scouty scouty - 26 days ago 6
Python Question

"Access to the path 'D:\\Windows\\system32\\file is denied" Azure Web App

I have a specific function that utilizes IronPython and inside the python code it is accessing the current directory and creating a temporary file. When it later tries to access that file based off the relative directory path it cant get it and I receive an error back from IronPython that states

"Access to the path 'D:\Windows\system32\file is denied"
('file' being the unique temp file created). This all works when I run VS locally as a administrator. If i'm running it locally not as a administrator I receive the same error. When I publish the application to a app service on Azure it gives me the
access denied
error.

Thank you very much ahead of time and let me know if you have any additional questions.

Answer Source

D:\Windows\system32\file is denied

It is as designed on the Azure WebApp. Azure Web Apps (as well as Mobile App/Services, WebJobs and Functions) run in a sandbox. Applications are highly restricted. If we want to get more info about WebApp, please refer to Azure Web App sandbox.

Home directory access (d:\home)

Every Azure Web App has a home directory stored/backed by Azure Storage. This network share is where applications store their content. This directory is available for the sandbox with read/write access.

As a convenience for our customers, the sandbox implements a dynamic symbolic link in kernel mode which maps d:\home to the customer home directory. This is done to remove the need of the customer to keep referencing their own network share path when accessing the site. No matter where the site runs, or how many sites run on a VM, each can access their home directory using d:\home.

Local directory access (d:\local)

Every Azure Web App has a local directory which is temporary and is deleted when the run is no longer running on the VM. This directory is a place to store temporary data for the application. The sandbox implements a dynamic symbolic link which maps d:\local to point to this directory. The application naturally has read/write access to this directory.

Note that the d:\local folder in the scm site (where Kudu runs) is not the same as the one in the main site (where the web app runs). As a result, they cannot see each other's local files.