Change Deployment configuration option in Static Web App

Question

Change Deployment configuration option in Static Web App

David Wolfson 0

I am the owner of an existing static web app which is deployed with a github action. I have moved the source repository to a different github organisation repo and now need to use the existing deployment token. The token is available to the github action, but the static web app is configured to use GitHub for the "Deployment authorization policy" and all the options in the azure portal configuration blade are greyed out.

I've not been able to find an option to change this via the Azure CLI.

How can I update this please?

Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-02T17:04:49.3533333+00:00
Hi @David Wolfson
Thanks for the question and using MS Q&A platform.
Open your Azure Static Web App.

In the left-hand menu, select Settings and then choose Configuration.

Update Deployment Authorization Policy

In the Deployment Configuration section, you will find the Deployment Authorization Policy.

If these options appear greyed out, it could be due to the current settings. To enable the options, you may need to:

Temporarily disconnect the GitHub repository.

Reconnect it to enable editing of the settings.
https://learn.microsoft.com/en-us/cli/azure/staticwebapp?view=azure-cli-latest#az-staticwebapp-disconnect
Although there is no direct Azure CLI command for changing the deployment authorization policy, you can update the deployment token with the following command:

az staticwebapp secrets update --name <your-static-web-app-name> --resource-group <your-resource-group> --api-token <your-deployment-token>

Reset deployment tokens in Azure Static Web Apps | Microsoft Learn

Update the GitHub Actions Workflow

Open the GitHub Actions workflow file (typically named azure-static-web-apps-<RANDOM_NAME>.yml).

Ensure the file is updated with the new repository details and deployment token.

Reference:
Build configuration for Azure Static Web Apps | Microsoft Learn

Authenticate and authorize Static Web Apps | Microsoft Learn

Deploy a static web app with Azure Static Web Apps CLI | Microsoft Learn

I hope this information is helpful.
David Wolfson 0 Reputation points

2024-12-03T14:55:00.51+00:00

duplicate
David Wolfson 0 Reputation points

2024-12-03T15:00:32.12+00:00
@Laxman Reddy Revuri thanks for the suggestion.

When I disconnected the source the configuration option to change the Deployment Authorization Policy was not available. I then went on to reconnect using updated syntax from the az staticwebapp update docs:

az staticwebapp update --name <your-static-web-app-name> --resource-group <your-resource-group> --token <your-deployment-token>

Although the token was updated in the configuration, the policy was still set to GitHub, so this approach has not worked.
Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-04T16:43:45.85+00:00
Hi @David Wolfson
Apologize for any inconvenience caused on this.
Verify Azure CLI Syntax:

The command you used, az staticwebapp update, is correct for updating certain static web app configurations. However, this does not directly switch the deployment authorization policy.

Ensure that the deployment token is valid and properly scoped.

Reset the Deployment Token in Azure Portal:

Navigate to the Azure Static Web Apps service in the portal.

Go to Settings → Secrets.

Reset the Deployment Token manually.

Once reset, ensure the token is used in your workflow YAML file.

Reconnect the Repository Properly:

Disconnecting and reconnecting the repository should allow you to modify the Deployment Authorization Policy.

If the option remains unavailable:

Use the Azure CLI to disconnect and reconnect:

az staticwebapp disconnect --name <your-static-web-app-name> --resource-group <your-resource-group>

az staticwebapp update --name <your-static-web-app-name> --resource-group <your-resource-group> --source <source-url> --token <your-deployment-token>

Check Current Policy:
You can query the current deployment settings using the Azure CLI

az staticwebapp show --name <your-static-web-app-name> --resource-group <your-resource-group>

Look for the deploymentSettings property to confirm if the deployment mode is correctly set.

YAML Workflow Configuration:

Make sure the GitHub Actions workflow file (azure-static-web-apps-<RANDOM_NAME>.yml) includes the updated token.

If you’re not sure about the placement, it typically appears in the env or secrets section of the file:

AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.STATIC_WEB_APP_TOKEN }}

Verify GitHub Configuration:

Confirm that the repository and branch referenced in the Azure portal match those in your workflow file.
David Wolfson 0 Reputation points

2024-12-05T11:42:40.87+00:00
I have followed these steps, and the policy is not still unchanged. Two things to note:

the update CLI command also required the --branch to be set

the show CLI command does not include the deploymentSettings (see screenshot)
Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-06T16:22:35.6033333+00:00
Hi @David Wolfson
1.Correct Azure CLI Syntax
Ensure you use the right command with --branch included:

az staticwebapp update \ --name <your-static-web-app-name> \ --resource-group <your-resource-group> \ --source <source-url> \ --token <your-deployment-token> \ --branch <your-branch-name>

2.Check and Update Azure CLI Version Verify your Azure CLI version:

az version

If outdated, update it:

az upgrade

3.Retrieve Deployment Settings via REST API
If deploymentSettings is missing in az staticwebapp show:

Get Access Token:

az account get-access-token --query accessToken -o tsv

Call the REST API:

curl -X GET \ -H "Authorization: Bearer <access-token>" \ "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/staticSites/<static-web-app-name>?api-version=2022-03-01"

Check the deployment Settings in the response.

