Azure-functions-host: Unable to Retrieve the Azure function keys for functions created in version 2.0
Scenario: We have an Ibiza blade (Iot hUB) )where we are showing a list of all the azure functions in a selected subscription. When selecting the azure function, we are fetching the azure function key. Here is the URI we are using to fetch the key https://myfunctionAppName.scm.azurewebsites.net/api/functions/admin/masterkey
This worked perfectly with the Azure function runtime version 1.0.
But recently with the runtime version 2.0 we started getting 409 error.
_{"Message":"An error has occurred.","ExceptionMessage":"Runtime keys are stored on blob storage. This API doesn't support this configuration. Please change Environment variable AzureWebJobsSecretStorageType value to 'Files'. For more info, visit https://aka.ms/funcsecrets","ExceptionType":"System.InvalidOperationException","StackTrace":" at Kudu.Core.Functions.FunctionManager.
I came across this document https://github.com/Azure/azure-functions-host/wiki/Key-management-API but realize that these API requires some auth token, may be because with 2.0 we are moved to a blob storage for keys.
After more finding I found there is a KUDU API to generate the auth token before retrieving the keys. So now I am making following calls
- Kudu Auth: -https://myfunctionAppName.scm.azurewebsites.net/api/functions/admin/token
- Get KEY:- https://myfunctionAppName.azurewebsites.net/admin/functions/myfunctionName/keys
Kudu API calls work fine and I GET the token. But when passing the token to second API, I am seeing following error.
Security issue: Request to send auth token to untrusted domain 'askhura-custom-allocation-app.scm.azurewebsites.net'. Only a fixed set of domains should be configured to receive auth tokens.
Investigative information
Please provide the following:
- Timestamp:
- Function App version (1.0 or 2.0): 2.0
- Function App name: askhura-custom-allocation-app
- Function name(s) (as appropriate): HttpTrigger1
- Invocation ID:
- Region:
Repro steps
Provide the steps required to reproduce the problem:
ashokkhurana
All 15 comments
@alrod / @fabiocav -- any ideas on this one?
brettsam
on 12 Nov 2018
@paulbatum will reply in email thread
alrod
on 13 Nov 2018
Closing this as there was a direct follow up.
fabiocav
on 14 Nov 2018
matt2323
on 17 Dec 2018
@fabiocav @paulbatum
Could you share the recommended workaround that was shared offline here, please?
danielstocker
on 29 Jan 2019
@fabiocav @paulbatum
Could you please share the work around? Facing the same issue here!
Gayathri92
on 1 Feb 2019
@ashokkhurana I have deleted your comment, it included references to private APIs.
paulbatum
on 1 Feb 2019
Anyone on this issue that recieved those details - please don't use those APIs unless you're on another Microsoft team and are in touch with me. Otherwise you might find that they randomly start breaking at some point in the future.
paulbatum
on 1 Feb 2019
I should add, the original issue filed here is about some details around the implementation of some Azure portal UX. Some of the other replies on this issue are "me too" replies, but I assume the scenario is different. If you can reply here and explain your actual scenario, I can try to help.
paulbatum
on 1 Feb 2019
Hello Paul,
I'm trying to link azure alerts to my azure function App. When I click on
save, Throws me this error:
[image: Screen Shot 2019-02-05 at 1.38.18 PM.png]
Regards!
Gayathri Muralidharan.
Never. Stop. Learning.
On Thu, Jan 31, 2019 at 4:20 PM Paul Batum notifications@github.com wrote:
I should add, the original issue filed here is about some details around
the implementation of some Azure portal UX. Some of the other replies on
this issue are "me too" replies, but I assume the scenario is different. If
you can reply here and explain your actual scenario, I can try to help.—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/Azure/azure-functions-host/issues/3767#issuecomment-459558383,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AVd4dA-55wi7j5pqN4TSn6o7-SekfNsJks5vI4hHgaJpZM4YaV-c
.
Gayathri92
on 5 Feb 2019
@Gayathri92 your image did not make it. Can you reshare? Also I am not familiar with the process of linking azure alerts to a function app, so if you can include some more detail it might help.
paulbatum
on 5 Feb 2019
Hello Paul,
Steps to reproduce:
1) Click on Monitoring
[image: Screen Shot 2019-02-05 at 2.35.53 PM.png]
2) Click on Alerts
3) Click on "Create New Alert"
4) In the action Group, you can link your azure function( To perform some
computation when the alert is raised). That's when I get the issue.
[image: Screen Shot 2019-02-05 at 2.36.14 PM.png]
[image: Screen Shot 2019-02-05 at 1.38.18 PM.png]
Regards!
Gayathri Muralidharan.
Never. Stop. Learning.
On Tue, Feb 5, 2019 at 2:01 PM Paul Batum notifications@github.com wrote:
@Gayathri92 https://github.com/Gayathri92 your image did not make it.
Can you reshare? Also I am not familiar with the process of linking azure
alerts to a function app, so if you can include some more detail it might
help.—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/Azure/azure-functions-host/issues/3767#issuecomment-460821308,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AVd4dPFt_INqUTp9XVX59ON2KlXF8Uuwks5vKf86gaJpZM4YaV-c
.
Gayathri92
on 5 Feb 2019
I am facing a similar issue, when referencing a deployed function (v2) and reading the API key from the listkeys function in my arm template deployment. It used to work when my function was in v1.
This is the piece of arm template:
[listsecrets(resourceId('Microsoft.Web/sites/functions', variables('site_name'), variables('function_trigger_name')),'2015-08-01').key]
The error I get is the following:
"error": {
"code": "Conflict",
"message": "System.InvalidOperationException: Runtime keys are stored on blob storage. This API doesn't support this configuration. Please change Environment variable AzureWebJobsSecretStorageType value to 'Files'. For more info, vi
sit https://aka.ms/funcsecrets\r\n at Kudu.Core.Functions.FunctionManager.<GetKeyObjectFromFile>d__9`1.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Core\\Functions\\FunctionManager.cs:line 141\r\n--- End of stack trace fro
m previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task
)\r\n at Kudu.Core.Functions.FunctionManager.<GetFunctionSecretsAsync>d__12.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Core\\Functions\\FunctionManager.cs:line 220\r\n--- End of stack trace from previous location where e
xception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Kudu.Services.Fu
nctions.FunctionController.<GetSecrets>d__12.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Services\\Functions\\FunctionController.cs:line 141"
}
SamVanhoutte
on 7 Feb 2019
If you follow the link in the error message, most of it is explained there:
https://aka.ms/funcsecrets
Until we release ARM API updates, the best workaround is to switch the key storage back to files mode. Be aware that if you do this all your keys will be reset and you won't be able to use the slots feature set (the incompatibility between file based key storage and slots is the main reason that we changed the default).
paulbatum
on 7 Feb 2019
@paulbatum So when will it be implemented in ARM API?
M0ns1gn0r
on 6 Dec 2019
Related issues
yvele
·
3Comments
krillehbg
·
3Comments
justinyoo
·
3Comments
silencev
·
3Comments
mathewc
·
4Comments
Most helpful comment
https://xkcd.com/979/