How do I get admin end point and master key when running in container #4147
Comments
@maiqbal11 - can you please help with this? |
@maiqbal11 , |
@VenkateshSrini, what scenario are you looking to enable with this specifically? Running Functions in a Docker Desktop container is not one of our mainline scenarios so we'd have to look more deeply into this. We have documentation on how you can access keys via the admin endpoint (major changes to this are coming shortly):
|
cc @mathewc @balag0 |
My scenario is very simple. I work for a service company that serves a big enterprise client. The client is still not 'all' into public cloud. They would soon make a choice on their public cloud vendor. Now they have Docker and Kubernetes in their in-house web farm. They want to go for serverless and they are exploring options of which is the best serverless platform that would give them identical benefits both in public cloud and private cloud (Kubernetes). At present the client likes the simple programming model of Azure Functions, the power of durable functions and extension points in terms of custom trigger and bindings provided by Azure. But at the same time, they see that there are a variety of security options available in public cloud. Also, by providing access to the admin point they also get to do more. Since it is the same runtime and same code that runs in cloud and local, they would go for Azure Functions if they are able to reach admin endpoints even in their local hosted container. Now to get access to the admin endpoint in Azure Functions (whether in cloud or in container) you need to have access to the master key. In Azure we can take this from configuration blades. However, when running the same locally, the expectation is: can we set this key through environment, so that using this key we can control the admin endpoint of functions hosted in a container? At present we are not able to do this. We do not have SCM or KUDU when accessing the functions on a container deployed locally (not on Azure). |
@VenkateshSrini Here are some ways you can achieve that today as a workaround. I understand that none of these are really good solutions and we should provide some better way to expose this. I'm working with @fabiocav to try to find a workflow that makes sense. Option 1: Creating
|
If you're using Kubernetes, then you can do something like this

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: azure-functions-secrets
type: Opaque
stringData:
  host.json: |-
    {
      "masterKey": {
        "name": "master",
        "value": "MASTER_KEY",
        "encrypted": false
      },
      "functionKeys": [ ]
    }
  httpTrigger.json: |-
    {
      "keys": [
        {
          "name": "default",
          "value": "A_FUNCTION_KEY",
          "encrypted": false
        }
      ]
    }
```

Then you should be able to mount that as a volume by adding that to your pod specs

```yaml
spec:
  containers:
  - name: {azure-functions-container-name}
    image: {your-container-image}
    volumeMounts:
    - name: secrets
      mountPath: "/azure-functions-host/Secrets"
      readOnly: true
    env:
    - name: AzureWebJobsSecretStorageType
      value: files
  volumes:
  - name: secrets
    secret:
      secretName: azure-functions-secrets
```

I haven't tested this yet, but I'll do tomorrow. It's really just a variation on Option 2 from above, just using kubernetes default mount-secrets-as-volumes |
NO real time execution from on premise Kubernetes or Cloud foundry cluster. |
Thanks a ton. I tried the same in local by modifying the environment using local.settings.json file. It worked. My next target will be to add the same in docker and test |
@VenkateshSrini , what do you mean by "I tried the same in local by modifying the environment using local.settings.json file"? Is there an easier way to inject function keys when testing a function locally in a docker container (Linux)? And what about deploying the container to production in AKS - how should the secrets be configured there? Using Kubernetes secret and mounted volume or there is another better way? |
You can see all the options stated above. In AKS to the best of my knowledge, please use mounted volumes. Another approach that strikes me now but yet to try it, we can use Azure Vault as a key store and mount the same as Flex volumes. Please see this blog |
I've used the approach above and it works great until I had an anonymous auth level on an httptrigger function that expected a query param of |
hi @ahmelsayed, is there any other option in 2022? I noticed that |
Yes what is the best way to achieve this in 2022? We are trying to hit an admin endpoint on a Function App hosted in Kubernetes. Thanks! |
Please what is the best way to do this in 2023. There is no clear documentation on how to do this on the docs. We are trying to hit the admin endpoint and we are just hitting unauthorised. |
What is the best way to achieve this in {insert your year} x3? |
I have already successfully stored/read the master key in Azure KeyVault. And I like to share my experience.
|
Here is the solution I synthesized from the EXTREMELY HELPFUL above conversation:

in your environment:

```
- AzureWebJobsSecretStorageType=files # looks for secrets under /azure-functions-host/Secrets/
```

in your

```dockerfile
# for local run - create a known key ('test') for x-functions-key
RUN mkdir -p /azure-functions-host/Secrets/
RUN echo '{"masterKey":{"name":"master","value":"test","encrypted":false},"functionKeys":[]}' > /azure-functions-host/Secrets/host.json
```

This worked, so that now I can use the value |
Thank you, @cmcconomyfwig. Your post was extremely helpful. I simplified this a little more and set the environment variable along with the commands to produce
|
@cmcconomyfwig your solution above means that your container isn't really suitable for production, only local testing. If you instead use environment variables and mount a host.json with the master key it means you can build the container once, run it locally using a known "test" master key, and then deploy the same container to Azure where it will run correctly with the master key from the environment |
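An added example, not code from this thread or from the Azure Functions project: a Python sketch that writes the `host.json` secrets file in the layout shown in the comments above using a randomly generated master key, and audits a secrets file for the placeholder values used in this thread (`test`, `MASTER_KEY`, `A_FUNCTION_KEY`). The function names, the 32-byte key size and the minimum-length threshold are assumptions.

```python
import json
import os
import secrets
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# Placeholder values that appear in this thread; none should reach production.
PLACEHOLDER_KEYS = {"test", "MASTER_KEY", "A_FUNCTION_KEY"}
MIN_KEY_LENGTH = 32  # assumed policy threshold, not a Functions host requirement


def write_host_secrets(secrets_dir: Path, master_key: Optional[str] = None) -> str:
    """Write host.json in the layout shown in the thread; return the master key."""
    key = master_key or secrets.token_urlsafe(32)  # 32 random bytes (assumed size)
    doc = {
        "masterKey": {"name": "master", "value": key, "encrypted": False},
        "functionKeys": [],
    }
    secrets_dir.mkdir(parents=True, exist_ok=True)
    # mkstemp creates the file with mode 0600; rename makes the update atomic.
    fd, tmp = tempfile.mkstemp(dir=secrets_dir)
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh)
    os.replace(tmp, secrets_dir / "host.json")
    return key


def audit_secrets_file(path: Path) -> List[str]:
    """Return findings for host.json or a per-function key file; [] means clean."""
    doc = json.loads(path.read_text())
    entries = []
    if "masterKey" in doc:
        entries.append(doc["masterKey"])
    entries += doc.get("functionKeys", []) + doc.get("keys", [])
    findings = []
    for entry in entries:
        name, value = entry.get("name", "?"), entry.get("value", "")
        if value in PLACEHOLDER_KEYS:
            findings.append(f"{name}: placeholder key value")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{name}: key shorter than {MIN_KEY_LENGTH} characters")
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        findings.append("file is readable by group or others")
    return findings
```

Running the audit in CI against the file that ends up mounted makes a build fail when an image or Secret still carries a known key such as `test`.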
Hi @changeforan - Thanks for the help with the Secret method, much useful. Will try it out. I do have quick couple of questions based on your comments.
|
any leads on how to make authenticated call via api key in azure container apps? basically the same function app running in container on azure container apps? |
I'm running Azure function in container. I want to retrieve the master key and hit the admin endpoint for the function running in container. How do I do that?
Investigative information
Please provide the following:
Repro steps
Provide the steps required to reproduce the problem:
Expected behavior
I should be able to access the and I should be able to retrieve the admin end point
Actual behavior
Provide a description of the actual behavior observed.
The Azure function admin endpoint is not accessible inside Docker container
Known workarounds
None