Azure DevOps: How to update the Azure Function default Host Key in a PowerShell task

January 21, 2019, (updated on January 25, 2019), 2 comments, Software Development

For a recent project I dynamically create new Azure Functions in an Azure DevOps release pipeline. One of the requirements was to automatically update each default Host Key to a given value so that it’s easier to access the newly created HTTP functions. Because there is no easy out-of-the-box API in Azure CLI or Azure PowerShell, I wanted to share the final solution here.

To update the default Azure Function Host Key in an Azure PowerShell build/release task, just follow these steps:

1. Create a new “Azure PowerShell” task in your Azure DevOps build or release pipeline

2. Choose an “Azure Subscription” which has privileges to access the resource

3. Under “Azure PowerShell Version” use the “Latest installed version”

4. Use “Inline Script” and insert the following script:

    # Name of the Function App, its resource group, and the host key value to set
    $functionName = "my-azure-function";
    $resourceGroup = "my-azure-function-resource-group";
    $functionHostKey = "my-new-function-host-key";

    # Retrieve the Kudu publishing credentials of the App Service
    $publishingCredentials = Invoke-AzureRmResourceAction -ResourceGroupName $resourceGroup -ResourceType "Microsoft.Web/sites/config" -ResourceName "$functionName/publishingcredentials" -Action list -ApiVersion 2015-08-01 -Force
    # Build the Basic authentication header value from the publishing user name and password
    $authorization = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $publishingCredentials.Properties.PublishingUserName, $publishingCredentials.Properties.PublishingPassword)))
    # Exchange the publishing credentials for an access token
    $accessToken = Invoke-RestMethod -Uri "https://$" -Headers @{Authorization=("Basic {0}" -f $authorization)} -Method GET

    # Request body: set the key named "default" to the new value
    $data = @{
    "name" = "default"
    "value" = "$functionHostKey"
    } | ConvertTo-Json;

    # Call the key management API with the access token to update the default host key
    $response = Invoke-RestMethod -Method PUT -Headers @{Authorization = ("Bearer {0}" -f $accessToken)} -ContentType "application/json" -Uri "https://$" -body $data

Update the variables $functionName, $resourceGroup and $functionHostKey to your liking – you can also use build variables, e.g. $(Build.BuildNumber).

As you can see, the script first reads the Kudu publishing credentials of your App Service and uses them to obtain an access token.
With this access token, it then calls the Azure Function’s key management API to update the default host key.
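An added example (not from the original post): instead of hard-coding `$functionHostKey`, generate the key from a CSPRNG, register it as a secret with the Azure DevOps agent so it is masked in the log, and discard the API response. The function names and the `$KeyApiUri` parameter are hypothetical; pass the same key management URL and `$accessToken` that the script above uses.

```powershell
# Added example, not part of the original script. All function names are hypothetical.

function New-FunctionHostKey {
    # Returns a random key taken from the OS CSPRNG, base64url-encoded without padding.
    param([ValidateRange(16, 64)][int]$ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Protect-PipelineSecret {
    # Emits the Azure DevOps logging command that stores the value as a secret
    # variable, so the agent masks it in subsequent log output.
    param(
        [Parameter(Mandatory)][string]$Value,
        [string]$VariableName = 'FunctionHostKey'   # assumed variable name
    )
    Write-Host "##vso[task.setvariable variable=$VariableName;issecret=true]$Value"
}

function Set-DefaultHostKey {
    # Sends the same PUT request as the script above, but never writes the
    # response to the output stream.
    param(
        [Parameter(Mandatory)][string]$KeyApiUri,    # assumption: the key management URL from the script above
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$HostKey
    )
    if ($HostKey.Length -lt 22) { throw 'Host key is too short to be a useful secret.' }
    $body = @{ name = 'default'; value = $HostKey } | ConvertTo-Json
    # Assigning to $null discards the response instead of letting it reach the log.
    $null = Invoke-RestMethod -Method PUT -Uri $KeyApiUri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body $body
}

# Generate the key and register it with the agent before anything else can log it.
# Outside a pipeline agent the ##vso line is simply printed as-is.
$functionHostKey = New-FunctionHostKey
Protect-PipelineSecret -Value $functionHostKey

# In the pipeline, after $accessToken has been obtained as in the script above:
# Set-DefaultHostKey -KeyApiUri $keyApiUri -AccessToken $accessToken -HostKey $functionHostKey
```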


2 responses to “Azure DevOps: How to update the Azure Function default Host Key in a PowerShell task”

  1. Great Job Rico, this is really helpful, thank you for filling the gaps! One remark to improve it, the output of the last call will show in the Azure DevOps logs. To prevent that I did the following:
    $response = Invoke-RestMethod -Method PUT -Headers @{Authorization = ("Bearer {0}" -f $accessToken)} -ContentType "application/json" -Uri "https://$(functionAppName)" -body $data
