Azure / azure-cli

Azure Command-Line Interface
MIT License

Cannot manually create function app SystemKey #23693

Closed RotateAt60MPH closed 2 years ago

RotateAt60MPH commented 2 years ago

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related command: az functionapp keys set

Describe the bug: Operation returned an invalid status 'Not Found'

To Reproduce

$ az functionapp keys list -g ksdevelopment -n kuvadevsignalr
{
  "functionKeys": {
    "default": "...=="
  },
  "masterKey": "...==",
  "systemKeys": {}
}
$ az functionapp keys set -g ksdevelopment -n kuvadevsignalr --key-type systemKey --key-name signalr_extension
Operation returned an invalid status 'Not Found'

Expected behavior: A key should be created. The function app is proven to exist beforehand.

ynden commented 2 years ago

Hey there @RotateAt60MPH,

You can create function & host keys, but not system keys. System keys can only be created by extensions. For example, if you create an Event trigger function, you would see a new system key generated.

You can find more details here: https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4#system-key

Please confirm if that helps, thanks!

yonzhan commented 2 years ago

route to CXP team

RotateAt60MPH commented 2 years ago

@ynden Thanks for the reply. So, only by deploying code to the function app functions that are (in this instance: SignalRTrigger attributed) would create the systemkey signalr_extension? i.e. a pipeline, for example.

ynden commented 2 years ago

@RotateAt60MPH Correct, you would need to deploy your function first. Only then, a system key would be generated by the extension (in your case the signalR extension).

Hope that helps!

RotateAt60MPH commented 2 years ago

hi @ynden

In the case of a pipeline deployment, this gets a bit problematic doesn't it? It appears that the extension key is NOT created magically if the code deployment is via a pipeline task.

What's the best practice for deploying then?

Can I script the key creation in the BICEP script? Problem is there's nothing in the ARM template docs under 'microsoft.web/sites' that says you can. And then there's the problem of the circular reference between the function app appsetting and signalr upstream settings,

Could a pipeline be:

ynden commented 2 years ago

Hey there @RotateAt60MPH,

You would need to:

  1. Create the function app
  2. Deploy a function of SignalR binding type. This step is important, because if you just have the function app alone, there would be no SignalR system key. You need to deploy that function code first.
  3. Once the function is deployed successfully, extract the signalr_extension system key
  4. Inject the key into upstream settings

To summarize, the signalr_extension system key is only going to be generated after your code deployment of a function of type SignalR binding.
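
Steps 3 and 4 of the procedure above as a post-deployment pipeline step. This is an added example, not posted by any participant in the thread. The `az signalr upstream update` call and the `https://<app>.azurewebsites.net/runtime/webhooks/signalr?code=<key>` URL shape are assumptions not taken from this page, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): wait for the extension-created system
# key after code deployment, then wire it into the SignalR upstream URL.

# Poll until the extension has registered its system key, then print it.
# Args: resource-group  function-app  key-name  [attempts]  [delay-seconds]
wait_for_system_key() {
  local rg=$1 app=$2 name=$3 attempts=${4:-30} delay=${5:-10}
  local key i=1
  while [ "$i" -le "$attempts" ]; do
    # An az failure (host still restarting) is treated as "not there yet".
    key=$(az functionapp keys list -g "$rg" -n "$app" \
            --query "systemKeys.$name" -o tsv 2>/dev/null) || key=""
    case $key in
      "" | None | null) sleep "$delay" ;;   # systemKeys is still {}
      *) printf '%s' "$key"; return 0 ;;
    esac
    i=$((i + 1))
  done
  echo "system key '$name' not present on '$app' after $attempts attempts" >&2
  return 1
}

# Build the upstream URL that carries the key.
# Assumption: default *.azurewebsites.net host and the SignalR webhook path.
upstream_url() {
  printf 'https://%s.azurewebsites.net/runtime/webhooks/signalr?code=%s' "$1" "$2"
}

# Steps 3 and 4. Args: resource-group  function-app  signalr-service-name
inject_upstream() {
  local rg=$1 app=$2 signalr=$3 key
  key=$(wait_for_system_key "$rg" "$app" signalr_extension) || return 1
  # The key is a credential: never echo it, and discard az's echo of the
  # updated settings so the URL does not land in the pipeline log.
  az signalr upstream update -g "$rg" -n "$signalr" \
     --template url-template="$(upstream_url "$app" "$key")" >/dev/null
}
```

Run `inject_upstream <resource-group> <function-app> <signalr-name>` as the step after the code deployment; a non-zero exit means the extension never registered the key, which is the failure described in this thread.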

RotateAt60MPH commented 2 years ago

@ynden

Ummm, pipeline deploy of code is the problem. My Function App code has lots of SignalR triggered functions, for example:

        [FunctionName(nameof(OnConnected))]
        public async Task OnConnected([SignalRTrigger]InvocationContext invocationContext, ILogger logger)
        {
            invocationContext.Headers.TryGetValue("Authorization", out var auth);
            await Clients.All.SendAsync(NewConnectionTarget, new NewConnection(invocationContext.ConnectionId, auth));
            logger.LogInformation($"{invocationContext.ConnectionId} has connected");
        }

Using the standard pipeline 'AzureFunctionApp' task to deploy the code, the extension key is NOT created. If I manually deploy from VSCode, the extension key is created. Deploying from VSCode all the time into Production isn't an option. :)

Any suggestions?

ynden commented 2 years ago

@RotateAt60MPH,

As mentioned, the only way to have a system key created is through the deployment of the code first, so it's no longer related to azure cli itself.

You mentioned that it was working when deploying with VSCode, but not with Azure Pipeline Task, so I would suggest you open an issue to that specific team (https://github.com/microsoft/azure-pipelines-tasks/issues).

@RakeshMohanMSFT, can you confirm?

RotateAt60MPH commented 2 years ago

Thanks for the advice. Apologies for going off on this tangent,

FinOCE commented 2 months ago

Hey there @RotateAt60MPH,

You would need to:

  1. Create the function app
  2. Deploy a function of SignalR binding type. This step is important, because if you just have the function app alone, there would be no SignalR system key. You need to deploy that function code first.
  3. Once the function is deployed successfully, extract the signalr_extension system key
  4. Inject the key into upstream settings

To summarize, the signalr_extension system key is only going to be generated after your code deployment of a function of type SignalR binding.

Has there been a new approach to this added since 2022? This is frustrating needing to use a deployment sandwich to be able to provision my web pubsub hub, as the system key is necessary for its urlTemplate. Is there a way to have the system key generated prior to the code being published to it?