msdeploy causes error: Failed to download package. System.Net.WebException: The remote server returned an error: (403) Forbidden.

Question

I'm following these instructions: https://github.com/Azure-Samples/function-app-arm-templates/blob/main/zip-deploy-arm-az-cli/README.md#steps

I have a simple "hello world" C# http triggered windows azure function (https://github.com/siegfried01/zipdeployhttpfunc/blob/master/zipdeployhttpfunc.cs) deployed to the app service and I can verify that it is working with the "curl" utility.

Since I was getting errors using zipdeploy I'm now trying msdeploy and I'm getting similar errors (in both cases it is a 403 but in the case of msdeploy the stack trace is much bigger).

As a result of initially deploying using Visual Studio 2022 (Preview) WEBSITE_RUN_FROM_PACKAGE is set to "1" which is required for zipdeploy.

I have embedded my powershell script fragments in the comments of my bicep file. I initially deployed my function using Visual Studio and the updated the "built at" timestamp (in the C# source code) and executed steps 3-13. The purpose of steps 4-7 is to prove that I am correctly creating a zip file that works and can be deployed and indeed, after executing step 7 I could confirm with "curl" that the function was working correctly.

When step 12 failed I abandoned passing parameters and hard coded the SAS URI and function name in the bicep code and tried again in step 13 because I was worried that I was not passing my parameters correctly.

See step 13: https://github.com/siegfried01/zipdeployhttpfunc/blob/master/infrastructure/deploy-UpdateFunctionZipDeploy.bicep#L126

Since Step 12 produced similar errors as Step 13 (hard to tell with such a large stack trace) I'm thinking that maybe I passed the parameters correctly after all.

I also received similar errors when initially using zipdeploy instead of msdeploy.

See the full stack trace here: https://github.com/siegfried01/zipdeployhttpfunc/blob/master/infrastructure/deploy-UpdateFunctionZipDeploy.bicep#L132

Also, I was getting errors when trying to generate the SAS URI when using the name "package.zi"p as per the instructions (see https://github.com/siegfried01/zipdeployhttpfunc/blob/master/infrastructure/deploy-UpdateFunctionZipDeploy.bicep#L118). So I changed it to package_zip when I uploaded the blob (https://github.com/siegfried01/zipdeployhttpfunc/blob/master/infrastructure/deploy-UpdateFunctionZipDeploy.bicep#L110) as well as when I generated the SAS URI. Is this a problem? Is there something special about the name "package.zip"?

Please help me deploy my function using zipdeploy or msdeploy.

Thanks

Siegfried

P.S. I'm to try to remember to create a new branch so I don't mess up the line numbers the next time I push.

Answer 1

Hello Siegfried Heintze, Hope you're having a good day.

It sounds like you're running into issues with both msdeploy and zipdeploy when deploying your Azure Function. The error message you're seeing, "The remote server returned an error: (403) Forbidden," typically indicates a permissions issue.

Here's a step-by-step approach to troubleshoot and resolve the issue:

1. Verify Permissions

Ensure that the account or service principal you're using to deploy has the necessary permissions to access the Azure App Service and the storage account where the zip file is stored.

2. Check the SAS URI

• Ensure that the SAS token you're using has the correct permissions (read, write, list) and hasn't expired.
• Double-check the URI format. The SAS token should be appended correctly to the blob URL.

3. Validate WEBSITE_RUN_FROM_PACKAGE

Since WEBSITE_RUN_FROM_PACKAGE is set to "1", Azure expects the package to be correctly uploaded and accessible. This setting is essential for zip deployment.

4. Naming Convention

The name package.zip should not inherently cause issues. However, ensure consistency in naming to avoid any potential problems.

5. Review Deployment Steps

Here’s a refined outline of the deployment process using PowerShell, assuming your environment is correctly set up and you have the necessary permissions:

Step 1: Create a ZIP Package

Ensure your ZIP package is correctly created:

Compress-Archive -Path .\zipdeployhttpfunc\* -DestinationPath .\package.zip

Step 2: Upload the ZIP Package to Blob Storage

Upload the ZIP package to your storage account and generate a SAS URI:

# Variables
$resourceGroupName = "yourResourceGroupName"
$storageAccountName = "yourStorageAccountName"
$containerName = "yourContainerName"
$blobName = "package.zip"
$localFilePath = ".\package.zip"
# Upload the file
az storage blob upload --account-name $storageAccountName --container-name $containerName --file $localFilePath --name $blobName
# Generate SAS URI
$sasUri = az storage blob generate-sas --account-name $storageAccountName --container-name $containerName --name $blobName --permissions r --expiry <expiryDate> --https-only --output tsv

Step 3: Deploy using MSDeploy

Use MSDeploy to deploy your function:

$publishUrl = "https://<yourappname>.scm.azurewebsites.net/msdeploy.axd?site=<yourappname>"
$zipPath = "<path_to_your_package.zip>"
$deployUser = "<your_publish_profile_username>"
$deployPassword = "<your_publish_profile_password>"
& "C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe" -verb:sync -source:package="$zipPath" -dest:auto,computerName="$publishUrl",userName="$deployUser",password="$deployPassword",authtype="Basic"

6. Debugging 403 Errors

If you still encounter 403 errors, here are some specific checks:

• Access Control: Ensure the App Service has proper access to the storage account.
• Network Security: Check if there are any network security rules or firewalls blocking the request.
• Authentication: Confirm the credentials are correct and the user has the necessary roles assigned in Azure (e.g., Contributor or Owner).

By following these steps, you should be able to diagnose and resolve the issue. If the problem persists, consider providing additional logs or detailed error messages for further assistance. I hope this can solve your problem. Have a nice day!