NFS Permission Denied in Azure App Service on Linux: What It Means and What to Do

If your Azure App Service on Linux uses an Azure Files NFS share, you may sometimes see errors like Permission denied or Errno 13 when your app tries to write to the mounted path. Azure Files supports NFS for Linux and Unix workloads, and NFS uses Unix-style numeric ownership and permissions (UID/GID), which can behave differently from SMB-based file sharing.

Overview

This post is for customers using Azure App Service on Linux together with an Azure Files NFS share for persistent storage. Azure Files NFS is designed for Linux and Unix-style workloads, supports POSIX-style permissions, and does not support Windows clients or NFS ACLs.

In this setup, a write failure does not always mean the file is corrupted. Sometimes it means the file ownership seen by the running app no longer matches the identity context currently used to access the NFS share. In containerized Linux environments, user IDs inside a container can be mapped differently outside the container, and Docker documents that this can affect access to host-mounted resources.

Common signs

You may notice:

• Permission denied
• Errno 13
• your app can read files but cannot update or overwrite them
• file ownership looks different than expected when you inspect the mounted path

These symptoms are consistent with how NFS handles Unix-style ownership and permissions. Azure documents that NFS permissions are enforced through the operating system and NFS model rather than SMB-style user authentication.

Why this can happen

At a high level, NFS uses numeric ownership such as UID and GID. In container-based Linux environments, the identity that appears inside the container is not always the same as the identity seen outside the container. Docker’s user namespace documentation explains that a container user such as root can be mapped to a less-privileged user on the host, and that mounted-resource access can become more complex because of that mapping.

That means a file created earlier under one effective identity context may later be accessed under a different one. When that happens, the app may no longer be able to write to the file even though the file itself is still present and intact.

What to check first

Start by checking the mounted share from the app’s runtime context.

ls -l /mount/path/file
ls -ln /mount/path/file
id -u
id -g

The ls -ln output is especially useful because it shows the numeric UID and GID directly. If you need shell access for investigation, App Service supports SSH into Linux containers, and Microsoft notes that Linux custom containers may need extra SSH configuration.

You should also review the NFS share’s squash setting. Azure Files NFS supports No Root Squash, Root Squash, and All Squash. Microsoft documents these options in the root squash guidance.

A practical mitigation

If the main issue is inconsistent ownership behavior, a practical mitigation is often to use All Squash on the NFS share. Azure documents All Squash as a supported NFS setting, and squash settings are specifically intended to control how client identities are handled when they access the share.

One important note: changing the squash setting does not automatically rewrite old files. If existing data was created under a different ownership context, you may still need to migrate that data to a new share configured the way you want.

Recommended approach

A simple and cautious approach is:

1. Create a new Azure Files NFS share.
2. Configure it with All Squash if that matches your workload needs.
3. Mount both the old share and the new share on a Linux environment.
4. Copy the data from old to new.
5. Validate that the app can read and write correctly.
6. Repoint production to the validated share.

Azure Files supports NFS shares and squash configuration, and Azure also documents how to mount NFS shares on Linux if you need a separate environment for validation or migration.

Final takeaway

If your App Service on Linux starts hitting NFS permission denied errors, focus first on ownership, UID/GID behavior, and squash settings before assuming the files are damaged. For many users, the most effective path is to validate the current ownership model, review the NFS squash setting, and, if needed, migrate data to a share configured with All Squash.

References

• NFS file shares in Azure Files | Microsoft Learn
• Configure Root Squash Settings for NFS Azure File Shares | Microsoft Learn
• SSH Access for Linux and Windows Containers - Azure App Service | Microsoft Learn
• Isolate containers with a user namespace | Docker Docs