2

Based on this Dockerfile I'm running Azure Functions runtime inside a Windows container.

I want to bring my own secrets. So I add my own host.json into the runtime\secrets folder and set the storage type to files:

host_secret.json:

{
  "masterKey": {
    "name": "master",
    "value": "***fancy-code-for-host-admin-and-keys-api***",
    "encrypted": false
  },
  "functionKeys": [
    {
      "name": "default",
      "value": "***fancy-code-for-functions***",
      "encrypted": false
    }
  ]
}

Dockerfile:

....
ADD host_secret.json C:\\runtime\\Secrets\\host.json
ENV AzureWebJobsSecretStorageType=files
....

When starting the container and the function app, it does not respond and shows

Function host is not running.

Checking the logs, I find

System.UnauthorizedAccessException : Access to the path 'C:\runtime\Secrets\host.json' is denied

Kai Walter

1 Answer

3

The container is running as ContainerUser and hence this user needs access to this file.

ADD host_secret.json C:\\runtime\\Secrets\\host.json

USER ContainerAdministrator
RUN icacls "c:\runtime\secrets" /t /grant Users:M
USER ContainerUser

ENV AzureWebJobsSecretStorageType=files

This grants modify access rights to Users inside the container, a group ContainerUser is a member of.

Kai Walter
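
An added example, not part of the original question or answer: a build-time helper in Python that generates a host_secret.json in the shape shown in the question and rejects placeholder, short, or reused key values before the file is copied into the image. The function names, the 32-character minimum, and the use of URL-safe random strings as key values are assumptions of this example.

```python
import json
import secrets

MIN_KEY_CHARS = 32  # assumed threshold for this check, not a runtime rule


def new_key(name):
    """One key entry in the shape host_secret.json uses on this page."""
    return {"name": name, "value": secrets.token_urlsafe(32), "encrypted": False}


def build_host_secrets(function_key_names=("default",)):
    """Secrets document with a fresh random value for every key."""
    return {
        "masterKey": new_key("master"),
        "functionKeys": [new_key(n) for n in function_key_names],
    }


def lint_host_secrets(doc):
    """Return a list of problems; an empty list means the file passed."""
    problems = []
    entries = [("masterKey", doc.get("masterKey"))]
    for i, key in enumerate(doc.get("functionKeys") or []):
        entries.append((f"functionKeys[{i}]", key))
    seen_names, seen_values = set(), set()
    for where, key in entries:
        if not isinstance(key, dict):
            problems.append(f"{where}: missing or not an object")
            continue
        name, value = key.get("name"), key.get("value")
        if not isinstance(name, str) or not name:
            problems.append(f"{where}: missing name")
        elif where != "masterKey":
            if name in seen_names:
                problems.append(f"{where}: duplicate name {name!r}")
            seen_names.add(name)
        if not isinstance(value, str) or len(value) < MIN_KEY_CHARS:
            problems.append(f"{where}: value shorter than {MIN_KEY_CHARS} characters")
        elif value.startswith("***") or value in seen_values:
            problems.append(f"{where}: placeholder or reused value")
        else:
            seen_values.add(value)
        if not isinstance(key.get("encrypted"), bool):
            problems.append(f"{where}: encrypted must be true or false")
    return problems


if __name__ == "__main__":
    print(json.dumps(build_host_secrets(), indent=2))
```

Run as a script, it prints a fresh document that can be redirected to host_secret.json; `lint_host_secrets` can gate the image build on an existing file.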