Azure Function keys - what are those and how to access them

3 minute read

Usage of keys in Azure Functions

Azure Functions offer three levels of authorization:

anonymous: no key is required
function: a function-specific or a host key is required
admin: the master key is required

Function access keys are the simple way to protect an Azure Function from unauthorized access. You can provide the access key in the code query parameter or in the x-functions-key HTTP header when accessing a function. There are two access scopes for function-level keys:

function: these keys apply only to the specific functions under which they are defined
host: keys with a host scope can be used to access all functions within the function app

The master key also provides access to all functions within the function app and administrative access to the runtime REST APIs. As a best practice, never use the master key in client applications to access an Azure Function.

One particular type of key, named system key, is used by extensions installed in the Azure Function, such as Event Grid and Durable Functions.

How to get the keys value?

In the examples below, the following applies:

rg-functions-test - resource group where the function app is deployed
aztosotest - the name of the function app
Hello - the name of the function

Azure Portal

After opening the Function App in the portal, you can view the host and system keys by selecting App keys from the left sidebar:

Desktop View

To view the function-specific keys, open the function and chose Function Keys from the left sidebar:

Desktop View

ARM template

Note: if the function is deployed in a different resource group, you need to specify the resource group name as a first parameter in the resourceId function

Host(default) key:

listkeys(concat(resourceId('Microsoft.Web/sites', 'aztosotest'), '/host/default/'),'2021-02-01').functionKeys.default

Master key:

listkeys(concat(resourceId('Microsoft.Web/sites', 'aztosotest'), '/host/default/'),'2021-02-01').masterKey

System key (named durabletask_extension):

listkeys(concat(resourceId('Microsoft.Web/sites', 'aztosotest'), '/host/default/'),'2021-02-01').systemkeys.durabletask_extension

Function-specific key:

listKeys(resourceId('Microsoft.Web/sites/functions', 'aztosotest', 'Hello'),'2021-02-01').default

Azure CLI

To get the host, master, and system key, use the following command:

az functionapp keys list -g rg-functions-test -n aztosotest

{
  "functionKeys": {
    "default": "68ahyfSAT2PF5HfIuGMyc8Bv6NErsFxnk6lT0l2fYacYCnVameOAmw=="
  },
  "masterKey": "N4O1a4ng/gLemQEiDFF9HUpNznT/pFGNSnTj4jQXVOhvZAa8MivuOg==",
  "systemKeys": {
    "durabletask_extension": "DtieTxAOV5x76Zfv6NWBqbbW3/u4YiHVhycZfPgn2VIgkcPAGP8kaA=="
  }
}

The following command will list the function-specific keys:

az functionapp function keys list -g rg-functions-test -n aztosotest --function-name Hello

{
  "default": "ukRsq3yoeayz5ELYgTGK3fbU3yfbHXavy5m9Y6ci0ZSykqFYUxyd3Q==",
  "id": null,
  "kind": null,
  "name": null,
  "properties": null,
  "systemData": null,
  "type": null
}

Share on

Twitter Facebook LinkedIn

Aleksandar Stefanov

Azure Function keys - what are those and how to access them

Usage of keys in Azure Functions

How to get the keys value?

Azure Portal

ARM template

Azure CLI

Share on

You may also enjoy

Managed Identities vs Service Principals - when to use what ?

How to get the System Assigned Managed Identity Object Id from within the VM?

Deep dive into Azure Container Apps - Operating, security, reliability and pricing

Deep dive into Azure Container Apps - Overview and Networking