Microsoft Azure Functions · Arazzo Workflow

Rotate a Function Key and Confirm It

Version 1.0.0

Create or update a named function key, then list the function keys to confirm the new value is in place.

1 workflow 1 source API 1 provider
View Spec View on GitHub AzureCloudComputeEvent-DrivenMicrosoftServerlessArazzoWorkflows

Provider

microsoft-azure-functions

Workflows

rotate-function-key
Set a named function key and confirm it via the key listing.
Creates or updates a single function key and then lists the function's keys to confirm the rotation took effect.
2 steps inputs: apiVersion, functionName, keyName, keyValue, name, resourceGroupName, subscriptionId outputs: keys, rotatedKeyName, rotatedKeyValue
1
setFunctionKey
WebApps_CreateOrUpdateFunctionSecret
Create or update the named function key. ARM returns 200 when an existing key is updated or 201 when a new key is created.
2
listFunctionKeys
WebApps_ListFunctionKeys
List all keys for the function to confirm the rotated key is present. The response is a StringDictionary whose properties map key names to values.

Source API Descriptions

openapi
azureFunctionsApi https://raw.githubusercontent.com/api-evangelist/microsoft-azure-functions/refs/heads/main/openapi/azure-functions-management-api.json

Arazzo Workflow Specification

microsoft-azure-functions-rotate-function-key-workflow.yml Raw ↑ 
arazzo: 1.0.1
info:
  title: Rotate a Function Key and Confirm It
  summary: Create or update a named function key, then list the function keys to confirm the new value is in place.
  description: >-
    A secret-rotation flow for a single function's access keys. The workflow
    issues an ARM create-or-update against the sites/functions/keys resource to
    set a named key (optionally to a caller-supplied value, otherwise letting the
    platform generate one), then lists all keys for that function to confirm the
    rotated key is present. Every step spells out its ARM request inline —
    including the required api-version query parameter and the {properties:{...}}
    KeyInfo envelope — so the flow can be read and executed without opening the
    underlying OpenAPI description. All requests are authorized with the
    azure_auth OAuth2 bearer token carried by the Azure Resource Manager
    endpoint.
  version: 1.0.0
sourceDescriptions:
- name: azureFunctionsApi
  url: ../openapi/azure-functions-management-api.json
  type: openapi
workflows:
- workflowId: rotate-function-key
  summary: Set a named function key and confirm it via the key listing.
  description: >-
    Creates or updates a single function key and then lists the function's keys
    to confirm the rotation took effect.
  inputs:
    type: object
    required:
    - subscriptionId
    - resourceGroupName
    - name
    - functionName
    - keyName
    properties:
      subscriptionId:
        type: string
        description: The Azure subscription identifier (GUID).
      resourceGroupName:
        type: string
        description: The resource group that contains the function app.
      name:
        type: string
        description: The name of the function app.
      functionName:
        type: string
        description: The name of the function whose key is being rotated.
      keyName:
        type: string
        description: The name of the key to create or update (e.g. "default").
      keyValue:
        type: string
        description: Optional explicit key value; omit to let the platform generate one.
      apiVersion:
        type: string
        description: The ARM api-version to use for all requests.
        default: "2024-11-01"
  steps:
  - stepId: setFunctionKey
    description: >-
      Create or update the named function key. ARM returns 200 when an existing
      key is updated or 201 when a new key is created.
    operationId: WebApps_CreateOrUpdateFunctionSecret
    parameters:
    - name: api-version
      in: query
      value: $inputs.apiVersion
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: name
      in: path
      value: $inputs.name
    - name: functionName
      in: path
      value: $inputs.functionName
    - name: keyName
      in: path
      value: $inputs.keyName
    requestBody:
      contentType: application/json
      payload:
        properties:
          name: $inputs.keyName
          value: $inputs.keyValue
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      rotatedKeyName: $response.body#/properties/name
      rotatedKeyValue: $response.body#/properties/value
    onSuccess:
    - name: confirm
      type: goto
      stepId: listFunctionKeys
  - stepId: listFunctionKeys
    description: >-
      List all keys for the function to confirm the rotated key is present. The
      response is a StringDictionary whose properties map key names to values.
    operationId: WebApps_ListFunctionKeys
    parameters:
    - name: api-version
      in: query
      value: $inputs.apiVersion
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: name
      in: path
      value: $inputs.name
    - name: functionName
      in: path
      value: $inputs.functionName
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      keys: $response.body#/properties
  outputs:
    rotatedKeyName: $steps.setFunctionKey.outputs.rotatedKeyName
    rotatedKeyValue: $steps.setFunctionKey.outputs.rotatedKeyValue
    keys: $steps.listFunctionKeys.outputs.keys