This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 55.00000000000001%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
My c# .net core 5 application running in azure container environment as azure container app with azure file mounted as a persistent volume suddenly started to throw UnauthorizedAccessException (see below).
It was all working fine until recently. The azure file is setup in read/write access mode and mounts to the container without any issue. The application reads from the volume but when it tries to write only the file is created and then the exception is thrown.
System.UnauthorizedAccessException: Access to the path '/app/Card/IMPORTINTERNATIONAL/EXP_3_20231129_1.XML' is denied.
---> System.IO.IOException: Permission denied
--- End of inner exception stack trace ---
at System.IO.FileStream.WriteNative(ReadOnlySpan`1 source)
at System.IO.FileStream.FlushWriteBuffer()
at System.IO.FileStream.Dispose(Boolean disposing)
at System.IO.Stream.Close()
at System.IO.StreamWriter.CloseStreamFromDispose(Boolean disposing)
at System.IO.StreamWriter.Dispose(Boolean disposing)
at System.IO.TextWriter.Dispose()
at PCES.CardService.Web.Controllers.QPCController.<>c__DisplayClass25_0.
The issue has been resolved by changing the file create/update with the following code:
new FileStream(filename, FileMode.OpenOrCreate, FileAccess.Write, FileShare.None)
The problem was probably coming from the CIFS mount implementation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 87%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
@Dejan Gjorgjevik Thanks for sharing the details of what worked. Glad to hear that the issue is resolved!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 94%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
We had the same problem.
This did not work: new FileStream(filename, FileMode.OpenOrCreate, FileAccess.Write, FileShare.Read)
This did: new FileStream(filename, FileMode.OpenOrCreate, FileAccess.Write, FileShare.None)
I do not understand why a more strict FileShare policy removes the problem. Here's the FileShare code:
public enum FileShare
{
// No sharing. Any request to open the file (by this process or another
// process) will fail until the file is closed.
None = 0,
// Allows subsequent opening of the file for reading. If this flag is not
// specified, any request to open the file for reading (by this process or
// another process) will fail until the file is closed.
Read = 1,
// ...
}
Code: https://github.com/microsoft/referencesource/blob/master/mscorlib/system/io/fileshare.cs
Hello @Dejan Gjorgjevik - Regarding the below:
The azure file is setup in read/write access mode and mounts to the container without any issue.
Could you elaborate on how it was done? Based on our docs, as far as ACA & Azure Files are concerned for the permission side of things, all that's needed seems to be the following command:
az containerapp env storage set --name my-env --resource-group my-group \
--storage-name mystorage \
--azure-file-account-name <STORAGE_ACCOUNT_NAME> \
--azure-file-account-key <STORAGE_ACCOUNT_KEY> \
--azure-file-share-name <STORAGE_SHARE_NAME> \
--access-mode ReadWrite
This error you're hitting is from the application not having the write permission so please verify that you've run the above, especially given how Read operations are working fine. The following CLI command should show details of your current config:
az containerapp env storage show --name
--resource-group
--storage-name
Also, could you provide more context on whether your app had worked fine as-is and then started throwing this error? or changes were made and the application started throwing this error?
I look forward to your reply.
Dear Mike,
thanks a lot for your instructions/queries. The storage was set using the UI and not the CLI but with those parameters of course.
The application worked as-is till few days ago but just suddenly started to throw that exception on write operations recently. No changes were done on the application nor on the storage.
The result from the CLI command:
az containerapp env storage show --name
--resource-group
--storage-name
{
"id": "/subscriptions/ae8e4fd2-7beb-439b-98f8-38ce6a8df8e5/resourceGroups/PCES-PROD-Baobab-RG/providers/Microsoft.App/managedEnvironments/PCES-PROD-ACA-Baobab/storages/card",
"name": "card",
"properties": {
"azureFile": {
"accessMode": "ReadWrite",
"accountName": "pcesprodbaobabsa",
"shareName": "card"
}
},
"resourceGroup": "PCES-PROD-Baobab-RG",
"type": "Microsoft.App/managedenvironments/storages"
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 13%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
I have a similar issue: I can connect the container with an Azure storage share, but as soon as I run chmod on the mounted container directory, I get Operation not permitted.
After examining the file share connector with
az containerapp env storage show --name <container_env_name>
--resource-group <ressource_group_name>
--storage-name <share_name_connection>
I get:
{
"id": "/subscriptions/***/resourceGroups/***/providers/Microsoft.App/managedEnvironments/***/storages/***",
"name": "***",
"properties": {
"azureFile": {
"accessMode": "ReadWrite",
"accountName": "***",
"shareName": "***"
}
},
"resourceGroup": "***",
"type": "Microsoft.App/managedenvironments/storages"
}
Issue resolved by using the following approach:
new FileStream(filename, FileMode.OpenOrCreate, FileAccess.Write, FileShare.None)
Now the application works as it was working before. The reason is probably due to CIFS mount.
Ok - my error is different. It’s caused by the container, I’m trying to deploy, which wants to change owner of the volume mount:
```dockerfile
/bin/sh -c mkdir -p "$VOLUME" && chown -R appuser:appuser "$VOLUME" && chmod 1777 "$VOLUME"
So this one still doesn’t work - and not much I can do about it, other than not using Azure container apps. 😢
Hi @Arnold Knott - Since the issue that you're experiencing may be of a different root cause, please consider opening a separate post.