4.Revalidate Configuration

Ensure the deployment token matches the one from the Azure portal.

Confirm the repository and branch align in both Azure and your GitHub workflow YAML file.
Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-10T07:03:43.9733333+00:00

Hi @David Wolfson
Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.

David Wolfson 0

Update Syntax: yes, this is the syntax I used. (I note that you're codeblock is marked as 'Dockerfile', but I am using CLI as this is not Dockerized.)
I am using Cloudshell for this through the Azure Portal:

$ az version
{
  "azure-cli": "2.65.0",
  "azure-cli-core": "2.65.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "ai-examples": "0.2.5",
    "ml": "2.30.1",
    "ssh": "2.0.5"
  }
}
$ az upgrade
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Your current Azure CLI version is 2.65.0. Latest version available is 2.67.0.
Please check the release notes first: https://docs.microsoft.com/cli/azure/release-notes-azure-cli
Do you want to continue? (Y/n): Y
Not able to upgrade automatically. Instructions can be found at https://aka.ms/doc/InstallAzureCli
CLI upgrade failed or aborted.

Retrieve Deployment Settings via REST API: The outpu from this does include the setting and confirms that it is set to github:

"deploymentAuthPolicy":"GitHub"

Revalidate Configuration The tokens are correct - I need a way to change that policy from Github to Token... Is this possible directly on the REST API rather than using az?

Laxman Reddy Revuri 3,655 Microsoft External Staff

Hi @David Wolfson
REST API approach to change the deployment authentication policy from GitHub to Token.
Get Access Token

ACCESS_TOKEN=$(az account get-access-token --query accessToken -o tsv)
 
# Subscription Details (replace with your actual values)
SUBSCRIPTION_ID="your-subscription-id"
RESOURCE_GROUP="your-resource-group"
STATIC_WEB_APP_NAME="your-static-web-app-name"
 
# REST API Call to Update Deployment Authentication Policy
curl -X PATCH \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "properties": {
      "deploymentAuthPolicy": "Token"
    }
  }' \
  "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$STATIC_WEB_APP_NAME?api-version=2022-03-01"

Uses PATCH method to modify specific properties.

Sets deploymentAuthPolicy to "Token".

Requires full replacement of placeholders with your actual Azure resource details.

David Wolfson 0

Thanks - I needed slightly different syntax (DeploymentToken):

curl -X PATCH -H "Authorization: Bearer $ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"properties": {"deploymentAuthPolicy": "DeploymentToken"}}' "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$STATIC_WEB_APP_NAME?api-version=2022-03-01"

and still got an error on response looking now for a repository token:

{
  "Code": "BadRequest",
  "Message": "DeploymentAuthPolicy is invalid.  Cannot update policy without providing repository token.",
  "Target": null,
  "Details": [
    {
      "Message": "DeploymentAuthPolicy is invalid.  Cannot update policy without providing repository token."
    },
    { "Code": "BadRequest" },
    {
      "ErrorEntity": {
        "ExtendedCode": "51021",
        "MessageTemplate": "{0} is invalid.  {1}",
        "Parameters": [
          "DeploymentAuthPolicy",
          "Cannot update policy without providing repository token."
        ],
        "Code": "BadRequest",
        "Message": "DeploymentAuthPolicy is invalid.  Cannot update policy without providing repository token."
      }
    }
  ],
  "Innererror": null
}

I may not be able to provide this from within the organisation but will see what I can do.

Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-23T00:49:10.4+00:00
Hi @David Wolfson

Requirement of repositoryToken:

Azure uses the repositoryToken to authenticate and link your app to the source control repository.

When switching to DeploymentToken policy, the token ensures secure access for deployments.

Missing repositoryToken in Request:

The JSON payload you sent doesn’t include the required repositoryToken parameter, leading to the error.
To resolve this issue, kindly include a valid repositoryToken (for example, a GitHub Personal Access Token - PAT) in your request,
SUBSCRIPTION_ID="your-subscription-id"

RESOURCE_GROUP="your-resource-group"

STATIC_WEB_APP_NAME="your-static-web-app-name"

REPOSITORY_TOKEN="your-repository-token"

curl -X PATCH \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "properties": { "deploymentAuthPolicy": "DeploymentToken", "repositoryToken": "'"$REPOSITORY_TOKEN"'" } }' \ "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$STATIC_WEB_APP_NAME?api-version=2022-03-01"

1 answer

Your answer

Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-02T17:04:49.3533333+00:00

Hi @David Wolfson
Thanks for the question and using MS Q&A platform.
Open your Azure Static Web App.

