listKeys for Azure function app

Question

How do I list the keys of an azure function app using the listKeys ARM function?

My template:

 {
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "resources": [],
    "outputs": {
        "referenceOutput": {
            "type": "object",
            "value": "[listkeys(resourceId('Microsoft.Web/sites/functions', 'my-function-app','my-function'),'2016-08-01').key]"
        }
    }

And then run with:

az group deployment create -g my-rg --template-file ./arm.json --mode incremental

Error:

No route registered for '/api/functions/my-function/listkeys?api-version=2016-08-01'

Answer 1

Try following template.

  "outputs": {
    "FunctionAppName": {
        "type": "string",
        "value": "[parameters('functionName')]"
    },
    "Key": {
        "type": "string",
        "value": "[listsecrets(resourceId('Microsoft.Web/sites/functions', parameters('existingFunctionAppName'), parameters('functionName')),'2015-08-01').key]"
    },        
    "Url": {
        "type": "string",
        "value": "[listsecrets(resourceId('Microsoft.Web/sites/functions', parameters('existingFunctionAppName'), parameters('functionName')),'2015-08-01').trigger_url]"
    }        
}

More information about this please refer to this question.

You also could use Function App Api to list this.

GET /admin/functions/{functionname}/keys

If you use bash shell, you could use the following example.

TENANT=""
CLIENT_ID=""
CLIENT_SECRET=""
SUBSCRIPTION_ID=""
RESOURCE_GROUP="shuiapp"
FUNCTION_APP_NAME="shuifunction"
API_URL="https://$FUNCTION_APP_NAME.scm.azurewebsites.net/api/functions/admin/token"
SITE_URL="https://$FUNCTION_APP_NAME.azurewebsites.net/admin/functions/HttpTriggerPowerShell1/keys"

### Grab a fresh bearer access token.
ACCESS_TOKEN=$(curl -s -X POST -F grant_type=client_credentials -F resource=https://management.azure.com/ -F client_id=$CLIENT_ID -F client_secret=$CLIENT_SECRET https://login.microsoftonline.com/$TENANT/oauth2/token | jq '.access_token' -r)

### Grab the publish data for the Funciton App and output it to an XML file.
PUBLISH_DATA=$(curl -s -X POST -H "Content-Length: 0" -H "Authorization: Bearer $ACCESS_TOKEN" https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/sites/$FUNCTION_APP_NAME/publishxml?api-version=2016-08-01)
echo $PUBLISH_DATA > publish_data.xml

### Grab the Kudu username and password from the publish data XML file.
USER_NAME=$(xmlstarlet sel -t -v "//publishProfile[@profileName='$FUNCTION_APP_NAME - Web Deploy']/@userName" publish_data.xml)
USER_PASSWORD=$(xmlstarlet sel -t -v "//publishProfile[@profileName='$FUNCTION_APP_NAME - Web Deploy']/@userPWD" publish_data.xml)

### Generate a JWT that can be used with the Functions Key API.
JWT=$(curl -s -X GET -u $USER_NAME:$USER_PASSWORD $API_URL | tr -d '"')

### Grab the '_master' key from the Functions Key API.
KEY=$(curl -s -X GET -H "Authorization: Bearer $JWT" $SITE_URL | jq -r '.value')

Answer 2

This approach for retrieving keys appears to be an issue right now per an announcement on Azure Wiki.

I have had luck using a scripted version that is built around a call similar to this:

az rest --method post --uri "/subscriptions/%subscriptionId%/resourceGroups/%resourceGroup%/providers/Microsoft.Web/sites/%webAppName%/host/default/listKeys?api-version=2018-11-01" --query functionKeys.default --output tsv

The original blog post that I got this info from is here.