Get the default Azure Function key with PowerShell

In my current project I use Octopus deployment to deploy my Azure Web App and Function. The Azure Web App calls the Azure Function by its web hook (or Function Url). However, when both components are deployed in the same Octopus deployment process, how can you configure the function Url? In this post I’ll describe what I have used to get it all configured and working.

Function Url and Keys

When you navigate to your function you can grab your Function Url from there.

If the authorization level is set to Function or Admin, this Url also contains a code. This is the API key needed to access and execute the function. By default, the level is set to Function, and the API key is then generated per function.

https://ocha-fa-gp-dev-we.azurewebsites.net/api/ProcessAnalyticsData?code=j87EFDIw0uHN/sl8cmHMdzsLTFrR/gS6HqvnNB6UuH3arv7NqN3zjw==

If your function gets created during deployment (like my scenario while deploying with Octopus), that code is not known. And you need this Url for your web app.

Host Keys

When you create your Azure Function App (basically a container for all your functions), several host keys are available. These keys are shared by ALL functions within your function app.

Since the default Authorization level is set to Function, we should use the default host key.

PowerShell Scripts

In my previous post about Kudu API and PowerShell I described how to get access to your web app. Accessing Function Apps works in much the same way.

# Get-PublishingProfileCredentials is not defined in this post and must be loaded before calling this function.
function Get-KuduApiAuthorisationHeaderValue($resourceGroupName, $webAppName){

    $publishingCredentials = Get-PublishingProfileCredentials $resourceGroupName $webAppName

    # Build the HTTP Basic authorization header value from the publishing user name and password
    return ("Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $publishingCredentials.Properties.PublishingUserName, $publishingCredentials.Properties.PublishingPassword))))
}


$accessToken = Get-KuduApiAuthorisationHeaderValue $resourceGroupName $webAppname

With the access token we can now call the Function APIs to get the host keys:

# Ask the Kudu (scm) site for the master key, authenticating with the Basic header built above
function Get-MasterAPIKey($kuduApiAuthorisationToken, $webAppName ){

    $apiUrl = "https://$webAppName.scm.azurewebsites.net/api/functions/admin/masterkey"
    
    $result = Invoke-RestMethod -Uri $apiUrl -Headers @{"Authorization"=$kuduApiAuthorisationToken;"If-Match"="*"} 
    
    return $result
}

# Ask the Function App itself for its host keys, authenticating with the master key
function Get-HostAPIKeys($kuduApiAuthorisationToken, $webAppName, $masterKey ){

    $apiUrl = "https://$webAppName.azurewebsites.net/admin/host/keys?code=$masterKey"
 
    $result = Invoke-WebRequest $apiUrl
    
    return $result
}

$adminCode = Get-MasterAPIKey $accessToken $webAppname

# Prints the master key to the console output
Write-Host "masterKey = " $adminCode.Masterkey

$result = Get-HostAPIKeys $accessToken $webAppname $adminCode.Masterkey

# The response body is JSON; the host keys are in its Keys array
$keysCode =  $result.Content | ConvertFrom-Json

Write-Host "default Key = " $keysCode.Keys[0].Value

First we need the master key and with that master key we can get the other host keys. Once you have the API key value you can use it in your deployment process. In my case I need to configure this in Octopus in advance.
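The following is an added example, not code from the original post: it picks the host key by name instead of by array position, and escapes the key before building the Function Url (the key shown earlier contains `/` and `=`). The function names `Select-HostKey` and `New-FunctionUrl`, the app name `my-function-app` and the sample JSON are constructed for illustration; it assumes each entry in the keys array carries a `name` next to its `value`.

```powershell
# Added example, not code from the original post. Function names are hypothetical.

function Select-HostKey {
    param(
        [Parameter(Mandatory)] [string] $KeysJson,   # body returned by /admin/host/keys
        [string] $KeyName = 'default'
    )
    $keys = ($KeysJson | ConvertFrom-Json).keys
    # Match on the key's name so the result does not depend on array order.
    $found = @($keys | Where-Object { $_.name -eq $KeyName })
    if ($found.Count -ne 1) {
        throw "Expected exactly one host key named '$KeyName', found $($found.Count)."
    }
    return $found[0].value
}

function New-FunctionUrl {
    param(
        [Parameter(Mandatory)] [string] $FunctionAppName,
        [Parameter(Mandatory)] [string] $FunctionName,
        [Parameter(Mandatory)] [string] $Key
    )
    # A key can contain '/', '+' and '='; escape them for use in the query string.
    $code = [uri]::EscapeDataString($Key)
    return 'https://{0}.azurewebsites.net/api/{1}?code={2}' -f $FunctionAppName, $FunctionName, $code
}

# Constructed sample response: placeholder values, not real keys.
$sampleJson = '{"keys":[{"name":"octopus","value":"AAAA/bbbb+cccc=="},{"name":"default","value":"ZZZZ/yyyy+xxxx=="}]}'

$defaultKey  = Select-HostKey -KeysJson $sampleJson
$functionUrl = New-FunctionUrl -FunctionAppName 'my-function-app' -FunctionName 'ProcessAnalyticsData' -Key $defaultKey

# Report that a key was found without writing its value to the log.
Write-Host ("default host key found ({0} characters)" -f $defaultKey.Length)
```

In a real deployment step, pass `$result.Content` from `Get-HostAPIKeys` as `-KeysJson` and hand `$functionUrl` to the web app configuration as a sensitive value.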

Kudos to my colleague Frans van Rijn who helped me sort this out.

4 thoughts on “Get the default Azure Function key with PowerShell”

  1. Patrick

    Just wanted to say thanks very much for this! Was trying to figure it out with regular AzureRM PowerShell and this is just a perfect solution!

  2. Paras

    on using
    url “https://.azurewebsites.net/admin/host/keys?code=”

    it says no route registered for No route registered for ‘/admin/host/keys?code=

    Am I missing something?

  3. Paras

    on using
    url “https://.azurewebsites.net/admin/host/keys?code=$mymasterkeyvaluePuthere”

    it says no route registered for No route registered for ‘/admin/host/keys?code=$mymasterkeyvaluePuthere

    Am I missing something?

    1. Octavie van Haaften Post author

      Hi Paras, in the URL I am missing the Azure Function name. It should be something like https://.azurewebsites.net/admin/host/bla-bla.
