Secure your azure function with keys
Azure Functions lets us create HTTP trigger functions and expose them as API endpoints, so it's important to secure those endpoints against unwanted access and traffic.
Azure functions can be secured in the following ways:
- Using keys
- Using identity providers (with JWT tokens), such as Microsoft
- Using both keys and tokens
We are going to secure Azure functions using keys today. I will cover token-based authentication in another article.
Let's first discuss authorization levels in Azure functions. The first parameter of the HttpTrigger attribute is the authorization level required to call the function. AuthorizationLevel is an enum and can take the following values:
- Anonymous: No authentication required
- Function: Authorization at function level
- User: Authorization at user level
- System: Authorization at function app level
- Admin: Admin authorization.
An Azure function app can host more than one function; an HTTP trigger function is one kind of function.
Let's now create a function app project and add an HTTP trigger function. You can create a function app and scaffold an HTTP trigger function using Azure Functions Core Tools in VS Code or Visual Studio. I am going to use .NET 6 as the target framework and v4 as the functions runtime version. Change the authorization level to AuthorizationLevel.Function if it is set to something else. We are going to call this function endpoint using a function key specific to this function.
```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class SayHello
{
    [FunctionName("SayHello")]
    public static async Task<IActionResult> Run(
        // AuthorizationLevel.Function: every call must carry a function key (or a host key)
        [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,
        ILogger log)
    {
        // Nothing is awaited here; the async signature is the one the template scaffolds
        return new OkObjectResult("Hello there!");
    }
}
```
Create a function app in the Azure portal (GreetAzFunction in my case). You will need a working Azure subscription for this. Publish the function to the function app; this is pretty simple and can be done directly from Visual Studio or VS Code.
Let’s talk about keys now.
App Keys
When we create an Azure function app, two app keys are created automatically: default and _master. These are called host keys. Host keys apply to all the functions within the function app and can be used to call any of them.
Function Keys
Any Azure function (other than one with AuthorizationLevel.Anonymous) you add to the function app will get a function key named default, valid only for that particular function.
Each key is named for reference, and there is a default key (named default) at the function and host level. Function keys take precedence over host keys. When two keys are defined with the same name, the function key is always used.
Each function app also has an admin-level host key named _master. In addition to providing host-level access to all functions in the app, the master key also provides administrative access to the runtime REST APIs. This key cannot be revoked. When you set an access level of admin, requests must use the master key. Any other key results in access failure.
Note: Due to the elevated permissions in your function app granted by the master key, you should not share this key with third parties or distribute it in native client applications. Use caution when choosing the admin access level.
Let's discuss the authorization levels again with respect to keys.
- Anonymous: No authentication is required, so no key is needed when calling the function.
- Function: Gives access to a specific function only. A function key or a host key can be used.
- Admin and System: These levels work with host keys rather than function keys. Host keys give access to all functions in the function app, unlike function keys, which work only for a specific function.
- User: Allows access to requests that include a valid authentication token.
Note: These keys should not be used in client-side applications such as single-page apps, since doing so might expose them. Use keys when making requests from server-side applications; token-based authentication is advised when calling from a client-side application. I will cover this topic in another article.
Let's now call the HTTP function "SayHello" using its function key.
Copy the default function key for the "SayHello" function from the Azure portal.
You can specify the key in two ways when calling the endpoint:
Using the query parameter "code" in the request URL:
https://<function-app-name>.azurewebsites.net/api/<function-name>?code=<key>
Using the key in the request header "x-functions-key":
Note: The azure function name and function key used here are from my personal azure subscription and stand invalid now.
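To make the level-to-key rules above and the two ways of passing the key concrete, here is a small Python model of how a request is checked; it is an added example written for this article, not Azure's own runtime code, and all key values in it are constructed placeholders.

```python
import hmac
from typing import Dict, Optional

# Constructed sample keys (not real Azure keys). Host keys belong to the
# function app as a whole; function keys belong to one named function.
HOST_KEYS = {"_master": "hostMasterKey-CONSTRUCTED", "default": "hostDefaultKey-CONSTRUCTED"}
FUNCTION_KEYS = {"SayHello": {"default": "fnDefaultKey-CONSTRUCTED"}}


def extract_key(query: Dict[str, str], headers: Dict[str, str]) -> Optional[str]:
    """Return the caller-supplied key from the x-functions-key header
    (header names are case-insensitive) or, failing that, the 'code' query parameter."""
    for name, value in headers.items():
        if name.lower() == "x-functions-key":
            return value
    return query.get("code")


def _matches(supplied: str, keys: Dict[str, str]) -> bool:
    # compare_digest keeps the comparison constant-time so a secret does not leak via timing
    return any(hmac.compare_digest(supplied, k) for k in keys.values())


def authorize(level: str, function_name: str, query: Dict[str, str], headers: Dict[str, str]) -> bool:
    """Decide whether a call is allowed under the article's key rules for each AuthorizationLevel."""
    if level == "Anonymous":
        return True                       # no key needed
    supplied = extract_key(query, headers)
    if supplied is None:
        return False                      # every other level needs some key
    if level == "Function":
        # this function's own keys, or any host key, are accepted
        return _matches(supplied, FUNCTION_KEYS.get(function_name, {})) or _matches(supplied, HOST_KEYS)
    if level == "System":
        return _matches(supplied, HOST_KEYS)   # host keys only; function keys do not qualify
    if level == "Admin":
        return hmac.compare_digest(supplied, HOST_KEYS["_master"])  # only _master is accepted
    return False                          # "User" needs a token, which keys cannot satisfy
```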
You don't need a key when calling an HTTP trigger function hosted in the local runtime (Visual Studio or VS Code).
The source code used here can be found on GitHub: https://github.com/iamsandeepkmr/AzureFunctionWithKeys
I hope you enjoyed the article. Comment for any query or feedback. Please clap if you liked it.
Cheers!