Have a deployed azure functions with docker compose locally using net6.0.

Need to call the function from another local api service, adding the x-functions-key in the header.

The function has the auth attribute: AuthorizationLevel.Function

How do i find the default or master key for the locally deployed azure function?

I have tried various dummy keys and all sent 401 unauthorized back. I have also found a folder called DataProtection-Keys with a xml file containing keys, but these did not work either.

You have two ways to get the key:

1. Set your own key

Set a master key of your own and pass it into the container, so that the container will always accept that key.

Step 1: Create a test_host_keys.json file locally with the following contents:

{
  "masterKey": {
    "name": "master",
    "value": "test", <-- this will be the host key you use
    "encrypted": false
  },
  "functionKeys": []
}

Step 2: Invoke docker with two extra parameters:

• -e AzureWebJobsSecretStorageType=files to make it use local auth keys
• -v path/to/your/test_host_keys.json:/azure-functions-host/Secrets/host.json to set the custom host keys

(This is an improvement on this answer, since with this you can use the same Dockerfile for local testing and for production)

2. Get it from the running container.

In the container, look inside the /azure-functions-host/Secrets/ folder for a .json file

Read that file to find the default key. It'll look something like the following:

> cat /azure-functions-host/Secrets/[thefile].json

root@5b9250f41cc6:/# cat /azure-functions-host/Secrets/some_trigger.json 
{
  "keys": [
    {
      "name": "default",
      "value": "buoxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==", <-- your key
      "encrypted": false
    }
  ],
  "hostName": null,
  "instanceId": "000000000000000000000000xxxxxxxx",
  "source": "runtime",
  "decryptionKeyId": ""
}

Here a solution I copied from: https://github.com/Azure/azure-functions-host/issues/4147#issuecomment-1660784713

in your compose.yaml, include the following:

    environment:
      - AzureWebJobsSecretStorageType=files  # looks for secrets under /azure-functions-host/Secrets/

in your Dockerfile, include the following three lines:

# for local run - create a known key ('test') for x-functions-key
RUN mkdir -p /azure-functions-host/Secrets/
RUN echo '{"masterKey":{"name":"master","value":"test","encrypted":false},"functionKeys":[]}' > /azure-functions-host/Secrets/host.json

Now you can use the value test for your x-functions-key

You have two ways to get the key:

1. Set your own key

Set a master key of your own and pass it into the container, so that the container will always accept that key.

Step 1: Create a test_host_keys.json file locally with the following contents:

{
  "masterKey": {
    "name": "master",
    "value": "test", <-- this will be the host key you use
    "encrypted": false
  },
  "functionKeys": []
}

Step 2: Invoke docker with two extra parameters:

• -e AzureWebJobsSecretStorageType=files to make it use local auth keys
• -v path/to/your/test_host_keys.json:/azure-functions-host/Secrets/host.json to set the custom host keys

(This is an improvement on this answer, since with this you can use the same Dockerfile for local testing and for production)

2. Get it from the running container.

In the container, look inside the /azure-functions-host/Secrets/ folder for a .json file

Read that file to find the default key. It'll look something like the following:

> cat /azure-functions-host/Secrets/[thefile].json

root@5b9250f41cc6:/# cat /azure-functions-host/Secrets/some_trigger.json 
{
  "keys": [
    {
      "name": "default",
      "value": "buoxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==", <-- your key
      "encrypted": false
    }
  ],
  "hostName": null,
  "instanceId": "000000000000000000000000xxxxxxxx",
  "source": "runtime",
  "decryptionKeyId": ""
}

Further to @filype's answer (ever so slightly beyond the scope of the original question, apologies), if you're using TestContainers .NET as I was when I needed the answer to this question, you can do the following instead of editing your Dockerfile to add the AzureWebJobsSecretStorageType environment variable and generate the Secrets/host.json with a value of your choosing at runtime.

var functionsMasterKey = Convert.ToBase64String(Guid.NewGuid().ToByteArray());

var container = new ContainerBuilder()
    .WithImage(...)
    .WithEnvironment(new Dictionary<string, string>
    {
        { "AzureWebJobsSecretStorageType", "files" }
    })
    .WithResourceMapping(
        Encoding.Default.GetBytes(
            $"{{\"masterKey\":{{\"name\":\"master\",\"value\":\"{functionsTestKey}\",\"encrypted\":false}},\"functionKeys\":[]}}"),
            "/azure-functions-host/Secrets/host.json")
    .Build();

When running locally, you can also just temporarily disable the authorization of the key by setting the authLevel to "anonymous".

• WARNING: If ever the original value for authLevel is different, remember to revert it back once you're done to avoid unexpectedly deploying that change!

Sample function.json

{
  "bindings": [
    {
      "type": "httpTrigger",
      "direction": "in",
      "route": "orders",
      "authLevel": "anonymous"
    },
    {
      "type": "http",
      "direction": "out"
    }
  ]
}

As you are using Authorization.Function in your function, you need Function key to run the deployed function.

Once you deploy the function to Azure function:

• Go to your function app in Azure portal:

• Open the deployed function(eg: Http Trigger)=> Function Keys.

You can find the default key:

Copy the value of the default key and you can use it as value of x-functions-key while calling the function.