




I am trying to script an environment using the Azure cli. I have created a few function apps and would like to add a host key or at least retrieve the default one that is created automatically. The azure cli has no support at all for this.


There seems to be an api (documentation for it seems to be sparse) on the function itself that allows me to get the keys, however you need a key to use it so.. no help there.


For example: https://example-functions.azurewebsites.net/admin/host/keys?code=somecodeyoureadyknow


I have seen some other examples that use the webapps scm api to download the json file that contains the keys however I'm not sure how to authenticate with this API. I have a service principal (userid, password, tenantid) and I was hoping to not have to add another authentication scheme to my script.



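  1. Assume you already have your Kudu deployment credentials. (It sounds like you already know how to do this. You can get them via an ARM call from your service principal, etc.)
  2. From the Kudu deployment credentials, you can get a JWT that lets you call the Functions key API.
  3. From the Functions API, you can get all your keys (including your master key).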


Here's a powershell script that demonstrates the exact calls to go from Kudu deployment creds to Function Master key:

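# You need to start with these (placeholder values; use your site's Kudu deployment credentials):
$site = "YourSiteName"
$username = "YourKuduUsername"   # Kudu deployment user name
$password = "YourKuduPassword"   # Kudu deployment password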

# Now...
$apiBaseUrl = "https://$($site).scm.azurewebsites.net/api"
$siteBaseUrl = "https://$($site).azurewebsites.net"

# For authenticating to Kudu
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))

# Call Kudu /api/functions/admin/token to get a JWT that can be used with the Functions Key API
$jwt = Invoke-RestMethod -Uri "$apiBaseUrl/functions/admin/token" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method GET

# Call Functions Key API to get the master key
$x = Invoke-RestMethod -Uri "$siteBaseUrl/admin/host/systemkeys/_master" -Headers @{Authorization=("Bearer {0}" -f $jwt)} -Method GET

$masterKey = $x.value


08-19 01:27
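
Step 1 of the list above, filled in with the Azure CLI and a service principal and then chained into the answer's two calls. This is an added example, not part of the original answer; the resource group name, the site name and the `SP_*` environment variable names are placeholders chosen here.

```powershell
# Added example: service principal -> Kudu publishing credentials -> JWT -> master key.
$ErrorActionPreference = 'Stop'

$site          = 'YourSiteName'        # placeholder
$resourceGroup = 'YourResourceGroup'   # placeholder (assumption: group that holds the function app)

# Keep the service principal secret out of the script file. SP_APP_ID, SP_PASSWORD and
# SP_TENANT_ID are hypothetical environment variable names set by the pipeline or operator.
az login --service-principal --username $env:SP_APP_ID --password $env:SP_PASSWORD `
    --tenant $env:SP_TENANT_ID --output none
if ($LASTEXITCODE -ne 0) { throw 'az login failed' }

try {
    # Step 1: ARM call that returns the site's Kudu publishing credentials.
    $credsJson = az webapp deployment list-publishing-credentials `
        --name $site --resource-group $resourceGroup `
        --query '{user: publishingUserName, pass: publishingPassword}' --output json
    if ($LASTEXITCODE -ne 0) { throw 'could not read publishing credentials' }
    $creds = $credsJson | Out-String | ConvertFrom-Json

    # Step 2: exchange the Kudu credentials for a short-lived JWT.
    $pair  = '{0}:{1}' -f $creds.user, $creds.pass
    $basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $jwt   = Invoke-RestMethod -Method GET `
        -Uri "https://$site.scm.azurewebsites.net/api/functions/admin/token" `
        -Headers @{ Authorization = "Basic $basic" }

    # Step 3: read the master key with the JWT as a bearer token.
    $resp = Invoke-RestMethod -Method GET `
        -Uri "https://$site.azurewebsites.net/admin/host/systemkeys/_master" `
        -Headers @{ Authorization = "Bearer $jwt" }
    if (-not $resp.value) { throw 'key API returned no value' }
    $masterKey = $resp.value

    # The master key grants admin access to the function host: hand it to a secret
    # store or the next step, and log only that it was retrieved, never its value.
    Write-Host ("Retrieved master key for {0} ({1} characters)" -f $site, $masterKey.Length)
}
finally {
    # Drop the credentials from memory and end the CLI session even on failure.
    Remove-Variable creds, pair, basic, jwt -ErrorAction SilentlyContinue
    az logout
}
```

The publishing credentials, the JWT and the master key are all secrets, so run this with transcript and verbose logging disabled.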