Description
Opened on Jun 20, 2023
Describe the bug
- The self-hosted runner is in a VNet; the VNet has no peering and is not linked to any private DNS zones.
- The App Service has a private endpoint and public access enabled. The staging slot does not have a private endpoint, but its public access is disabled.
- The az CLI runs in the self-hosted runner with Managed System Identity (MSI) authentication and a Contributor role on the resources.
- The az CLI can deploy to the staging slot, which has public access disabled. It should not.
- The az CLI has access to the OpenAPI JSON file at the `/openapi/v3.json` endpoint, but it should not, because public access is disabled.
When we use GitHub-hosted runners with OIDC authentication and the same Contributor role on the resources:
- We had to open up the SCM endpoint for the staging slot to be able to deploy to it, or we get a 403 Forbidden error.
- Accessing the same `openapi/v3.json` returns 403 IP Forbidden.
We understand why the GitHub-hosted runners with OIDC authentication get rejected, but we are puzzled why the self-hosted runners with MSI work, because the runner's VNet has no relationship to the App Service.
Related command
Deploy to function staging slot:
```shell
az functionapp deployment source config-zip \
  -n myfunctionname \
  -g myfunctionresourcegroupname \
  --slot staging \
  --src ./release.zip \
  --subscription mysubscription
```
Import to APIM:
```shell
az apim api import --service-name myapimname \
  --resource-group myapimresourcegroupname \
  --subscription myapimsubscriptionid --api-id api-my-service-name \
  --path /dev/my-service \
  --display-name api-my-service-name \
  --specification-format OpenApi --subscription-required false \
  --specification-url https://myappservicename.azurewebsites.net/my-service-path/openapi/v3.json
```
Errors
With the self-hosted runner, no errors.
With the GitHub runner and OIDC authentication, we got errors:
Error when importing into APIM:
Failed to import from specified resource https://myservicename.azurewebsites.net/my-service/openapi/v3.json: Response status code does not indicate success: 403 (Ip Forbidden).
Error when deploying to the staging slot:
Error 403 - Forbidden
The web app you have attempted to reach has blocked your access.
Issue script & Debug output
Same as the errors above.
Expected behavior
The self-hosted runner should not have access to an App Service with public access disabled.
Or, GitHub runners with OIDC should behave the same way as the self-hosted runner.
Environment Summary
azure-cli 2.37.0
Ubuntu Linux 22.04.2
Additional context
No response
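As an added example (not azure-cli's own code), the configuration check a reviewer would run over each site and slot described under "Describe the bug" before trusting or distrusting a 403: it reads JSON shaped like the output of `az functionapp show [--slot staging]` and flags the two shapes in this report, a main site with public access enabled and a slot with public access disabled but no private endpoint. The field names `publicNetworkAccess`, `privateEndpointConnections` and `siteConfig.scmIpSecurityRestrictions*` are assumed to match the current API, and the sample documents are constructed.

```python
import json

# Constructed samples shaped like `az functionapp show [--slot staging]` output
# (the field names are an assumption here, not taken from the report).
STAGING_SLOT_JSON = json.dumps({
    "name": "myfunctionname/staging",
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [],
    "siteConfig": {
        "scmIpSecurityRestrictionsUseMain": False,
        "scmIpSecurityRestrictions": [
            {"ipAddress": "Any", "action": "Allow", "name": "Allow all"}],
    },
})
PRODUCTION_JSON = json.dumps({
    "name": "myfunctionname",
    "publicNetworkAccess": "Enabled",
    "privateEndpointConnections": [{"name": "pe-myfunction"}],
    "siteConfig": {"scmIpSecurityRestrictionsUseMain": True},
})


def audit_site(site_json: str) -> list[str]:
    """Return findings for one site or slot; an empty list means nothing to flag."""
    site = json.loads(site_json)
    cfg = site.get("siteConfig") or {}
    findings = []

    public = site.get("publicNetworkAccess", "Enabled")  # absent means Enabled
    has_pe = bool(site.get("privateEndpointConnections"))
    if public != "Disabled":
        findings.append("public network access is Enabled")
    elif not has_pe:
        # The staging-slot shape from the report: nothing outside should reach
        # it, so a successful deploy or HTTP fetch from a runner is a bypass.
        findings.append("public access Disabled and no private endpoint: "
                        "any deploy or HTTP reach from outside is a bypass")

    # The SCM (Kudu) site used by `config-zip` keeps its own rule list unless
    # it is told to inherit the main site's rules.
    if not cfg.get("scmIpSecurityRestrictionsUseMain", False):
        rules = cfg.get("scmIpSecurityRestrictions") or []
        allow_any = not rules or any(
            r.get("action") == "Allow" and r.get("ipAddress") == "Any" for r in rules)
        if allow_any:
            findings.append("SCM site has its own rules and allows Any")
    return findings
```

Run `audit_site()` over the `az ... show` JSON of the main site and of every slot; a slot that comes back with the "no private endpoint" finding is one where any successful deployment from outside the VNet warrants a support ticket like this one.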