Get Azure function App Master Key ,Host Key ,By API End Point programmatically

Azure function App has many default templates available to create variety of function app.

One of the very popular one is Azure function app HTTP trigger.

They can be called by they simple HTTP URL and calling those URL executes the Azure function app’s that function and execute the login inside it.

They can be acted as API end point as well along with the default security configuration, the most common one is by passing the API key in either query string or in Header.

For more details on API , refer :

https://github.com/Azure/azure-webjobs-sdk-script/wiki/Http-Functions#authentication-and-authorization

We can discus about security aspects and other details in some other post , but  in this post we will focus as an administrator how can we get the function API keys which can later on be distributed to various developers / client to call the function apps.

In this post we will find how to programmatically access the Azure Function App’s Function API keys like Master Key , Host Key etc.

 

At the end of the post I will have a PowerShell code sample to access function API key , host keys  , however the core idea is to find the correct URL and exposed Function Management/ KUDU APIs.

There are few end points exposed to be called via HTTP get to get these API keys of function app:

 

Function App Key API End points :

To get the Master Key :

https://<your function app name>.scm.azurewebsites.net/api/functions/admin/masterkey

 

 

 

Once you receive the master key you can use this to retrieve the Function key or the Admin Key by following below steps:

 

To Get Function Key, you can go to the URL as follows:

 

https://<FunctionAppname>.azurewebsites.net/admin/functions/<functionname>/KEYS?CODE=<MasterKeyCode>

To access the Admin Key, URL would look like:

https://<your function app name>.azurewebsites.net/admin/HOST/KEYS?CODE=<MasterKeyCode>

 

To see in action , here will be our sequence to get all these :

  • Login to Azure Account by PowerShell / C# .
  • Keep handy the Resource group name and function app name.
  • For that resource group and function App , get the publishing profile credentials.
  • Using Publishing profile credentials, get the bearer token for making the Function App / KUDU management API calls.
  • Using bearer token, call the above mentioned End points in “Function API end point” section to get the various keys.

 

Note : If you are running the API end points from browser , then you  don’t need to go through steps 1 to 4 , as that will automatically be taken care by browser as it will get access token from cookie.

Here is the snippets for PowerShell  :

#
# Script.ps1
#
 
#login to account
Login-AzureRmAccount
 
#set variables for resource group & function app name
 
$resourceGroupName="FunctionAppResourceGroup"
$functionAppNamr="FunctionAppDemoBlog"
 
 
#functions definations
 
#function to get publishing profile
 function Get-PublishingProfileCredentialsAzure($resourceGroupName, $functionAppNamr){   
 
    $resourceType = "Microsoft.Web/sites/config"
    $resourceName = "$functionAppNamr/publishingcredentials"
 
    $publishingCredentials = Invoke-AzureRmResourceAction -ResourceGroupName $resourceGroupName -ResourceType $resourceType -ResourceName $resourceName -Action list -ApiVersion 2015-08-01 -Force
 
    return $publishingCredentials
}
 
#function to get bearer token from publishing profile
function Get-KuduApiAuthorisationHeaderValueAzure($resourceGroupName, $functionAppNamr){
 
    $publishingCredentials = Get-PublishingProfileCredentialsAzure $resourceGroupName $functionAppNamr
 
    return ("Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $publishingCredentials.Properties.PublishingUserName, $publishingCredentials.Properties.PublishingPassword))))
}
 
#function to get the Master Key using End point and passing bearer tocken in Authorization Header
function Get-MasterAPIKey($kuduApiAuthorisationToken, $functionAppNamr ){
 
    $apiUrl = "https://$functionAppNamr.scm.azurewebsites.net/api/functions/admin/masterkey"
    
    $result = Invoke-RestMethod -Uri $apiUrl -Headers @{"Authorization"=$kuduApiAuthorisationToken;"If-Match"="*"} 
     
    return $result
}
 
#function to get the Admin keys
function Get-HostAPIKeys($kuduApiAuthorisationToken, $functionAppNamr, $masterKey ){
     $masterKey
     $apiUrl2 = "https://$functionAppNamr.azurewebsites.net/admin/host/keys?code="
     $apiUrl=$apiUrl2 + $masterKey.masterKey.ToString()
     $apiUrl
     $result = Invoke-WebRequest $apiUrl
    return $result
}
 
 
#Get and print the accesstocken
 
$accessToken = Get-KuduApiAuthorisationHeaderValueAzure $resourceGroupName $functionAppNamr
$accessToken
 
#get master key
$masterKey=Get-MasterAPIKey $accessToken $functionAppNamr
 
#get host key
 
$allkeys=Get-HostAPIKeys $accessToken $functionAppNamr $masterkey
$keysCode =  $allkeys.Content | ConvertFrom-Json
 
Write-Host "default Key = " $keysCode.Keys[0].Value
 
#end
Like This (4)
Dislike This (0)

Leave a Reply

Your email address will not be published. Required fields are marked *