The Architect Zone

The Ultimate Reference for Architects

Granting write access to ASP.NET apps hosted on AWS Beanstalk

ASP.NET applications and websites usually write user content and files in the App_Data folder. Examples of such files could be SQL Server compact (.mdf), Xml files, text files, etc. Therefore, when an ASP.NET site is hosted, the AppPool under which the application or website runs must have write permissions on the App_Data folder.

When an ASP.NET application is hosted on AWS Beanstalk, we do not have direct access to the file system of the application. But AWS provides a way to grant permission on specific folders through config files.

Step 1

Add a top-level folder to your Visual Studio project and name it '.ebextensions'

Step 2

Add a file named <ApplicationName>.config where <ApplicationName> is the name of your AWS application

Step 3

The config file can either contain YAML script or Json. AWS first tries to parse the file using YAML parser, if the parsing fails, then it tries to parse it using Json parser. If both parsing fails, the deployment is aborted and you can see the error in the log in your Beanstalk application console.

Step 4

Add the following YAML code to the config file:

If your project is a web site hosted on Default Web Site/, use this script

    command: "icacls C:\\inetpub\\wwwroot\\App_Data /grant DefaultAppPool:(OI)(CI)F"


Or if your Visual Studio project is a web project hosted under a Virtual Directory, use this script

    command: "icacls C:\\inetpub\\wwwroot\\<MyApp>\\App_Data /grant DefaultAppPool:(OI)(CI)F"

Replace <MyApp> with your Visual Studio Project name (not Solution name)

When this project is deployed to AWS Beanstalk using Visual Studio Tools for AWS add-in, this script will be executed and Full permission will be granted on the folder for DefaultAppPool. If you're using a custom AppPool, use the custom AppPool name instead of DefaultAppPool in the script.

A detailed description of the icacls utility can be found here.

Comments are closed