individual web jobs but not a web project with a list of web jobs?

We have a WebJobs-enabled project that we use to deploy and schedule WebJobs. A couple of our developers are able to publish the project but I am getting an error when attempting to do so. The publish itself succeeds but I get a bunch of errors at the very end saying:
An error occurred while creating the WebJob schedule: ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
I have tried to publish a WebJob on its own using the Publish as a WebJob command and it worked just fine. The publish profile that I am using validates just fine too. Why does it work for one but not for the other?
My account with Co-administrator privileges on the subscription, I could publish my WebJobs-enabled project to Azure App Service successfully (both website and webjob run fine). This thread discussed a similar issue, and we could find that account without Co-administrator privileges may cause this issue, so please make sure whether your account has Co-administrator privileges.

Error from Microsoft-Windows-Security-Auditing when deploying Azure Web Role

I get these or these errors everytime I deploy my service. The first time I update/deploy the application it hangs with these errors. The app runs with elevated privileges. When I reboot the instances from the portal - it starts and works fine. Does any body has explanation?
UPDATE
During Application_Start I read some locally stored CSV-s, make some calls to Sql Azure and Azure Tables and run Castle Windsor Installers.

Resources