Azure-cli: Functionapp: Add ability to create a Function App or Function key directly

Created on 18 Jul 2017 · 22 Comments · Source: Azure/azure-cli

Description

The Azure CLI should be able to create a function-app-scoped or function-scoped key in an Azure Function App via the functionapp subcommand. It should also be able to retrieve existing keys.

FunctionApp Functions H2-2019 Service Attention

All 22 comments

This should be feasible using ARM APIs, which mirror those in the script runtime. See https://github.com/Azure/azure-webjobs-sdk-script/wiki/Key-management-API

Understandable that this can be achieved through an HTTP request, but in my opinion it would be a better user experience to be able to accomplish this directly through the Azure CLI. On my current project I'm able to manage my Azure Function App through the Azure CLI in its entirety, minus key management for the Azure Function App (and Functions themselves).

@lindydonna you seem to need a code/key in order to access that api. Is there some other way to authenticate with it?

Using the credentials returned by az ad sp create I came up with this powershell (gets the master key but can probably write too).

    # Service principal credentials (JSON from az ad sp create), read from an environment variable
    $credentials = (ConvertFrom-Json $env:AzureCliLogin)

    $tenant = $credentials.tenant
    $clientId = $credentials.appId
    $clientSecret = $credentials.password
    $subscriptionId = "<subscriptionid>"
    # Placeholders: these two variables are used below but were not defined in the posted snippet
    $resourceGroup = "<resourcegroup>"
    $name = "<functionappname>"

    # Request an Azure AD token for the ARM API (client credentials grant)
    $body = @{
        "grant_type"="client_credentials";
        "client_id"=$clientId;
        "client_secret"=$clientSecret;
        "resource"="https://management.azure.com/"
    }

    $authInfo = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenant/oauth2/token" -Body $body -Method Post -Headers @{"Content-Type"="application/x-www-form-urlencoded"}

    # Fetch the publish profile, which contains the deployment (Kudu) credentials
    $publishData = Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Web/sites/$name/publishxml?api-version=2016-08-01" -Method Post -Headers @{"Authorization"="Bearer $($authInfo.access_token)"}

    $userName = $publishData.publishData.publishProfile[0].userName
    $password = $publishData.publishData.publishProfile[0].userPWD

    $apiBaseUrl = "https://$name.scm.azurewebsites.net/api"
    $siteBaseUrl = "https://$name.azurewebsites.net"

    # For authenticating to Kudu
    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $userName,$password)))

    # Call Kudu /api/functions/admin/token to get a JWT that can be used with the Functions Key API
    $jwt = Invoke-RestMethod -Uri "$apiBaseUrl/functions/admin/token" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method GET

    # Call Functions Key API to get the master key
    $x = Invoke-RestMethod -Uri "$siteBaseUrl/admin/host/systemkeys/_master" -Headers @{Authorization=("Bearer {0}" -f $jwt)} -Method GET

    $masterKey = $x.value

@ahmelsayed can you comment on this - is this something func CLI provides support for already?

I am also interested in this feature. Without the function keys, we can't identify the endpoints.

Adding Functions feature crew to comment on this @davidebbo & @eduardolaureano

Note that there is an ARM API to get the keys: https://github.com/projectkudu/kudu/wiki/Functions-API. Though it doesn't support everything, and we have plans to improve it in the future.

I think the first thing that should happen is have the host keys returned in the result of creating a function app with the cli. Much like when I create storage I get the access keys

Please add this feature. It's required that I be able to completely manage my azure resources via the cli!

@ankitkumarr & @ahmelsayed to comment on this feature request.

After hours I figured out how to do this in an Azure PowerShell task for now and quickly wrote a blog post for those with the same problem: https://blog.rsuter.com/azure-devops-how-to-update-the-azure-function-default-host-key-in-a-powershell-task/

I don't think there are ARM APIs to support these scenarios yet. Once we have those, we can add this ask.

Folks, I will fill the gap through #9490. The command will be az functionapp key list/update/delete. The command signature will be pretty intuitive. You can check out the details through the end to end test included in the PR. Please let me know if you have any comments.

@yugangw-msft we are deploying a new set of APIs that will manage functions keys; I would prefer to wait for this set of APIs to be in production before creating these new commands.

Also note that the keys are for functions, not functionapps, and AFAIK the current (old) API only lists the keys.

The new API work is tracked here https://github.com/Azure/azure-functions-host/issues/3994

Okay, @ahmedelnably, I have backed out the change from my PR. The lesson is we should not have made this issue block the community for such a long time.
Meanwhile, I look forward to seeing you drive your team to address this ask soon.

Reopening as we will be picking this work once the app is deployed to the platform

Reopening as we will be picking this work once the app is deployed to the platform

@ankitkumarr Here's an attempt at what the commands might look like. Let me know what you think:

Function details and keys:

    az functionapp function show --resource-group $RESOURCE_GROUP --name $APP_NAME --slot $SLOT_NAME --function-name $FUNCTION_NAME
    az functionapp function list --resource-group $RESOURCE_GROUP --name $APP_NAME --slot $SLOT_NAME
    az functionapp function keys list --resource-group $RESOURCE_GROUP --name $APP_NAME --slot $SLOT_NAME --function-name $FUNCTION_NAME
    az functionapp function keys set --resource-group $RESOURCE_GROUP --name $APP_NAME --slot $SLOT_NAME --function-name $FUNCTION_NAME --key-name $KEY_NAME --key-value $KEY_VALUE
    az functionapp function keys delete --resource-group $RESOURCE_GROUP --name $APP_NAME --slot $SLOT_NAME --function-name $FUNCTION_NAME --key-name $KEY_NAME

Host keys (unsure how this would work with systemKeys and functionKeys):

    az functionapp keys list --resource-group $RESOURCE_GROUP --name $APP_NAME --slot $SLOT_NAME
    az functionapp keys set --resource-group $RESOURCE_GROUP --name $APP_NAME --slot $SLOT_NAME --key-name $KEY_NAME --key-value $KEY_VALUE
    az functionapp keys delete --resource-group $RESOURCE_GROUP --name $APP_NAME --slot $SLOT_NAME --key-name $KEY_NAME

Yes, the feature is necessary.

Currently, the operation is very manual:

    # Placeholders are quoted so the shell does not parse <value> as a redirection
    SUBSCRIPTION_ID="<value>"
    RESOURCE_GROUP="<value>"
    FUNCTION_APP="<value>"
    FUNCTION_ENDPOINT="<value>"
    FUNCTION_PAYLOAD="<value>"
    # Ask ARM for the host keys and keep only the default function key
    FUNCTION_KEY=$( \
        az rest --method post --uri \
        "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/sites/$FUNCTION_APP/host/default/listKeys?api-version=2018-11-01" \
        --query functionKeys.default --output tsv)
    echo "$FUNCTION_KEY"
    # Call the function with HTTPie, passing the key in the code query parameter
    http POST "https://$FUNCTION_APP.azurewebsites.net/api/$FUNCTION_ENDPOINT?code=$FUNCTION_KEY" $FUNCTION_PAYLOAD
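
Added example, not part of the thread or of azure-cli: the same `listKeys` call as in the comment above, with the key sent in the `x-functions-key` header (which Azure Functions accepts in place of `?code=`) so that it stays out of URLs, shell history and access logs. The helper names, the use of curl instead of HTTPie, the input validation and the sample values are assumptions.

```shell
#!/usr/bin/env bash
# Added example: helper names and sample values are assumptions, not azure-cli code.
API_VERSION="2018-11-01"  # api-version used in the comment above

# Accept only characters that cannot alter the ARM path or query string.
# Deliberately conservative: some valid names (e.g. with parentheses) are rejected.
safe_segment() {
  case "$1" in
    ""|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the host-level listKeys URI for `az rest`.
list_keys_uri() {
  for seg in "$1" "$2" "$3"; do
    safe_segment "$seg" || { echo "invalid segment: $seg" >&2; return 1; }
  done
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s/host/default/listKeys?api-version=%s\n' \
    "$1" "$2" "$3" "$API_VERSION"
}

# Mask the value of a code= query parameter before a URL is logged.
redact_code() {
  printf '%s\n' "$1" | sed -E 's/([?&]code=)[^&#[:space:]]*/\1REDACTED/g'
}

# usage: invoke_function SUB RG APP FUNCTION_NAME JSON_PAYLOAD
# The key goes in the x-functions-key header, which curl reads from stdin (-H @-),
# so it appears neither in the URL nor in curl's argument list.
invoke_function() {
  uri=$(list_keys_uri "$1" "$2" "$3") || return 1
  safe_segment "$4" || return 1
  key=$(az rest --method post --uri "$uri" --query functionKeys.default --output tsv) || return 1
  printf 'x-functions-key: %s\n' "$key" |
    curl --fail --silent --show-error -H @- -H 'Content-Type: application/json' \
         --data "$5" "https://$3.azurewebsites.net/api/$4"
}

# Offline demo on constructed values; invoke_function needs az login and is not called.
list_keys_uri 00000000-0000-0000-0000-000000000000 demo-rg demo-func
redact_code 'POST https://demo-func.azurewebsites.net/api/hello?code=CONSTRUCTED-KEY&x=1'
```

`-H @-` requires curl 7.55.0 or later.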

@anthonychu any visibility in terms of when this feature might see a public release?

No ETA yet. For now please use the direct az rest call @jabrena shared above.