In the left-hand menu, select Settings and then choose Configuration.

Update Deployment Authorization Policy

In the Deployment Configuration section, you will find the Deployment Authorization Policy.

If these options appear greyed out, it could be due to the current settings. To enable the options, you may need to:

Temporarily disconnect the GitHub repository.

Reconnect it to enable editing of the settings.
https://learn.microsoft.com/en-us/cli/azure/staticwebapp?view=azure-cli-latest#az-staticwebapp-disconnect
Although there is no direct Azure CLI command for changing the deployment authorization policy, you can update the deployment token with the following command:

az staticwebapp secrets update --name <your-static-web-app-name> --resource-group <your-resource-group> --api-token <your-deployment-token>

Reset deployment tokens in Azure Static Web Apps | Microsoft Learn

Update the GitHub Actions Workflow

Open the GitHub Actions workflow file (typically named azure-static-web-apps-<RANDOM_NAME>.yml).

Ensure the file is updated with the new repository details and deployment token.

Reference:
Build configuration for Azure Static Web Apps | Microsoft Learn

Authenticate and authorize Static Web Apps | Microsoft Learn

Deploy a static web app with Azure Static Web Apps CLI | Microsoft Learn

I hope this information is helpful.
David Wolfson 0 Reputation points

2024-12-03T14:55:00.51+00:00

duplicate
David Wolfson 0 Reputation points

2024-12-03T15:00:32.12+00:00

@Laxman Reddy Revuri thanks for the suggestion.

When I disconnected the source the configuration option to change the Deployment Authorization Policy was not available. I then went on to reconnect using updated syntax from the az staticwebapp update docs:

az staticwebapp update --name <your-static-web-app-name> --resource-group <your-resource-group> --token <your-deployment-token>

Although the token was updated in the configuration, the policy was still set to GitHub, so this approach has not worked.
Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-04T16:43:45.85+00:00

Hi @David Wolfson
Apologize for any inconvenience caused on this.
Verify Azure CLI Syntax:

The command you used, az staticwebapp update, is correct for updating certain static web app configurations. However, this does not directly switch the deployment authorization policy.

Ensure that the deployment token is valid and properly scoped.

Reset the Deployment Token in Azure Portal:

Navigate to the Azure Static Web Apps service in the portal.

Go to Settings → Secrets.

Reset the Deployment Token manually.

Once reset, ensure the token is used in your workflow YAML file.

Reconnect the Repository Properly:

Disconnecting and reconnecting the repository should allow you to modify the Deployment Authorization Policy.

If the option remains unavailable:

Use the Azure CLI to disconnect and reconnect:

az staticwebapp disconnect --name <your-static-web-app-name> --resource-group <your-resource-group>

az staticwebapp update --name <your-static-web-app-name> --resource-group <your-resource-group> --source <source-url> --token <your-deployment-token>

Check Current Policy:
You can query the current deployment settings using the Azure CLI

az staticwebapp show --name <your-static-web-app-name> --resource-group <your-resource-group>

Look for the deploymentSettings property to confirm if the deployment mode is correctly set.

YAML Workflow Configuration:

Make sure the GitHub Actions workflow file (azure-static-web-apps-<RANDOM_NAME>.yml) includes the updated token.

If you’re not sure about the placement, it typically appears in the env or secrets section of the file:

AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.STATIC_WEB_APP_TOKEN }}

Verify GitHub Configuration:

Confirm that the repository and branch referenced in the Azure portal match those in your workflow file.
David Wolfson 0 Reputation points

2024-12-05T11:42:40.87+00:00

I have followed these steps, and the policy is not still unchanged. Two things to note:

the update CLI command also required the --branch to be set

the show CLI command does not include the deploymentSettings (see screenshot)
Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-06T16:22:35.6033333+00:00

Hi @David Wolfson
1.Correct Azure CLI Syntax
Ensure you use the right command with --branch included:

az staticwebapp update \ --name <your-static-web-app-name> \ --resource-group <your-resource-group> \ --source <source-url> \ --token <your-deployment-token> \ --branch <your-branch-name>

2.Check and Update Azure CLI Version Verify your Azure CLI version:

az version

If outdated, update it:

az upgrade

3.Retrieve Deployment Settings via REST API
If deploymentSettings is missing in az staticwebapp show:

Get Access Token:

az account get-access-token --query accessToken -o tsv

Call the REST API:

curl -X GET \ -H "Authorization: Bearer <access-token>" \ "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/staticSites/<static-web-app-name>?api-version=2022-03-01"

Check the deployment Settings in the response.

