CI/CD : GitHub => Azure Function App fails to deploy

Question

CI/CD : GitHub => Azure Function App fails to deploy

Ivan.L 5

Failed to load Function app (function1), the client '00000a7-1be7-41a4-840c-8815cc79c000' with object id '00000a7-1be7-41a4-840c-8815cc79c000' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/***/resourceGroups/function1/providers/Microsoft.Web/sites/resourceGroup1' or the scope is invalid. If access was recently granted, please refresh your credentials.

User (managed identity) 00000a7-1be7-41a4-840c-8815cc79c000 has the Contributor and Web Contributor roles assigned for the resource resourceGroup1

I went through all configurations and can not figure out why it is failing. GitHub agents can log in and do other things but can not deploy the function.

I can run the same script locally, authenticate with my credentials and deploy the function.

So the problem is with permissions assigned to user 00000a7-1be7-41a4-840c-8815cc79c000

Any help is appreciated!

Harshitha Veeramalla 1,306 Reputation points Microsoft External Staff Moderator

2025-03-28T11:23:13.8666667+00:00

Hi Ivan.L, what does your deployment logs show in GitHub? You need to assign Azure roles to your application as well, please refer this MSDoc.
Ivan.L 5 Reputation points

2025-03-30T18:45:58.3266667+00:00

Sorry got busy.

Straight from GitHub (just sanitized)

Caused by: com.azure.core.management.exception.ManagementException: Status code 403, "{"error":{"code":"AuthorizationFailed","message":"The client '000007a7-1be7-41a4-840c-8815cc79c000' with object id '0000a7-1be7-41a4-840c-8815cc79c000' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/***/resourceGroups/pp-data-import/providers/Microsoft.Web/sites/import-functions' or the scope is invalid. If access was recently granted, please refresh your credentials."}}": The client '000007a7-1be7-41a4-840c-8815cc79c000' with object id '000007a7-1be7-41a4-840c-8815cc79c000' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/***/resourceGroups/pp-data-import/providers/Microsoft.Web/sites/import-functions' or the scope is invalid. If access was recently granted, please refresh your credentials.

I will go through the doc and will update if I find anything.
Ivan.L 5 Reputation points

2025-03-31T20:56:45.9566667+00:00

I have deleted the application and created a new one, which resolved the issue.

Still do not know what it was, but now it is working with the same user.

1 answer

Your answer

Harshitha Veeramalla 1,306 Reputation points Microsoft External Staff Moderator

2025-03-28T11:23:13.8666667+00:00

Hi Ivan.L, what does your deployment logs show in GitHub? You need to assign Azure roles to your application as well, please refer this MSDoc.
Ivan.L 5 Reputation points

2025-03-30T18:45:58.3266667+00:00

Sorry got busy.

Straight from GitHub (just sanitized)

Caused by: com.azure.core.management.exception.ManagementException: Status code 403, "{"error":{"code":"AuthorizationFailed","message":"The client '000007a7-1be7-41a4-840c-8815cc79c000' with object id '0000a7-1be7-41a4-840c-8815cc79c000' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/***/resourceGroups/pp-data-import/providers/Microsoft.Web/sites/import-functions' or the scope is invalid. If access was recently granted, please refresh your credentials."}}": The client '000007a7-1be7-41a4-840c-8815cc79c000' with object id '000007a7-1be7-41a4-840c-8815cc79c000' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/***/resourceGroups/pp-data-import/providers/Microsoft.Web/sites/import-functions' or the scope is invalid. If access was recently granted, please refresh your credentials.

I will go through the doc and will update if I find anything.
Ivan.L 5 Reputation points

2025-03-31T20:56:45.9566667+00:00

I have deleted the application and created a new one, which resolved the issue.

Still do not know what it was, but now it is working with the same user.

Answer 1

Hi @Ivan.L

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue:

Azure Function App fails to deploy using CI/CD: GitHub

Solution:

Deleting and recreating the Function App fixed the issue.

Creating new app resets the IAM settings and may result in prompting to assign the roles again.

And also new app creates a new Identity binding which might have helped to resolve the issue.

You can check the role assignments using the Azure CLI

 az role assignment list --assignee ManagedIdentyClientID --all

Please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

Share via

CI/CD : GitHub => Azure Function App fails to deploy

1 answer

Your answer