I'm sending an email in Azure Functions using the SendGrid bindings. As part of the contents of that email, I'd like to include a link to one of the HTTP methods in the Azure Functions instance for more information. I have all my HTTP functions secured with AuthorizationLevel.Function.
I've seen a solution for scraping the keys from ARM and Kudu in PowerShell (and this one) and a solution to output the keys with just ARM, but these both rely on having something my Azure Functions do not: permissions to the ARM (Azure Resource Management) APIs.
I also found the Key management APIs for the Azure Functions host which works exactly as I want locally, but I don't know how to get past the 401 Unauthorized once the Azure Functions are deployed. I can get past it manually with the _master function key, but then I'm back to not knowing how to get that key at runtime.
The question is this: Is it possible to get the key for an Azure Function at runtime from the Azure Function Host somehow? I would very much prefer to not need ARM permissions to do that.
Try the following two steps:
Get the host master key:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourcegroupName}/providers/Microsoft.Web/sites/{functionApp}/functions/admin/masterkey?api-version=2016-08-01
Get the function keys:
GET https://{functionApp}.azurewebsites.net/admin/functions/{functionName}/keys?code={masterKeyFromStep1}
Response from step 2:
{
  "keys": [
    {
      "name": "default",
      "value": "xxxxxxxxxxxxxxxxxxxxxx"
    }
  ],
  "links": [
    {
      "rel": "self",
      "href": "https://myFncApp.azurewebsites.net/admin/functions/myFunction/keys"
    }
  ]
}
Update:
Note that step 1 requires an authorization header in the format:
Authorization: Bearer bearerToken
where the bearerToken string can be obtained from Azure Active Directory (AAD); see the following example code snippet:
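using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

private string AccessToken(string clientID)
{
    string redirectUri = "https://login.live.com/oauth20_desktop.srf";
    // Interactive sign-in against the common AAD endpoint, using the shared token cache.
    var authContext = new AuthenticationContext("https://login.windows.net/common/oauth2/authorize", TokenCache.DefaultShared);
    // Request a token whose audience is the ARM endpoint used in step 1.
    var ar = authContext.AcquireTokenAsync("https://management.azure.com/", clientID, new Uri(redirectUri), new PlatformParameters(PromptBehavior.SelectAccount)).Result;
    return ar.AccessToken;
}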
Note that the clientID is the GUID of your registered application in AAD with an API access permission for the Windows Azure Service Management API.
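Once step 2 has returned, the key still has to be pulled out of the response and placed in the emailed link. The following is an added example, not part of the answer above: FunctionLinkBuilder, SelectKey and BuildLink are hypothetical names, the link assumes the default "api" route prefix, and the key value in the sample is constructed.

```csharp
using System;
using System.Text.Json;

public static class FunctionLinkBuilder
{
    // Returns the value of the key called keyName from the step 2 response body.
    // Throws instead of silently falling back to a different key.
    public static string SelectKey(string keysJson, string keyName)
    {
        using JsonDocument doc = JsonDocument.Parse(keysJson);
        foreach (JsonElement key in doc.RootElement.GetProperty("keys").EnumerateArray())
        {
            if (key.GetProperty("name").GetString() == keyName)
            {
                return key.GetProperty("value").GetString()
                    ?? throw new InvalidOperationException($"Key '{keyName}' has no value.");
            }
        }
        throw new InvalidOperationException($"No key named '{keyName}' in the response.");
    }

    // Builds the link for the e-mail body (assumption: default "api" route prefix).
    // Keys can contain characters such as '/' and '=', so the value is
    // percent-encoded before it goes into the code query parameter.
    public static Uri BuildLink(string functionApp, string functionName, string key)
    {
        string encodedKey = Uri.EscapeDataString(key);
        return new Uri($"https://{functionApp}.azurewebsites.net/api/{functionName}?code={encodedKey}");
    }

    public static void Main()
    {
        // Constructed sample in the shape of the step 2 response; the key is made up.
        const string sample = @"{
          ""keys"": [ { ""name"": ""default"", ""value"": ""aB/cD+eF=="" } ],
          ""links"": [ { ""rel"": ""self"",
            ""href"": ""https://myFncApp.azurewebsites.net/admin/functions/myFunction/keys"" } ]
        }";

        string key = SelectKey(sample, "default");
        Uri link = BuildLink("myFncApp", "myFunction", key);
        Console.WriteLine(link.AbsoluteUri);
    }
}
```

Anyone who receives the email can call the function with the embedded key, so log the link with the code parameter removed and prefer a key you can rotate without affecting other callers.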
PowerShell way:
$funcKey = (Invoke-AzResourceAction `
    -Action listKeys `
    -ResourceType 'Microsoft.Web/sites/functions/' `
    -ResourceGroupName $resourceGroup `
    -ResourceName "$funcAppName/$funcName" `
    -Force).default