在部署时从Azure函数获取Azure函数键吗? [英] Get Azure Function keys from an Azure Function at deployment time?
问题描述
I'm sending an email in Azure Functions using the SendGrid bindings. As part of the contents of that email, I'd like to include a link to one of the HTTP methods in the Azure Functions instance for more information. I have all my HTTP functions secured with AuthorizationLevel.Function.
我已经看到了在PowerShell中从ARM和Kudu删除密钥的解决方案(和使用以下命令输出密钥的解决方案只是ARM ,但是它们都依赖于我的Azure函数没有的东西:对ARM(Azure资源管理)API的权限.
I've seen a solution for scraping the keys from ARM and Kudu in PowerShell (and this one) and a solution to output the keys with just ARM, but these both rely on having something my Azure Functions do not: permissions to the ARM (Azure Resource Management) APIs.
我还找到了 Azure功能的键管理API主机,它完全可以在本地运行,但是一旦部署Azure功能,我不知道如何摆脱 401 Unauthorized .我可以使用 _master 功能键手动克服它,但是我又回到了不知道如何在运行时获取该键的地方.
I also found the Key management APIs for the Azure Functions host which works exactly as I want locally, but I don't know how to get past the 401 Unauthorized once the Azure Functions are deployed. I can get past it manually with the _master function key, but then I'm back to not knowing how to get that key at runtime.
问题是这样的:是否可以通过某种方式在运行时从Azure函数主机获取Azure函数的密钥?我非常希望不需要ARM权限来做到这一点.
The question is this: Is it possible to get the key for an Azure Function at runtime from the Azure Function Host somehow? I would very much prefer to not need ARM permissions to do that.
推荐答案
要使用ARM模板在CI管道中执行此操作,您需要确保密钥库和启动功能在同一资源组中.
To do this in a CI pipeline using ARM templates you need to ensure you key vault and function up are in the same resource group.
- 使用ARM部署功能应用程序
- 将该功能部署到功能应用程序-更新此代码以从keyvault中查找密钥,就像您提到的那样,您对SendGrid API密钥所做的一样
-
将以下内容作为ARM模板运行,确保以增量的身份运行.这将从指定的函数中获取密钥,并将其放入所需的密钥库中.
- Deploy your function app using ARM
- Deploy the function to the function app - update this code to look for the key from keyvault as you've mentioned you do for your SendGrid API Key
Run the below as an ARM template ensuring it is run as incremental. This will get the key from the named function and put it into the desired key vault.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"functionAppName":: {
"type": "string",
"metadata": {
"description": "The name of the function app that you wish to get the key from."
}
},
"functionName": {
"type": "string",
"metadata": {
"description": "The name of the function that you wish to get the key from."
}
},
"keyVaultName": {
"type": "string",
"metadata": {
"description": "The name of the key vault you wish to put the key in."
}
}
},
"variables": {
"functionAppName": "[parameters('functionAppName')]",
"keyVaultName": "[parameters('keyVaultName')]",
"functionName": "[parameters('functionName')]"
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(variables('keyVaultName'),'/', variables('functionAppName'))]",
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[listsecrets(resourceId('Microsoft.Web/sites/functions', variables('functionAppName'), variables('functionName'),'2015-08-01').key]"
},
"dependsOn": []
}
]
}
这篇关于在部署时从Azure函数获取Azure函数键吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
