Get Azure Function host key in an ARM deployment template

Mikhail Chatillon
Sep 2, 2018 · 2 min read

I am currently working on an IoT project where we aim to enable LoRaWAN devices to communicate directly with Azure. The payloads of these devices are typically encoded very differently depending on payload type, manufacturer, and so on. We therefore needed to provide a plug-and-play mechanism enabling our code to call different decoding methods using the same authentication key.

We decided to use Azure Functions to implement those decoders because of their serverless nature (we don’t always need a given decoder running). Functions are typically protected by a key that you can pass either as a query string (e.g. https://FUNCTION_NAME.azurewebsites.net/api/functionname?code=YOUR_CODE) or as a header (x-functions-key: YOUR_CODE).

There are four different key authentication methods:

  • Anonymous : Anyone can call the given function.
  • Function key : A key used to authenticate at a function level.
  • Host key : A key shared by all the functions hosted on a given function app.
  • Master key : This key provides administrative access to the runtime API.

Given our current problem, only the Host key or the Master key can be used to authenticate across the full function application. However, the documentation advises against using the Master key, as it provides very high administrative power (and as they say: with great power comes great responsibilities).

For all the reasons above, we used the Host key as the authentication method. However, another problem arose when we had to build an ARM template to deploy our infrastructure to Azure. There is currently no way for an ARM template to get the Host keys at deployment time; it is currently only possible to get keys at the function level, and this was not an option for us.

We then used the pattern I described in a previous blog post to call a function from a linked template to resolve the master key programmatically using the Kudu API. You need to authenticate by providing your deployment credentials, which you have access to in your ARM template and can therefore provide as arguments to your function. Here is the function code, largely inspired by this great Stack Overflow answer and only adapted to get the input from the ARM template.

Code inspired by this Stack Overflow answer, adapted to take its input from and return its output to the ARM template.

You will be able to use the function host key within your function code; moreover, the function will output your function key as an ARM-template-compatible string, so you will be able to reference it inside your main ARM template. As you can see in the ARM snippet below, the initial function call is secured because I am using the getKeys function key, so a third party can’t call this function without having access to my function key.

ARM template of the sub-template calling the function. Note that the way we build the function URI keeps it secured from external access.

You can find the full code of this project here: http://www.github.com/mandur/Kainuu, with a demo template that outputs the host key in your main ARM template deployment.
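The flow the function follows (deployment credentials to Kudu token, token to host keys, key wrapped as an ARM template), sketched in Python as an added example. It is not the author's code from the Kainuu repository; the endpoint paths and response shapes are assumptions based on the Kudu and Functions runtime admin APIs, and the function names, the `hostKey` output name and the sample values are hypothetical.

```python
import base64
import json
import urllib.request

ARM_SCHEMA = ("https://schema.management.azure.com/schemas/"
              "2015-01-01/deploymentTemplate.json#")

def token_request(app, user, password):
    """Step 1: ask Kudu (the .scm. site) for a short-lived runtime JWT,
    authenticating with the deployment credentials over HTTP Basic."""
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{app}.scm.azurewebsites.net/api/functions/admin/token",
        headers={"Authorization": f"Basic {basic}"})

def host_keys_request(app, token_body):
    """Step 2: the token arrives as a quoted JSON string (assumed shape);
    unwrap it and present it as a bearer token to the runtime admin API."""
    jwt = json.loads(token_body)
    return urllib.request.Request(
        f"https://{app}.azurewebsites.net/admin/host/keys",
        headers={"Authorization": f"Bearer {jwt}"})

def pick_host_key(keys_body, name="default"):
    """Step 3: select one named host key from the response (assumed shape:
    {"keys": [{"name": ..., "value": ...}]})."""
    for key in json.loads(keys_body).get("keys", []):
        if key.get("name") == name:
            return key["value"]
    raise KeyError(f"no host key named {name!r}")

def arm_output(host_key):
    """Step 4: wrap the key in a resource-less ARM template so the parent
    deployment can read it from the linked template's outputs."""
    return json.dumps({
        "$schema": ARM_SCHEMA, "contentVersion": "1.0.0.0", "resources": [],
        "outputs": {"hostKey": {"type": "string", "value": host_key}}})

def fetch(request):
    """Send a prepared request; the only function that touches the network."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Constructed sample responses, so the demo runs offline.
    req = host_keys_request("myapp", '"constructed.jwt.value"')
    print(req.full_url, req.get_header("Authorization"))
    body = '{"keys": [{"name": "default", "value": "CONSTRUCTED-HOST-KEY"}]}'
    print(arm_output(pick_host_key(body)))
```

A value returned as a `string` output is readable in the deployment history of the resource group, so access to that history should be treated as access to the key.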

Mikhail Chatillon

Software Engineer at Microsoft in Switzerland. I love technology, video games and chocolate. Articles reflect my own opinion only.
