Getting Function Key in ARM Template - Fails Intermittently

1
votes

Hi I am getting the Function Key and Trigger Url as Output in our Arm Template, using the following code.

>     "outputs": {
>     "Key": {
>       "type": "string",
>       "value": "[listsecrets(resourceId('Microsoft.Web/sites/functions',
> variables('funcName'),
> parameters('NameOfService')),'2015-08-01').key]"
>     },
>     "functionUrl": {
>       "type": "string",
>       "value": "[listsecrets(resourceId('Microsoft.Web/sites/functions',
> variables('funcName'),
> parameters('NameOfService')),'2015-08-01').trigger_url]"
>     }   }

We have the 'AzureWebJobsSecretStorageType' set to 'Files' in the App Settings as it doesn't work without it in Functions v2, when we execute the ARM template, it works sometimes but other times it throws the following error, not sure what's it's problem, the ARM template is valid as it does work and I can see the Function is successfully deployed in the Azure portal as well, so not sure why exactly it fails, any clues?

[error]BadRequest: { "error": { "code": "BadRequest", "message": "System.FormatException: unable to decrypt CfDJ8AAAAAAAAAAAAAAAAAAAAAB93sc99M4b_klhBWrLMfQYRpSN9, the key is either invalid or malformed ---> System.Security.Cryptography.CryptographicException: The payload was invalid.\r\n at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)\r\n at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment1 ciphertext, ArraySegment1 additionalAuthenticatedData)\r\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)\r\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)\r\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)\r\n at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData)\r\n at Kudu.Core.Infrastructure.SecurityUtility.DecryptSecretString(String content) in C:\Kudu Files\Private\src\master\Kudu.Core\Infrastructure\SecurityUtility.cs:line 40\r\n --- End of inner exception stack trace ---\r\n at Kudu.Core.Infrastructure.SecurityUtility.DecryptSecretString(String content) in C:\Kudu Files\Private\src\master\Kudu.Core\Infrastructure\SecurityUtility.cs:line 45\r\n at Kudu.Core.Functions.FunctionManager.d__91.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Core\\Functions\\FunctionManager.cs:line 203\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Kudu.Core.Functions.FunctionManager.<GetFunctionSecretsAsync>d__12.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Core\\Functions\\FunctionManager.cs:line 220\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Kudu.Services.Functions.FunctionController.<GetSecrets>d__12.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Services\\Functions\\FunctionController.cs:line 141\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Threading.Tasks.TaskHelpersExtensions.<CastToObject>d__31.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ApiControllerActionInvoker.d__0.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__0.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__0.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ActionFilterResult.d__2.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ExceptionFilterResult.d__0.MoveNext()" }

2
azureazure-functions

2 Answers

1
votes

I Found what was causing this, it was happening during fresh deployments of Function only i.e. when I deleted the function app and then tried the deployment I hit this issue, reason was that I was just deleting the Function App not the Storage Account related to it, so the old storage account was keeping some information about the deleted Function App (I assume) and things got messy, the moment I started deleting the storage account with the Function App the issue went away. Just to add that Storage account is dedicated to this Function App and isn't used by anything else.

0
votes

Based on your error message, I assume the function key looks like CfDJ8AAAAAAAAAAAAAAAAAAAAAB93sc99M4b_klhBWrLMfQYRpSN9. However, this key format doesn't make sense. I've got into the same situation a few times. The key looked exactly like yours.

In that case, the key itself is malformed. It sometimes happens. Therefore the only solution for this is to renew the key. Then it'll be looking a normal base-64 encoded one.