How can I get Azure Functions keys from Bicep

Question

I have the following code to create an Azure Function App with Bicep lang

resource webSite 'Microsoft.Web/sites@2022-03-01' = {
  name: 'xxxxxx'
  location: resourceGroup().location
  kind: 'functionapp'
  properties: {
    serverFarmId: 'zzzzzz'
    siteConfig: {     
      appSettings: [
        // some values
      ]
    }
  }
}

Then I need to get the host keys like 'master' or 'default' key

I tried some options like

resource functionApp 'Microsoft.Web/sites/functions@2022-03-01' existing = { name: 'xxxxxx' }

output key string = functionApp.listkeys().properties.masterKey

or

output key string = listKeys(resourceId('Microsoft.Web/sites/host', 'xxxxxx', 'default'), '2022-03-01').masterKey

But I allways receive an error from Azure with this message Encountered an error (BadGateway) from host runtime.

There are a way to get the keys easily?

To get the keys do I need to deploy a function inside my Function App?

Curiously, the same approach with AZ CLI returns the same result `az functionapp function keys list --function-name myFunctionName --resource-group myResourceGroup --name myFunctionName` returns `Operation returned an invalid status 'Bad Request'` and, from Activity log I read `Encountered an error (BadGateway) from host runtime.` — Sergio, Feb 23 '23 at 14:16
You you try that: https://stackoverflow.com/a/69254407/4167200 ? — Thomas, Mar 05 '23 at 00:01
@Sergio did one of the answers help solve your problem? If so, please consider accepting the answer. — Alex AIT, Mar 07 '23 at 08:15

score 3 · Answer 1 · answered Mar 02 '23 at 11:24

To get the Azure functionApp/function keys, I tried the below approaches and it worked for me.

Using Az CLI:

Use below command to retrieve the function app keys and their secret values in Azure Bash:

az functionapp keys list -g <resourcegroup> -n <functionappname>

Output:

enter image description here

Use below command to retrieve the function keys and their secret values in Azure Bash:

az functionapp function keys list -g <resourcegroup> -n <functionappname> --function-name <functionname>

Output:

enter image description here

Bicep code:

I also tried by creating a bicep configuration file in my environment with the below script as follows:

param  functionApp  string
resource  appKeys  'Microsoft.Web/sites/functions@2022-03-01'  existing ={
name: functionApp
}
output key object = listkeys(concat(resourceId('Microsoft.Web/sites', functionApp), '/host/default/'),'2021-02-01').masterKey

Build succeeded by using below command:

bicep build < filename >:

enter image description here

Note: But in bicep, output should not have secret values according to the linter rule code as detailed in MSDoc.

Alternatively, you can refer SO given by @Shui shengbao to list the function keys with ARM json template.

score 1 · Answer 2 · answered Mar 02 '23 at 16:33

The error is indicative of a storage account access issue.

Please check your appsettings. You can also see if you can show the keys using Azure Portal.

AzureWebJobsStorage should be a valid connection string and the account accessible (VNETs etc.)
If WEBSITE_RUN_FROM_PACKAGE is set, make sure your function code is also deployed correctly and working

A valid bicep code to get the keys:

output key string = listkeys('${functionApp.id}/host/default', '2022-03-01').masterKey

Note that listkeys('${functionApp.id}/host/xxxx/default' ... is incorrect. You don't need xxxx there. If you need the key of a slot you can use output key2 string = listkeys('${functionApp.id}/slots/${slotname}/host/default', ...

If WEBSITE_RUN_FROM_PACKAGE == 1 do I need to deploy the function App before get the keys? — Sergio, Mar 09 '23 at 09:39
@Sergio from what I read it would be advisable to only set this when you are about to deploy the function app. You can get issues getting the keys if did not deploy any content yet but have already set the flag. — Alex AIT, Mar 09 '23 at 09:43

How can I get Azure Functions keys from Bicep

2 Answers2