If you search using Google for “azure function app key deploy arm” or even Bicep, you will get some older results saying that it is not possible to do, that you have to enter app keys manually after deploy. That is not true anymore.
As always, just scroll down to the Bicep if that is what you are looking for.
Why do this?
When you call an Azure Function with just the minimum level of security, you supply a key. Either as a query parameter named code or as a header named x-functions-key. You can easily get a key from the function and just use the _master or default. However, from a maintainance perspective it is useful to have separate app keys for every consumer (such as your organization’s API manager).
You simply add a key and name it something that tells you how the key is used, such as ourAPIm-DEV. Now you need to deploy this app key to TEST and PROD as well, so you want to use Bicep for that. Here is how you do it:
The solution
@secure()
param functionAppKey string
var functionAppName = 'MyFunctionName'
var functionAppKeyName = 'MyAppKeyName'
resource FunctionAppName_default_keyName 'Microsoft.Web/sites/host/functionKeys@2022-03-01' = {
name: '{functionAppName}/default/{functionAppKeyName}'
properties: {
name: functionAppKeyName
value: functionAppKey
}
}
The secret is that the function key settings is not under Microsoft.Web/sites but under Microsoft.Web/sites/host which is really confusing. Especially since the Microsoft.Web/sites/host is always default. The way you achieve this is to use some clever naming instead of using the parent property.
My bicep is shortened for this post, you should use parameters instead, such as the key name and the function name.
Lastly, use different values for different environments then give the key to the consumer.