Getting Function Key in ARM Template - Fails Intermittently

[sajid08]

Hi I am getting the Function Key and Trigger Url as Output in our Arm Template, using the following code.

"outputs": {
    "Key": {
      "type": "string",
      "value": "[listsecrets(resourceId('Microsoft.Web/sites/functions', variables('funcName'), parameters('NameOfService')),'2015-08-01').key]"
    },
    "functionUrl": {
      "type": "string",
      "value": "[listsecrets(resourceId('Microsoft.Web/sites/functions', variables('funcName'), parameters('NameOfService')),'2015-08-01').trigger_url]"
    }
  }

We have the 'AzureWebJobsSecretStorageType' set to 'Files' in the App Settings as it doesn't work without it in Functions v2, when we execute the ARM template, it works sometimes but other times it throws the following error, we have observed that mainly it's when we are deploying the Function App for the first time that this issue occurs, if I run the same template after a minute or so, it works fine.

[error]BadRequest: { "error": { "code": "BadRequest", "message": "System.FormatException: unable to decrypt CfDJ8AAAAAAAAAAAAAAAAAAAAAB93sc99M4b_klhBWrLMfQYRpSN9, the key is either invalid or malformed ---> System.Security.Cryptography.CryptographicException: The payload was invalid.\r\n at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)\r\n at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment1 ciphertext, ArraySegment1 additionalAuthenticatedData)\r\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)\r\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)\r\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)\r\n at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData)\r\n at Kudu.Core.Infrastructure.SecurityUtility.DecryptSecretString(String content) in C:\Kudu Files\Private\src\master\Kudu.Core\Infrastructure\SecurityUtility.cs:line 40\r\n --- End of inner exception stack trace ---\r\n at Kudu.Core.Infrastructure.SecurityUtility.DecryptSecretString(String content) in C:\Kudu Files\Private\src\master\Kudu.Core\Infrastructure\SecurityUtility.cs:line 45\r\n at Kudu.Core.Functions.FunctionManager.d__91.MoveNext() in C:\Kudu Files\Private\src\master\Kudu.Core\Functions\FunctionManager.cs:line 203\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Kudu.Core.Functions.FunctionManager.<GetFunctionSecretsAsync>d__12.MoveNext() in C:\Kudu Files\Private\src\master\Kudu.Core\Functions\FunctionManager.cs:line 220\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Kudu.Services.Functions.FunctionController.<GetSecrets>d__12.MoveNext() in C:\Kudu Files\Private\src\master\Kudu.Services\Functions\FunctionController.cs:line 141\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Threading.Tasks.TaskHelpersExtensions.<CastToObject>d__31.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ApiControllerActionInvoker.d__0.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__0.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Filters.ActionFilterAttribute.d__0.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ActionFilterResult.d__2.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at System.Web.Http.Controllers.ExceptionFilterResult.d__0.MoveNext()" }

[janisBerz]

We sometimes have the same error System.FormatException: unable to decrypt with pretty much have the same arm template and Azure function v2. Workaround - restart the function app.

[janisBerz]

There were instances where function app restart did not work as a workaround. After chaining the listsecrets ARM function to listkeys I have not seen the error anymore.

Example:

 "value": "[listKeys(resourceId('Microsoft.Web/sites/functions', parameters('functionAppName'), 'Api'),'2019-08-01').default]"

[renenaplava]

I believe I've found the root cause of this issue. The problem is with the key itself. From my observation, it can't contain underscore character (_). For example, when my key was something like j1_kR-jfskmp_cSzrjBJ... I got the same error every deployment. But regenerating the key to something without the underscore solved the problem!!!