Skip to content
Latchkey

Azure Functions Core Tools "publish ... 401 Unauthorized" in CI

func publish uploads the package to the Kudu/SCM endpoint of the function app, which requires authentication. A 401 means no valid login session or publish credential was available when the upload ran.

What this error means

func azure functionapp publish fails with "Error: Status: 401 Unauthorized" or "Unauthorized" when pushing the zip to the SCM endpoint.

func
Getting site publishing info...
Creating archive for current directory...
Uploading ...
Error: Status: 401 Unauthorized.

Common causes

No Azure login session for Core Tools

func relies on an active az login (or publish credentials). Without a valid session, the SCM upload is rejected with 401.

Basic auth (SCM credentials) is disabled

If basic authentication is turned off on the function app, password-based publish fails and an identity-based login is required.

How to fix it

Log in before publishing

  1. Run azure/login (or az login with a service principal) before func.
  2. Then run func publish so it inherits the session.
  3. Confirm the upload succeeds.
Terminal
az login --service-principal -u "$AZURE_CLIENT_ID" \
  -p "$AZURE_CLIENT_SECRET" --tenant "$AZURE_TENANT_ID"
func azure functionapp publish my-func-app

Use the functions-action with a publish profile

If basic auth is enabled, deploy with the official action and a publish-profile secret instead.

.github/workflows/ci.yml
- uses: Azure/functions-action@v1
  with:
    app-name: my-func-app
    publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}

How to prevent it

  • Authenticate (az login or publish profile) before any func publish.
  • Know whether basic auth is enabled; if not, use identity-based deploy.
  • Keep publish credentials in CI secrets and rotate them.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →