I recently ran into a problem uploading to an Azure Storage Queue from an Azure App Services web app. The problem began when I moved the web app from one subscription to another. After the move, I received a (403) Forbidden message when attempting to write to a queue. The storage account for the queue did not move and other deployments of this app were still able to write to it. If I ran it locally, from my computer, it worked.
After trying multiple different combinations of storage locations, connection strings, Nuget package versions, etc. I decided to create a new App Service this time back in the original subscription. I deployed the web app to this new App Service, and it worked. This made me think about Resource Providers.
So, I checked the registered resource providers in both subscriptions, and noticed that the original subscription had over a dozen more resource providers enabled, than the subscription I was moving to App Service to. I started going down the list and registering the ones, that looked like they might play a role in this issue.
Solution
After I registered Microsoft.ServiceBus provider, the request worked and the web app was able to write to the queue once again. The other two providers I enabled before the Microsoft.ServiceBus were Microsoft.ApiManagement and Microsoft.AppService. I’m not sure it was just the Microsoft.ServiceBus or a combination of the three, but it is working now!
Below is a list of things I tried prior to enabling the Resource Providers. These are thing you might want to consider as well, if you run into a similar situation.
- Confirmed the storage name and key are correct.
- Created a new storage account in the same subscription
- Updated the Microsoft.WindowsAzure.Storage package to the latest version
- Confirmed that the web.config is being updated on publish
- Logged the connection string and ensured it was passing the right value
- Confirmed that the time on the App Service server is correct
- Set the time zone on the App Service to Central Standard Time. (The storage account is in South Central US)
Also, I have included a sample script below that you can use to compare the resource providers between two different subscriptions. It will output the providers names, which you can then use with the Register-AzureRmResourceProvider cmdlet to quickly enable in your new subscription.
$creds = Get-Credential
$sourceSubscription = 'GUID of the source subscription'
$destinationSubscription = 'GUID of the destination subscription'
# Get the resource providers from the source subscription
Add-AzureRmAccount -Credential $creds -SubscriptionId $sourceSubscription
$source = Get-AzureRmResourceProvider
# Get the resource providers from the source subscription
Add-AzureRmAccount -Credential $creds -SubscriptionId $destinationSubscription
$destination = Get-AzureRmResourceProvider
# Check each enabled resource providers from the source against the destination
Foreach($resource in $source)
{
# Check if the resource is enabled in the destination and display if not
if(!($destination | ?{$_.ProviderNamespace -eq $resource.ProviderNamespace}))
{
Write-Output $resource.ProviderNamespace
}
}