Saturday, 13 February 2021

Resolving 409 Access Denied in Azure Kudu and App Service Editor

Sometimes you may need to edit files especially the web.config or appsettings.json files after deploying your application to Azure App Service via Kudu or using App Service Editor to change the setting for diagnostic purposes etc. For example, may be you want to enable logs by setting stdoutLogEnabled to true. However, if your application is deployed to Azure App Service via Azure DevOps pipelines’ Azure App Service deployment task, you may run into 409 Access Denied error. Let’s understand why the error occurs and how we can enable editing the files, in your deployed Azure App Service application/Function apps via Kudu or using App Service Editor.



The reason for the issue is that the Azure App Service deployment task is deploying the application to Azure App Service in Run from Package deployment method (). Run from package is beneficial for performance and several other benefits as described in documentation here. Therefore, you should be using the run from package deployment as much as possible.

However, to solve the edit access denied you can temporary disable run from package by changing the appsetting WEBSITE_RUN_FROM_PACKAGE value to 0 in Azure App Service/Function Apps configurations. Once your editing done and your diagnosing tasks are completed you can set it back to 1. However, remember the changes you make while the WEBSITE_RUN_FROM_PACKAGE is 0 will not be preservice once you set it to WEBSITE_RUN_FROM_PACKAGE back to 1. It will only use originally deployed file package files.


If you want to control this at the deployment pipeline you can do so by setting the advance deployment properties in Azure DevOps App Service Deployment task additional deployment options. Three settings available as Web Deploy, Zip Deploy and Run from Package.

In YAML, you can set the settings DeploymentType as follows with value webDeploy, zipDeploy or runFromZip.

- task: AzureRmWebAppDeployment@4
  inputs:
    ConnectionType: 'AzureRM'
    appType: 'webApp'
    WebAppName:
    packageForLinux: '$(System.DefaultWorkingDirectory)/**/*.zip'
    enableCustomDeployment: true
    DeploymentType: 'runFromZip'

Even though you can change it in pipeline level in case if you are saving files while executing the app in the web app (this is not good as well you should be using a blob storage for storing files), it is recommended to deploy as run from package if you are deploying your code to run on Azure App Service/Function App, considering the benefits it offers.

No comments:

Popular Posts