
Az Cli in Self Hosted Runner can access Api services with public access disabled #26714

Open

Description

Describe the bug

  1. The self-hosted runner is in a VNet; the VNet has no peering and is not linked to any private DNS zones.
  2. The app service has a private endpoint and public access enabled. The staging slot does not have a private endpoint, but public access is disabled.
  3. Az CLI is running in the self-hosted runner with Managed System Identity authentication, with a Contributor role on the resources.
  4. The az CLI can deploy to the staging slot, which has public access disabled. It should not.
  5. The az CLI has access to the OpenAPI JSON file at the /openapi/v3.json endpoint, but it should not, because public access is disabled.

When we use GitHub-hosted runners with OIDC authentication, with the same Contributor role on the resources:

  1. We had to open up the SCM endpoint for the staging slot to be able to deploy to the staging slot, or we get a 403 Forbidden error.
  2. Accessing the same openapi/v3.json returns 403 IP Forbidden.

We understand why the GitHub-hosted runners with OIDC authentication get rejected. But we are puzzled why the self-hosted runners with MSI work, because the runner's VNet has no relationship.

Related command

Deploy to function staging slot:

    az functionapp deployment source config-zip \
        -n myfunctionname \
        -g myfunctionresourcegroupname \
        --slot staging \
        --src ./release.zip \
        --subscription mysubscription

Import to APIM:

    az apim api import --service-name myapimname \
        --resource-group myapimresourcegroupname \
        --subscription myapimsubscriptionid --api-id api-my-service-name \
        --path /dev/my-service \
        --display-name api-my-service-name \
        --specification-format OpenApi --subscription-required false \
        --specification-url https://myappservicename.azurewebsites.net/my-service-path/openapi/v3.json

Errors

With the self-hosted runner, no errors.

With the GitHub runner and OIDC authentication, we got errors:

Error for importing APIM:

Failed to import from specified resource https://myservicename.azurewebsites.net/my-service/openapi/v3.json: Response status code does not indicate success: 403 (Ip Forbidden).

Error for deploying to staging slot:

Error 403 - Forbidden

The web app you have attempted to reach has blocked your access.

Issue script & Debug output

Same errors as above.

Expected behavior

The self-hosted runner should not have access to an app service with public access disabled.

Or, GitHub runners with OIDC should behave the same way as the self-hosted runner.

Environment Summary

azure-cli 2.37.0
Ubuntu Linux 22.04.2

Additional context

No response
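After reading the setup above, the check a practitioner would want is an audit of each site's and slot's ingress posture from the resource JSON itself, rather than from trial deployments. The following Python helper is an added example, not code from the issue or from azure-cli. It assumes each site or slot was exported with `az resource show --ids <resource-id> -o json` and that the export carries the Microsoft.Web properties `publicNetworkAccess`, `privateEndpointConnections`, `siteConfig.ipSecurityRestrictions` and `siteConfig.scmIpSecurityRestrictionsUseMain` (property names are assumptions); the sample data is constructed to mirror the production site and staging slot described in the report.

```python
"""Audit App Service / Function App sites and slots for ingress mismatches.

Added example, not from the issue or azure-cli. Input is a JSON array of
resources as exported by `az resource show --ids <id> -o json`; the
property names read below are assumed from the Microsoft.Web schema.
"""
import json
from typing import Any

# Constructed sample mirroring the report: the production site has a
# private endpoint but public access enabled; the staging slot has public
# access disabled and no private endpoint. Only audited fields are filled in.
SAMPLE_RESOURCES = json.dumps([
    {
        "name": "myappservicename",
        "type": "Microsoft.Web/sites",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "privateEndpointConnections": [{"name": "pe-myappservicename"}],
            "siteConfig": {
                "ipSecurityRestrictions": [
                    {"name": "Allow all", "action": "Allow", "ipAddress": "Any"}
                ],
                "scmIpSecurityRestrictionsUseMain": False,
            },
        },
    },
    {
        "name": "myappservicename/staging",
        "type": "Microsoft.Web/sites/slots",
        "properties": {
            "publicNetworkAccess": "Disabled",
            "privateEndpointConnections": [],
            "siteConfig": {
                "ipSecurityRestrictions": [
                    {"name": "Allow all", "action": "Allow", "ipAddress": "Any"}
                ],
                "scmIpSecurityRestrictionsUseMain": False,
            },
        },
    },
])


def _denies_all(rules: list[dict[str, Any]]) -> bool:
    """True if the access-restriction list contains an explicit deny-all rule."""
    return any(
        str(r.get("action", "Allow")).lower() == "deny" and r.get("ipAddress") == "Any"
        for r in rules
    )


def classify_site(site: dict[str, Any]) -> dict[str, Any]:
    """Summarise one site or slot's ingress posture and list inconsistencies."""
    props = site.get("properties") or {}
    public = props.get("publicNetworkAccess") or "Enabled"  # absent means enabled
    pe_count = len(props.get("privateEndpointConnections") or [])
    cfg = props.get("siteConfig") or {}
    main_rules = cfg.get("ipSecurityRestrictions") or []
    scm_follows_main = bool(cfg.get("scmIpSecurityRestrictionsUseMain"))

    findings: list[str] = []
    if public == "Disabled" and pe_count == 0:
        findings.append(
            "public access disabled and no private endpoint: no client should reach "
            "this site; a successful deploy or HTTP response means the restriction "
            "is not enforced the way you expect"
        )
    if public == "Enabled" and pe_count > 0 and not _denies_all(main_rules):
        findings.append(
            "private endpoint present but public ingress still allowed: the private "
            "endpoint adds a path, it does not remove the public one"
        )
    if _denies_all(main_rules) and not scm_follows_main:
        findings.append(
            "main site restricted but the SCM (deployment) site keeps its own rule "
            "list: verify scmIpSecurityRestrictions separately"
        )
    return {
        "name": site.get("name"),
        "type": site.get("type"),
        "publicNetworkAccess": public,
        "privateEndpoints": pe_count,
        "findings": findings,
    }


def audit(resources_json: str) -> list[dict[str, Any]]:
    """Run classify_site over a JSON array of site and slot resources."""
    return [classify_site(s) for s in json.loads(resources_json)]


if __name__ == "__main__":
    for row in audit(SAMPLE_RESOURCES):
        status = "OK" if not row["findings"] else "CHECK"
        print(f"{status:5} {row['name']}: public={row['publicNetworkAccess']} "
              f"privateEndpoints={row['privateEndpoints']}")
        for finding in row["findings"]:
            print(f"      - {finding}")
```

The helper flags both states from the report: a site with a private endpoint but public access still enabled, and a slot with public access disabled and no private endpoint, where no deploy or HTTP call should succeed at all. A successful deployment against a slot in the second state is the symptom worth raising with the service team, and the classification is independent of which runner or identity performed the call.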


Metadata

Labels

  - API Management: az apim
  - Auto-Assign: auto assign by bot
  - Auto-Resolve: auto resolve by bot
  - Functions: az functionapp
  - Service Attention: this issue is responsible by Azure service team.
  - bug: this issue requires a change to an existing behavior in the product in order to be resolved.
  - customer-reported: issues that are reported by GitHub users external to the Azure organization.
