Error: The client does not have authorization to perform action 'Microsoft.Web/sites/config/list/action'

Jeff Bowman 106 Reputation points
2023-07-10T00:58:45.36+00:00

I'm getting an error message when trying to run a WebJob:

The client does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/sites/[redacted]/config/publishingcredentials'

Based on this information, how do I determine which role to add, and where?

Note: I do NOT want to grant Contributor access to my registered application. I consider that to be a sloppy approach to security; I prefer the 'least privilege' rule in these matters.

My question is about how to translate the information from the error message (i.e. "action 'Microsoft.Web/sites/config/list/action'") into the actual IAM permissions I must grant to my application.

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Luke Murray 11,076 Reputation points MVP
    2023-07-10T01:31:58.9833333+00:00

    Hi, Jeff

    You can take that error message, then reference: Azure built-in roles

    What I usually do is a Find (Ctrl+F) on the page for the permission. For example, if we take a look at:

    • Microsoft.Web/sites/config/list/action

    There is nothing there, so let's go back to:

    • Microsoft.Web/sites/config/list

    There's nothing, up until:

    Microsoft.Web/sites/* Create and manage websites (site creation also requires write permissions to the associated App Service Plan)

    The wildcard (*) represents everything underneath, including list and action/write etc.

    In this example the rights are: Website Contributor.

    You could either give the user Website Contributor rights, or create your own custom role, with the specific permission that they need.

    2 people found this answer helpful.

1 additional answer

  1. Rajesh Swarnkar 851 Reputation points
    2023-09-25T10:54:22.3266667+00:00

    @Luke Murray

    An even cooler place to get the list of RBAC actions is by going to 'Azure resource provider operations' and searching for the action.

    And even cooler is to use Azure PowerShell:

    Get-AzProviderOperation Microsoft.Web/sites/config/*
    

    I love the PowerShell way!

    1 person found this answer helpful.
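
The wildcard lookup described in the answers above, done in PowerShell instead of Ctrl+F (an added example, not code from either answer). `Find-RoleGrantingAction`, the sample role objects and the two "Hypothetical" role names are constructed for illustration; against a real subscription, pipe the output of `Get-AzRoleDefinition` into the function instead of `$samples`.

```powershell
function Find-RoleGrantingAction {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Action,
        [Parameter(Mandatory, ValueFromPipeline)] $RoleDefinition
    )
    process {
        # Each Actions/NotActions entry is a wildcard pattern, e.g. 'Microsoft.Web/sites/*'.
        # The required action goes on the left of -like, the role's pattern on the right.
        $allow = @($RoleDefinition.Actions    | Where-Object { $Action -like $_ })
        $deny  = @($RoleDefinition.NotActions | Where-Object { $Action -like $_ })

        # A role grants the action only if an Actions entry matches
        # and no NotActions entry takes it away again.
        if ($allow.Count -gt 0 -and $deny.Count -eq 0) {
            [pscustomobject]@{
                Role      = $RoleDefinition.Name
                MatchedBy = $allow -join ', '
                Exact     = $allow -contains $Action   # true = no wildcard needed
            }
        }
    }
}

# Constructed, trimmed sample definitions so the example runs offline.
# The shape (Name, Actions, NotActions) mirrors what Get-AzRoleDefinition returns.
$samples = @(
    [pscustomobject]@{ Name = 'Reader'
                       Actions = @('*/read'); NotActions = @() }
    [pscustomobject]@{ Name = 'Website Contributor'
                       Actions = @('Microsoft.Web/sites/*'); NotActions = @() }
    [pscustomobject]@{ Name = 'Hypothetical: sites minus config list'
                       Actions = @('Microsoft.Web/sites/*')
                       NotActions = @('Microsoft.Web/sites/config/list/action') }
    [pscustomobject]@{ Name = 'Hypothetical: WebJob config reader'
                       Actions = @('Microsoft.Web/sites/config/list/action'); NotActions = @() }
)

# The action string is copied from the error message in the question.
$samples | Find-RoleGrantingAction -Action 'Microsoft.Web/sites/config/list/action'
```

On the sample data this returns Website Contributor (matched through the wildcard) and the hypothetical single-action role (exact match); Reader is skipped because `*/read` does not cover an action ending in `/action`, and the third role is skipped because its NotActions entry removes the permission.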