Retrieve the host keys from an azure function app

Question

I am trying to script an environment using the Azure cli. I have created a few function apps and would like to add a host key or at least retrieve the default one that is created automatically. The azure cli has no support at all for this.

There seems to be an api (documentation for it seems to be sparse) on the function itself that allows me to get the keys, however you need a key to use it so.. no help there.

https://github.com/Azure/azure-webjobs-sdk-script/wiki/Key-management-API

Eg: https://example-functions.azurewebsites.net/admin/host/keys?code=somecodeyoualreadyknow

I have seen some other examples that use the webapps scm api to download the json file that contains the keys however I'm not sure how to authenticate with this API. I have a service principal (userid, password, tenantid) and I was hoping to not have to add another authentication scheme to my script.

Answer 1

If you just want to get the keys and don't need to automate the authentication process:

Get-AzResource -Name RESOURCE-NAME | Invoke-AzResourceAction -Action host/default/listkeys -Force

Answer 2

I was just able to make this work with the Azure CLI using this command:

az rest --method post --uri \
"/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/sites/$FUNCTION_APP_NAME/host/default/listKeys?api-version=2018-11-01" \
--query functionKeys.default --output tsv

I realize this is a couple years late on the answer, but it might help people who are searching now.

Answer 3

Here are the steps.

1. Assuming you already have your Kudu deployment credentials. (it sounds like you already know how to do this. You can get it via an ARM call from your service principle, etc)
2. From kudu deployment creds, you can get a JWT that lets you call the Functions key API.
3. From the Functions API, you can get all your keys (including your master).

Here's a powershell script that demonstrates the exact calls to go from Kudu deployment creds to Function Master key:

# You need to start with these:
$site = "YourSiteName"
$username='YourDeploymentUserName'
$password='YourDeploymentPassword'

# Now... 
$apiBaseUrl = "https://$($site).scm.azurewebsites.net/api"
$siteBaseUrl = "https://$($site).azurewebsites.net"

# For authenticating to Kudu
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))


# Call Kudu /api/functions/admin/token to get a JWT that can be used with the Functions Key API 
$jwt = Invoke-RestMethod -Uri "$apiBaseUrl/functions/admin/token" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method GET

# Call Functions Key API to get the master key 
$x = Invoke-RestMethod -Uri "$siteBaseUrl/admin/host/systemkeys/_master" -Headers @{Authorization=("Bearer {0}" -f $jwt)} -Method GET

$masterKey = $x.value