Unable to Retrieve the Azure function keys for functions created in version 2.0 #3767

Closed
ashokkhurana opened this issue Nov 12, 2018 · 15 comments

Comments

@ashokkhurana

Scenario: We have an Ibiza blade (IoT Hub) where we are showing a list of all the Azure functions in a selected subscription. When selecting the Azure function, we are fetching the Azure function key. Here is the URI we are using to fetch the key: https://myfunctionAppName.scm.azurewebsites.net/api/functions/admin/masterkey

This worked perfectly with the Azure function runtime version 1.0.

But recently with the runtime version 2.0 we started getting a 409 error.

{"Message":"An error has occurred.","ExceptionMessage":"Runtime keys are stored on blob storage. This API doesn't support this configuration. Please change Environment variable AzureWebJobsSecretStorageType value to 'Files'. For more info, visit https://aka.ms/funcsecrets","ExceptionType":"System.InvalidOperationException","StackTrace":" at Kudu.Core.Functions.FunctionManager.d__9`1.MoveNext() in C:\Kudu Files\Private\src\master\Kudu.Core\Functions\FunctionManager.cs:line 141\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Kudu.Core.Functions.FunctionManager.d__11.MoveNext() in C:\Kudu Files\Private\src\master\Kudu.Core\Functions\FunctionManager.cs:line 213\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Kudu.Services.Functions.FunctionController.d__11.MoveNext() in C:\Kudu Files\Private\src\master\Kudu.Services\Functions\FunctionController.cs:line 121"}

I came across this document https://github.com/Azure/azure-functions-host/wiki/Key-management-API but realized that these APIs require some auth token, maybe because with 2.0 we have moved to blob storage for keys.

After more searching I found there is a Kudu API to generate the auth token before retrieving the keys. So now I am making the following calls:

  1. Kudu Auth: https://myfunctionAppName.scm.azurewebsites.net/api/functions/admin/token
  2. Get key: https://myfunctionAppName.azurewebsites.net/admin/functions/myfunctionName/keys

Kudu API calls work fine and I get the token. But when passing the token to the second API, I am seeing the following error.

Security issue: Request to send auth token to untrusted domain 'askhura-custom-allocation-app.scm.azurewebsites.net'. Only a fixed set of domains should be configured to receive auth tokens.

Investigative information

Please provide the following:

  • Timestamp:
  • Function App version (1.0 or 2.0): 2.0
  • Function App name: askhura-custom-allocation-app
  • Function name(s) (as appropriate): HttpTrigger1
  • Invocation ID:
  • Region:

Repro steps

Provide the steps required to reproduce the problem:

Getting the error pasted above from my Ibiza blade.
Tried to do the same steps in a C# console app. The error I got was an unhandled exception that the connection was forcibly closed by the remote host, so I didn't get the exact error.

Note: I am able to run the above two APIs without any issue in Postman.

Expected behavior

Provide a description of the expected behavior.

Actual behavior

Provide a description of the actual behavior observed.

Known workarounds

Provide a description of any known workarounds.

Related information

Provide any related information
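
The "untrusted domain" error quoted in this post is what a client-side guard produces when it refuses to attach an auth token to a host outside a fixed allowlist. A sketch of such a guard follows, as an added example that is not part of the original post and not the portal's code; the allowlist entry and all function names are assumptions.

```javascript
// Added example (not the portal's implementation): decide whether a bearer
// token may be attached to an outbound request. Names and list are assumed.
const TRUSTED_TOKEN_HOSTS = new Set([
  'management.azure.com', // constructed allowlist entry for illustration
]);
// Deliberately no "*.azurewebsites.net" rule: app names under that shared
// domain are chosen by customers, so a suffix match would trust any tenant.

function tokenTargetHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return null;                                    // unparseable: never trusted
  }
  if (url.protocol !== 'https:') return null;       // no tokens over cleartext
  if (url.username || url.password) return null;    // reject "trusted@other-host"
  return url.hostname.toLowerCase().replace(/\.$/, ''); // drop trailing root dot
}

function isTrustedTokenTarget(rawUrl) {
  const host = tokenTargetHost(rawUrl);
  return host !== null && TRUSTED_TOKEN_HOSTS.has(host); // exact match only
}

function describeHost(rawUrl) {
  // Report only the host, so query strings never end up in error logs.
  try {
    return new URL(rawUrl).hostname;
  } catch (e) {
    return '(unparseable URL)';
  }
}

function authHeadersFor(rawUrl, token) {
  if (!isTrustedTokenTarget(rawUrl)) {
    // Fail closed and name the host so the caller can see what was blocked.
    throw new Error(
      `Refusing to send auth token to untrusted domain '${describeHost(rawUrl)}'`);
  }
  return { Authorization: `Bearer ${token}` };
}
```
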

@brettsam
Member

@alrod / @fabiocav -- any ideas on this one?

@alrod
Member

alrod commented Nov 12, 2018

@paulbatum will reply in email thread

@fabiocav
Member

Closing this as there was a direct follow up.

@matt2323

https://xkcd.com/979/

@danielstocker

@fabiocav @paulbatum

Could you share the recommended workaround that was shared offline here, please?

@Gayathri92

@fabiocav @paulbatum
Could you please share the workaround? Facing the same issue here!

@Azure deleted a comment from ashokkhurana on Feb 1, 2019
@paulbatum
Member

@ashokkhurana I have deleted your comment, it included references to private APIs.

@paulbatum
Member

Anyone on this issue that received those details - please don't use those APIs unless you're on another Microsoft team and are in touch with me. Otherwise you might find that they randomly start breaking at some point in the future.

@paulbatum
Member

I should add, the original issue filed here is about some details around the implementation of some Azure portal UX. Some of the other replies on this issue are "me too" replies, but I assume the scenario is different. If you can reply here and explain your actual scenario, I can try to help.

@Gayathri92

Gayathri92 commented Feb 5, 2019 via email

@paulbatum
Member

@Gayathri92 your image did not make it. Can you reshare? Also I am not familiar with the process of linking azure alerts to a function app, so if you can include some more detail it might help.

@Gayathri92

Gayathri92 commented Feb 5, 2019 via email

@SamVanhoutte

I am facing a similar issue when referencing a deployed function (v2) and reading the API key from the listkeys function in my ARM template deployment. It used to work when my function was in v1.

This is the piece of ARM template:
[listsecrets(resourceId('Microsoft.Web/sites/functions', variables('site_name'), variables('function_trigger_name')),'2015-08-01').key]

The error I get is the following:

"error": {
    "code": "Conflict",
    "message": "System.InvalidOperationException: Runtime keys are stored on blob storage. This API doesn't support this configuration. Please change Environment variable AzureWebJobsSecretStorageType value to 'Files'. For more info, visit https://aka.ms/funcsecrets\r\n   at Kudu.Core.Functions.FunctionManager.<GetKeyObjectFromFile>d__9`1.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Core\\Functions\\FunctionManager.cs:line 141\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Kudu.Core.Functions.FunctionManager.<GetFunctionSecretsAsync>d__12.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Core\\Functions\\FunctionManager.cs:line 220\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Kudu.Services.Functions.FunctionController.<GetSecrets>d__12.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Services\\Functions\\FunctionController.cs:line 141"
}

@paulbatum
Member

If you follow the link in the error message, most of it is explained there:
https://aka.ms/funcsecrets

Until we release ARM API updates, the best workaround is to switch the key storage back to files mode. Be aware that if you do this all your keys will be reset and you won't be able to use the slots feature set (the incompatibility between file based key storage and slots is the main reason that we changed the default).

@M0ns1gn0r

@paulbatum So when will it be implemented in ARM API?

@ghost locked as resolved and limited conversation to collaborators on Jan 5, 2020