4.Revalidate Configuration

Ensure the deployment token matches the one from the Azure portal.

Confirm the repository and branch align in both Azure and your GitHub workflow YAML file.
Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-10T07:03:43.9733333+00:00

Hi @David Wolfson
Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
David Wolfson 0 Reputation points

2024-12-11T09:41:34.95+00:00

Update Syntax: yes, this is the syntax I used. (I note that you're codeblock is marked as 'Dockerfile', but I am using CLI as this is not Dockerized.)

I am using Cloudshell for this through the Azure Portal:

$ az version { "azure-cli": "2.65.0", "azure-cli-core": "2.65.0", "azure-cli-telemetry": "1.1.0", "extensions": { "ai-examples": "0.2.5", "ml": "2.30.1", "ssh": "2.0.5" } } $ az upgrade This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus Your current Azure CLI version is 2.65.0. Latest version available is 2.67.0. Please check the release notes first: https://docs.microsoft.com/cli/azure/release-notes-azure-cli Do you want to continue? (Y/n): Y Not able to upgrade automatically. Instructions can be found at https://aka.ms/doc/InstallAzureCli CLI upgrade failed or aborted.

Retrieve Deployment Settings via REST API: The outpu from this does include the setting and confirms that it is set to github:

"deploymentAuthPolicy":"GitHub"

Revalidate Configuration The tokens are correct - I need a way to change that policy from Github to Token... Is this possible directly on the REST API rather than using az?
Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-16T16:04:19.3+00:00

Hi @David Wolfson
REST API approach to change the deployment authentication policy from GitHub to Token.
Get Access Token

ACCESS_TOKEN=$(az account get-access-token --query accessToken -o tsv) # Subscription Details (replace with your actual values) SUBSCRIPTION_ID="your-subscription-id" RESOURCE_GROUP="your-resource-group" STATIC_WEB_APP_NAME="your-static-web-app-name" # REST API Call to Update Deployment Authentication Policy curl -X PATCH \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "properties": { "deploymentAuthPolicy": "Token" } }' \ "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$STATIC_WEB_APP_NAME?api-version=2022-03-01"

Uses PATCH method to modify specific properties.

Sets deploymentAuthPolicy to "Token".

Requires full replacement of placeholders with your actual Azure resource details.
David Wolfson 0 Reputation points

2024-12-18T16:50:14.74+00:00

Thanks - I needed slightly different syntax (DeploymentToken):

curl -X PATCH -H "Authorization: Bearer $ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"properties": {"deploymentAuthPolicy": "DeploymentToken"}}' "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$STATIC_WEB_APP_NAME?api-version=2022-03-01"

and still got an error on response looking now for a repository token:

{ "Code": "BadRequest", "Message": "DeploymentAuthPolicy is invalid. Cannot update policy without providing repository token.", "Target": null, "Details": [ { "Message": "DeploymentAuthPolicy is invalid. Cannot update policy without providing repository token." }, { "Code": "BadRequest" }, { "ErrorEntity": { "ExtendedCode": "51021", "MessageTemplate": "{0} is invalid. {1}", "Parameters": [ "DeploymentAuthPolicy", "Cannot update policy without providing repository token." ], "Code": "BadRequest", "Message": "DeploymentAuthPolicy is invalid. Cannot update policy without providing repository token." } } ], "Innererror": null }

I may not be able to provide this from within the organisation but will see what I can do.
Laxman Reddy Revuri 3,655 Reputation points Microsoft External Staff

2024-12-23T00:49:10.4+00:00

Hi @David Wolfson

Requirement of repositoryToken:

Azure uses the repositoryToken to authenticate and link your app to the source control repository.

When switching to DeploymentToken policy, the token ensures secure access for deployments.

Missing repositoryToken in Request:

The JSON payload you sent doesn’t include the required repositoryToken parameter, leading to the error.
To resolve this issue, kindly include a valid repositoryToken (for example, a GitHub Personal Access Token - PAT) in your request,
SUBSCRIPTION_ID="your-subscription-id"

RESOURCE_GROUP="your-resource-group"

STATIC_WEB_APP_NAME="your-static-web-app-name"

REPOSITORY_TOKEN="your-repository-token"

curl -X PATCH \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "properties": { "deploymentAuthPolicy": "DeploymentToken", "repositoryToken": "'"$REPOSITORY_TOKEN"'" } }' \ "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$STATIC_WEB_APP_NAME?api-version=2022-03-01"

Answer 1

David Wolfson 0

Organisational rules mean that I'm not able to set up a repository token, so I will not be able to resolve this.

Thanks for the support.

Share via

Change Deployment configuration option in Static Web App

1 answer

Your answer