I want to read and update Azure Function host keys via the HTTP API on Kudu/SCM.
I can read the "master key" using
GET functionname.scm.azurewebsites.net/api/functions/admin/masterKey
with Basic authentication using the publishing profile credentials.
That key does not give me access to the key management API.
Requests such as
GET functionname.azurewebsites.net/admin/host/keys?code=<masterkey>
fail with code 401.
This works in some functions we have, but not in others. It doesn't seem to be a functions v1 vs v2 issue. A v2 function in our dev environment doesn't work, while the same function in our test environment works.
I've tried deleting host.json from D:\home\data\functions\secrets. It's been recreated, and the key I get back from the SCM masterKey URL above is the new key from that file, but it still doesn't work. I've also tried restarting the function app.
I can reproduce this using the PowerShell script below for my own function apps and resource groups (tested with function apps on V2, release 2.0.12050.0).
To reproduce, just invoke Get-FunctionKeysFromKudu with your resource group, app name and function name.
It appears that it gets an invalid master key.
I believe it may be related to issue #3411 (listSecrets being broken in the recent V2 2.0.12050.0 release).
function Get-PublishingProfileCredentialsAzure($resourceGroupName, $functionAppName) {
    <#
    .SYNOPSIS
    Get the publishing profile credentials for the function app from Azure Resource Manager.
    #>
    $resourceType = "Microsoft.Web/sites/config"
    $resourceName = "$functionAppName/publishingcredentials"
    return Invoke-AzureRmResourceAction -ResourceGroupName $resourceGroupName -ResourceType $resourceType -ResourceName $resourceName -Action list -ApiVersion 2015-08-01 -Force
}

function Get-KuduApiAuthorisationHeaderValueAzure($resourceGroupName, $functionAppName) {
    <#
    .SYNOPSIS
    Build the Basic authentication header value for Kudu/SCM from the publishing profile credentials.
    #>
    $publishingCredentials = Get-PublishingProfileCredentialsAzure $resourceGroupName $functionAppName
    return ("Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $publishingCredentials.Properties.PublishingUserName, $publishingCredentials.Properties.PublishingPassword))))
}

function Get-MasterAPIKey($kuduApiAuthorisationToken, $functionAppName) {
    <#
    .SYNOPSIS
    Get the Master Key for the function app from its management API.
    #>
    $apiUrl = [System.Uri]"https://$functionAppName.scm.azurewebsites.net/api/functions/admin/masterkey"
    $headers = @{
        "Authorization" = $kuduApiAuthorisationToken
        "If-Match"      = "*"
    }
    return Invoke-RestMethod -Uri $apiUrl -Headers $headers
}

function Get-FunctionKeysFromKudu ($resourceGroupName, $functionAppName, $functionName) {
    # $functionName is accepted but not used: the request below lists host-level keys.
    $accessToken = Get-KuduApiAuthorisationHeaderValueAzure $resourceGroupName $functionAppName
    $masterKey = Get-MasterAPIKey $accessToken $functionAppName
    $masterStr = $masterKey.masterKey.ToString()
    $uri = [System.Uri]"https://$functionAppName.azurewebsites.net/admin/host/keys?code=$masterStr"
    # Note: this writes the full URI, including the master key, to the console.
    Write-Host "Requesting keys from", $uri
    ## THIS FAILS with HTTP status 401 since the master key is not valid
    $result = Invoke-RestMethod -Uri $uri
    return $result
}
Is there any update on this?