Azure CLI command 'az functionapp create' - App Keys not generated

Am I missing something about how to create a function using the Azure CLI? How can I add a key to my function?

Steps to reproduce:

az storage account create --name $(StorageAccountName) --resource-group $(StorageResourceGroupName)

az appservice plan create --name $(AppServicePlanName) --resource-group $(AppServicePlanResourceGroupName) --sku $(AppServicePlanSku) --location $(AppServicePlanLocation)

az functionapp create --resource-group $(FunctionResourceGroupName) --plan $(AppServicePlanPath) --name $(FunctionName) --storage-account $(StorageAccountPath) --functions-version $(FunctionVersion) --os-type $(FunctionOs) --runtime dotnet --disable-app-insights true --app-insights-key $(ApplicationInsightsImbasKey) --subnet $(FunctionSubnetPath)

az functionapp keys list --name $(FunctionName) --resource-group $(FunctionResourceGroupName)

Last command returns: Operation returned an invalid status 'Bad Request'

az rest command returns:

az rest --method post --uri "/subscriptions/xyz/resourceGroups/rg-func/providers/Microsoft.Web/sites/func-test/host/default/listKeys?api-version=2022-03-01" --query functionKeys.default --output tsv

Bad Request({"Code":"BadRequest","Message":"Encountered an error (InternalServerError) from host runtime.","Target":null,"Details":[{"Message":"Encountered an error (InternalServerError) from host runtime."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","Message":"Encountered an error (InternalServerError) from host runtime."}}],"Innererror":null})

Also, in the Azure Portal the App Keys are not shown and cannot be set.




Solution 1:[1]

I was able to successfully create the function app and plan with your code, and obtain the keys, with only a few minor changes made.

Could you verify your permissions perhaps, and use the MS Docs for further command argument references?

az functionapp create

az appservice plan create

I've removed

  • --runtime dotnet

--runtime-version is not supported for --runtime dotnet. Dotnet version is determined by --functions-version. Dotnet version will be 6.0 for this function app.

  • --app-insights-key

you disabled insights, so this was redundant

  • --subnet

this needed the --vnet argument, which you didn't use

Solution 2:[2]

Hope this helps. It is an Azure DevOps build task, but you can take the az CLI commands out of it:

trigger: none

pool:
  vmImage: "ubuntu-latest"

# For more information see https://docs.microsoft.com/en-us/cli/azure/what-is-azure-cli?view=azure-cli-latest
variables:
  AzureSubscription: xyz
  StorageAccountName: someName
  StorageAccountResourceID: /subscriptions/xyz/resourceGroups/rg-storage...
  StorageResourceGroupName: rg-storage...
  AppServicePlanResourceGroupName: rg-plan...
  AppServicePlanSku: S1
  AppServicePlanName: plan-app-test
  AppServicePlanResourceID: /subscriptions/xyz/resourceGroups/rg-plan....
  AppServicePlanLocation: centralus
  FunctionResourceGroupName: rg-func
  FunctionName: func-name... 
  FunctionOs: Windows
  FunctionVersion: 4
  FunctionVnetResourceID: /subscriptions/xyz/resourceGroups/...
  FunctionSubnetResourceID: /subscriptions/xyz/resourceGroups/...
  ApplicationInsightsImbasKey: yourKey
  KeyVaultName: yourKeyVault
  KeyVaultResourceGroupName: rg-kv....

steps:
# Create Azure Function
  - task: AzureCLI@2
    displayName: "Create Azure Storage Account $(StorageAccountName)"
    inputs:
      azureSubscription: '$(AzureSubscription)'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        az storage account create `
        --name $(StorageAccountName) `
        --resource-group $(StorageResourceGroupName)

  - task: AzureCLI@2
    displayName: "Create Azure App Service Plan $(AppServicePlanName)"
    inputs:
      azureSubscription: '$(AzureSubscription)'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        az appservice plan create `
        --name $(AppServicePlanName) `
        --resource-group $(AppServicePlanResourceGroupName) `
        --sku $(AppServicePlanSku) `
        --location $(AppServicePlanLocation)

  - task: AzureCLI@2
    displayName: "Create and configure Azure Function $(FunctionName)"
    inputs:
      azureSubscription: '$(AzureSubscription)'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        az functionapp create `
        --resource-group $(FunctionResourceGroupName) `
        --plan $(AppServicePlanResourceID) `
        --name $(FunctionName) `
        --storage-account $(StorageAccountResourceID) `
        --functions-version $(FunctionVersion) `
        --os-type $(FunctionOs) `
        --app-insights-key $(ApplicationInsightsImbasKey) `
        --vnet $(FunctionVnetResourceID) `
        --subnet $(FunctionSubnetResourceID)

        az functionapp config set `
        --name $(FunctionName) `
        --resource-group $(FunctionResourceGroupName) `
        --ftps-state Disabled
       
        az functionapp update `
          --name $(FunctionName) `
          --resource-group $(FunctionResourceGroupName) `
          --set httpsOnly=true

## https://markheath.net/post/managed-identity-key-vault-azure-functions
  - task: AzureCLI@2
    displayName: "Assign a managed identity $(FunctionName)"
    inputs:
      azureSubscription: '$(AzureSubscription)'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        az functionapp identity assign `
        -n $(FunctionName) `
        -g $(FunctionResourceGroupName)

  - task: AzureCLI@2
    name: GetPrincipalId
    displayName: "Query PrincipalId and grant managed identity read access to Key Vault $(KeyVaultName)"
    inputs:
      azureSubscription: '$(AzureSubscription)'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        $queryPrincipalId= $(az functionapp identity show -n $(FunctionName) -g $(FunctionResourceGroupName) --query principalId -o tsv)
        az keyvault set-policy -n $(KeyVaultName) -g $(KeyVaultResourceGroupName) `
            --object-id  $queryPrincipalId `
            --secret-permissions get

  - task: AzureCLI@2
    displayName: "Configure function $(FunctionName)"
    inputs:
      azureSubscription: '$(AzureSubscription)'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        az functionapp config appsettings set -n $(FunctionName) -g $(FunctionResourceGroupName) --settings "FUNCTIONS_WORKER_RUNTIME=dotnet-isolated"

I set the "dotnet-isolated" FUNCTIONS_WORKER_RUNTIME setting using 'az functionapp config appsettings set':

az functionapp config appsettings set -n $(FunctionName) -g $(FunctionResourceGroupName) --settings "FUNCTIONS_WORKER_RUNTIME=dotnet-isolated"

And to set the APPLICATIONINSIGHTS_CONNECTION_STRING:

az functionapp config appsettings set -n $(FunctionName) -g $(FunctionResourceGroupName) --settings "APPLICATIONINSIGHTS_CONNECTION_STRING=$(ApplicationInsightsImbasConnectionString)"
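A post-deployment check for the settings the pipeline in Solution 2 applies (HTTPS only, FTPS disabled, managed identity, get-only Key Vault policy) plus the key listing that failed in the question. This is an added example, not part of either answer; the default resource names are placeholders, and the vault is assumed to use access policies as in the pipeline.

```powershell
# Added example (not from the answers). Default names are placeholders; pass your own.
param(
    [string]$FunctionName  = 'func-test',
    [string]$ResourceGroup = 'rg-func',
    [string]$KeyVaultName  = 'yourKeyVault'
)

$findings = @()

# HTTPS-only, as set by 'az functionapp update --set httpsOnly=true'.
$app = az functionapp show -n $FunctionName -g $ResourceGroup -o json | ConvertFrom-Json
if (-not $app.httpsOnly) { $findings += 'httpsOnly is not enabled' }

# FTPS disabled, as set by 'az functionapp config set --ftps-state Disabled'.
$config = az functionapp config show -n $FunctionName -g $ResourceGroup -o json | ConvertFrom-Json
if ($config.ftpsState -ne 'Disabled') { $findings += "ftpsState is '$($config.ftpsState)'" }

# Managed identity, as assigned by 'az functionapp identity assign'.
$principalId = az functionapp identity show -n $FunctionName -g $ResourceGroup --query principalId -o tsv
if (-not $principalId) {
    $findings += 'no managed identity assigned'
} else {
    # The access policy should grant secret 'get' only, matching '--secret-permissions get'.
    $vault  = az keyvault show -n $KeyVaultName -o json | ConvertFrom-Json
    $policy = $vault.properties.accessPolicies | Where-Object { $_.objectId -eq $principalId }
    if (-not $policy) {
        $findings += 'no Key Vault access policy for the managed identity'
    } else {
        $extra = @($policy.permissions.secrets | Where-Object { $_ -ne 'get' })
        if ($extra.Count -gt 0) { $findings += "extra secret permissions: $($extra -join ', ')" }
    }
}

# Host keys must be listable; '-o none' keeps the key values out of the pipeline log.
az functionapp keys list -n $FunctionName -g $ResourceGroup -o none 2>$null
if ($LASTEXITCODE -ne 0) {
    $findings += "'az functionapp keys list' failed; check the host runtime settings"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host 'All checks passed'
```

Run as a final AzureCLI@2 step with scriptType 'pscore', the non-zero exit code fails the pipeline when any check does not hold.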

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 jack_skellington
Solution 2