Container File Permissions in Windows Container

Question

I've got a Windows Docker container (microsoft/aspnet) that is hosting a simple Web API. The web API accepts files from a form, saves them in a temp folder, does some processing, and then returns the result.

This works fine when deployed locally, but when done in my Docker container, I get a file permissions error on my temp folder (App_Data).

Is there a way to grant the IIS user the code is running as access to this file, or to open up the folder to any user for read/write access?

Current Docker file is below:

FROM microsoft/aspnet

COPY ./Deploy/ /inetpub/wwwroot

RUN mkdir /inetpub/wwwroot/App_Data 

Error message snippet I get running API from docker image:

"InnerException":{"Message":"An error has occurred.","ExceptionMessage":"Access to the path 'C:\\inetpub\\wwwroot\\App_Data\\BodyPart_481b6424-f9a5-4608-894d-406145a48445' is denied.","ExceptionType":"System.UnauthorizedAccessException"

It looks like there is a bug open on the aspnet-docker github about this same issue. [link]

In the meantime, it looks like running cacls App_Data /G IIS_IUSRS:F after starting the container fixes the issue temporarily.

Answer 1

Unclear why, but cacls doesn't seem to be working when run as part of building the container. Switched to using icacls, and was able to grant the IIS_USRS permissions on the folder.

Line added to dockerfile:

RUN icacls 'C:\inetpub\wwwroot\App_Data' /grant 'IIS_IUSRS:(F)'

Answer 2

I can't comment as I don't have enough reputation, but if the answer by @Darendal doesn't work (which it did not for me), then try this syntax

RUN icacls C:\inetpub\wwwroot\App_Data /grant "BUILTIN\IIS_IUSRS:(OI)(CI)F" /t