Grant write permissions to IIS on AWS Elastic Beanstalk

This article explains how to give an ASP.NET Core application write access to specific folders under the identity of its IIS application pool. When the application is hosted on AWS Elastic Beanstalk, this is necessary for it to operate properly.

The problem

ASP.NET Core apps often write user content and other files to wwwroot or to another specific folder: SQL Server Compact (.mdf) files, XML files, text files and similar. As a result, when hosting an ASP.NET Core site, the AppPool in which the application or website runs must have write access to the folder where those files are written.

When we host an ASP.NET Core application on AWS Elastic Beanstalk, we don't have direct access to the application's file system. However, AWS supports configuration files that can be used to grant permissions on specific directories during deployment.

The error looks something like this:

System.UnauthorizedAccessException: Access to the path 'C:\inetpub\AspNetCoreWebApps\app\xxx\xxx' is denied

The solution

  1. Create a top-level folder called .ebextensions in your Visual Studio project.
  2. Create a configuration file called <ApplicationName>.config inside .ebextensions folder, where <ApplicationName> is the name of your AWS application hosted on Elastic Beanstalk.
  3. The configuration file can be written in YAML or JSON. AWS first attempts to parse the file with its YAML parser and, if that fails, with its JSON parser. If both attempts fail, the deployment is canceled and the error is shown in the Elastic Beanstalk application console log.
  4. Add the following JSON to the config file.
{
  "container_commands": {
    "01": {
      "command": "icacls \"C:/inetpub/AspNetCoreWebApps\" /grant DefaultAppPool:(OI)(CI)F"
    }
  }
}

The container_commands key runs commands that affect your application source code. Container commands run after the application and web server have been set up and the application version archive has been extracted, but before the application version is deployed. Non-container commands and other customization operations are performed before the application source code is extracted.

Container commands are run from the staging directory, where your source code is extracted prior to being deployed to the application server. Any changes you make to your source code in the staging directory with a container command will be included when the source is deployed to its final location.

That is why the icacls command has to point at C:\inetpub\AspNetCoreWebApps rather than at the final folder: C:\inetpub\AspNetCoreWebApps\app\xxx\xxx does not exist yet when the command runs, because it executes while the source is still in the staging directory.

Once icacls "C:/inetpub/AspNetCoreWebApps" /grant DefaultAppPool:(OI)(CI)F has run against C:/inetpub/AspNetCoreWebApps, the (OI)(CI) inheritance flags carry the grant to every file and subfolder inside it, including the app folder that is created afterwards, so the write permission applies there too.

When the project is published to AWS Elastic Beanstalk, this command runs and grants DefaultAppPool Full control of the folder. If you're using a custom AppPool, replace DefaultAppPool in the command with that pool's name.
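A post-deployment check, added here as an example and not part of the original article: it reads the ACL on the folder the container command targets, confirms that an Allow entry for the app pool exists and inherits to subfolders, and warns when the grant is Full control, since Modify is all that creating and writing files requires. The path and pool name are the article's defaults; the parameters are assumptions for a custom pool.

```powershell
# Added verification script (not from the original article). Run on the
# Elastic Beanstalk instance after deployment; pass -AppPool for a custom pool.
param(
    [string]$Path    = 'C:\inetpub\AspNetCoreWebApps',
    [string]$AppPool = 'DefaultAppPool'
)

# The ACE may be recorded under either spelling of the pool identity.
$identities = @($AppPool, "IIS AppPool\$AppPool")
$fsr        = [System.Security.AccessControl.FileSystemRights]
$inh        = [System.Security.AccessControl.InheritanceFlags]

$acl   = Get-Acl -Path $Path
$rules = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $identities -contains $_.IdentityReference.Value
})

if ($rules.Count -eq 0) {
    Write-Warning "No Allow entry for '$AppPool' on $Path. The container command did not take effect; check the Elastic Beanstalk log."
    exit 1
}

foreach ($rule in $rules) {
    # icacls (OI)(CI) shows up here as ObjectInherit + ContainerInherit.
    $wanted   = $inh::ObjectInherit -bor $inh::ContainerInherit
    $inherits = ($rule.InheritanceFlags -band $wanted) -eq $wanted
    $isFull   = ($rule.FileSystemRights -band $fsr::FullControl) -eq $fsr::FullControl
    $canWrite = ($rule.FileSystemRights -band $fsr::Modify) -eq $fsr::Modify

    [PSCustomObject]@{
        Identity          = $rule.IdentityReference.Value
        Rights            = $rule.FileSystemRights
        AppliesToChildren = $inherits
        CanWrite          = $canWrite
    }

    if (-not $inherits) {
        Write-Warning "Entry for $($rule.IdentityReference.Value) does not inherit; folders created under app\ will still be denied."
    }
    if ($isFull) {
        # Full control also lets the worker process change the ACL and take
        # ownership; Modify (icacls M) is enough to create and write files.
        Write-Warning "Entry grants Full control. Consider (OI)(CI)M instead to keep the app pool to least privilege."
    }
}
```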