msdeploy causes error: Failed to download package. System.Net.WebException: The remote server returned an error: (403) Forbidden.

Siegfried Heintze 1,861 Reputation points
2024-05-30T22:57:17.7133333+00:00

I'm following these instructions: https://github.com/Azure-Samples/function-app-arm-templates/blob/main/zip-deploy-arm-az-cli/README.md#steps

I have a simple "hello world" C# http triggered windows azure function (https://github.com/siegfried01/zipdeployhttpfunc/blob/master/zipdeployhttpfunc.cs) deployed to the app service and I can verify that it is working with the "curl" utility.

Since I was getting errors using zipdeploy I'm now trying msdeploy and I'm getting similar errors (in both cases it is a 403 but in the case of msdeploy the stack trace is much bigger).

As a result of initially deploying using Visual Studio 2022 (Preview) WEBSITE_RUN_FROM_PACKAGE is set to "1" which is required for zipdeploy.

I have embedded my powershell script fragments in the comments of my bicep file. I initially deployed my function using Visual Studio and the updated the "built at" timestamp (in the C# source code) and executed steps 3-13. The purpose of steps 4-7 is to prove that I am correctly creating a zip file that works and can be deployed and indeed, after executing step 7 I could confirm with "curl" that the function was working correctly.

When step 12 failed I abandoned passing parameters and hard coded the SAS URI and function name in the bicep code and tried again in step 13 because I was worried that I was not passing my parameters correctly.

See step 13: https://github.com/siegfried01/zipdeployhttpfunc/blob/master/infrastructure/deploy-UpdateFunctionZipDeploy.bicep#L126

Since Step 12 produced similar errors as Step 13 (hard to tell with such a large stack trace) I'm thinking that maybe I passed the parameters correctly after all.

I also received similar errors when initially using zipdeploy instead of msdeploy.

See the full stack trace here: https://github.com/siegfried01/zipdeployhttpfunc/blob/master/infrastructure/deploy-UpdateFunctionZipDeploy.bicep#L132

Also, I was getting errors when trying to generate the SAS URI when using the name "package.zi"p as per the instructions (see https://github.com/siegfried01/zipdeployhttpfunc/blob/master/infrastructure/deploy-UpdateFunctionZipDeploy.bicep#L118). So I changed it to package_zip when I uploaded the blob (https://github.com/siegfried01/zipdeployhttpfunc/blob/master/infrastructure/deploy-UpdateFunctionZipDeploy.bicep#L110) as well as when I generated the SAS URI. Is this a problem? Is there something special about the name "package.zip"?

Please help me deploy my function using zipdeploy or msdeploy.

Thanks

Siegfried

P.S. I'm to try to remember to create a new branch so I don't mess up the line numbers the next time I push.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,481 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Anushka 320 Reputation points
    2024-05-31T05:28:30.54+00:00

    Hello Siegfried Heintze, Hope you're having a good day.

    It sounds like you're running into issues with both msdeploy and zipdeploy when deploying your Azure Function. The error message you're seeing, "The remote server returned an error: (403) Forbidden," typically indicates a permissions issue.

    Here's a step-by-step approach to troubleshoot and resolve the issue:

    1. Verify Permissions

    Ensure that the account or service principal you're using to deploy has the necessary permissions to access the Azure App Service and the storage account where the zip file is stored.

    1. Check the SAS URI
    • Ensure that the SAS token you're using has the correct permissions (read, write, list) and hasn't expired.
    • Double-check the URI format. The SAS token should be appended correctly to the blob URL.
    1. Validate WEBSITE_RUN_FROM_PACKAGE

    Since WEBSITE_RUN_FROM_PACKAGE is set to "1", Azure expects the package to be correctly uploaded and accessible. This setting is essential for zip deployment.

    1. Naming Convention

    The name package.zip should not inherently cause issues. However, ensure consistency in naming to avoid any potential problems.

    1. Review Deployment Steps

    Here’s a refined outline of the deployment process using PowerShell, assuming your environment is correctly set up and you have the necessary permissions:

    Step 1: Create a ZIP Package

    Ensure your ZIP package is correctly created:

    Compress-Archive -Path .\zipdeployhttpfunc\* -DestinationPath .\package.zip
    

    Step 2: Upload the ZIP Package to Blob Storage

    Upload the ZIP package to your storage account and generate a SAS URI:

    # Variables
    $resourceGroupName = "yourResourceGroupName"
    $storageAccountName = "yourStorageAccountName"
    $containerName = "yourContainerName"
    $blobName = "package.zip"
    $localFilePath = ".\package.zip"
    # Upload the file
    az storage blob upload --account-name $storageAccountName --container-name $containerName --file $localFilePath --name $blobName
    # Generate SAS URI
    $sasUri = az storage blob generate-sas --account-name $storageAccountName --container-name $containerName --name $blobName --permissions r --expiry <expiryDate> --https-only --output tsv
    

    Step 3: Deploy using MSDeploy

    Use MSDeploy to deploy your function:

    $publishUrl = "https://<yourappname>.scm.azurewebsites.net/msdeploy.axd?site=<yourappname>"
    $zipPath = "<path_to_your_package.zip>"
    $deployUser = "<your_publish_profile_username>"
    $deployPassword = "<your_publish_profile_password>"
    & "C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe" -verb:sync -source:package="$zipPath" -dest:auto,computerName="$publishUrl",userName="$deployUser",password="$deployPassword",authtype="Basic"
    
    1. Debugging 403 Errors

    If you still encounter 403 errors, here are some specific checks:

    • Access Control: Ensure the App Service has proper access to the storage account.
    • Network Security: Check if there are any network security rules or firewalls blocking the request.
    • Authentication: Confirm the credentials are correct and the user has the necessary roles assigned in Azure (e.g., Contributor or Owner).

    By following these steps, you should be able to diagnose and resolve the issue. If the problem persists, consider providing additional logs or detailed error messages for further assistance. I hope this can solve your problem. Have a nice day!