Deployment credentials for Windows Azure Web services

When it comes to Windows Azure I always comment their UI and the simplicity of some of the operations provided by Microsoft.

When deploying a website though there is something that although seems simple enough it may not be what everyone thinks when uses it for the first time. That is the Deployment Credentials.

I found an excellent wiki from which I will replicate here.

A quick idea…

There are the User-level credentials and Site-level credentials. What you see on the right corner is User-level! These are chosen by us and are tied to OUR Live ID < the one connected at Azure portal at that time> and not not! NOT! <yes 3 times> to a particular web site. The UI here is a bit confusing. These are not credentials that you need to change each time… Did it 2-3 times… wrong! finally found out why…

Deployment credentials

There are three different ways to publish files to an Azure Web Site:

  • git: the main topic of this wiki, and what the Kudu project is all about!
  • Web Deploy (also known as MSDeploy)
  • FTP

When it comes to authenticating with these three mechanisms, you cannot use your Live ID credentials (which the protocols can’t easily support), but instead need to use deployment credentials.

To make things more interesting, there are actually two sets of deployment credentials that you can use to publish. This page discusses the two alternatives.

User-level credentials

These are the credentials that you choose yourself in the Azure portal. If you’re not sure what they are, you can reset them by going to the Dashboard tab for any site and clicking ‘Reset deployment credentials’ (under quick glance).

These credentials are directly tied to a Live ID, and not to a particular web site.

This needs to be emphasized, because the Azure portal UI is a bit confusing, as you need to go under a specific site on order to change them. But changing them under one site affects all of them!

Note that when an Azure subscription has multiple admins/co-admins, each person has their own set of credentials, since they each have a different Live ID.

In other words, user-level credentials are never meant to be shared among different users.

One key point about the user-level credentials is that since you specifically set them, they are meant to be memorized, and directly typed by the user when needed (e.g. when doing a git push).

Site-level credentials

These are the credentials that are automatically generated for each site. In order to see them, you need to download the ‘publish profile‘, which you can do in the Dashboard tab of a site just above the ‘Reset deployment credentials’ link we discussed above.

The publish profile is an XML file that contains both WebDeploy and FTP related things. If you glance in there, you will easily locate the credentials. They look like:

Username: if your site is named ‘MyCoolSite’, the user name will be ‘$MyCoolSite’
Password: some long random string

Note that the multi co-admins scenario does not affect those credentials.

All the admins/co-admins will end up with the exact same site-level credentials for a given site (but each site has different ones of course).

And unlike User lever credentials, the site-level credentials are definitely not meant to be memorized (though you’re welcome to try!). Instead, they’re meant to be used by programs that automates deployment for you (like WebMatrix).

They can also be useful when a subscription owner wants to allow an external party to publish to just one site while having no access to the others.

When to use which set of credentials

Typically, you use the user-level credentials for git and FTP, and the site-level credentials for Web Deploy. However, you can use both sets of credentials for all three publishing techniques.

So why would you want to use the big random site-level credentials when doing a git push? Well, you wouldn’t. However, there can be scenarios where a tool needs to do this on your behalf, and using the site-level credentials can make a lot of sense there.

Also, note that when it comes to credentials, everything that mentions git applies equally to all entry points provided by the Kudu service.

Important note about the FTP username

Whether you use user-level or site-level credentials, note that you need to prepend the site name to the username you use for FTP. So you’d have FTP full user names that look like this:

With user-level credentials: MyCoolSite\davidebbo
With site-level credentials: MyCoolSite\$MyCoolSite


George Psistakis

I love technology and working with people. That is why I am trying to offer as much as I can at the local startup ecosystem and at the same time building Apirise. A platform to reduce time and effort required to integrate and maintain APIs. Simply, fast and efficiently!
I am co-organizer of the Agile Greece and API Athens meetups and I contribute at the Developer Economics Blog.

Discuss with me…

I’d love to know your ideas and thoughts on this post.
Connect with me on Twitter or Google+


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s