Is there a way to secure an Azure Function that will only be called from a specific Azure Logic App?

情书的邮戳 2020-12-06 13:54

I understand that Azure Functions are potentially open endpoints on the internet if I read Microsoft’s documentation correctly and per conversations with a friend who has so

2 answers
  • 2020-12-06 14:07

    Firstly, even though using keys might be convenient, I see that the official documentation advises against using keys to secure a function endpoint in production scenarios.

    I suggest it would be a better choice to go with Azure Active Directory for security, as explained here: Secure an HTTP endpoint in production

    How to Implement

    I see two possible approaches:

    1. Simple Approach: Check that the calling application is your Azure logic app specifically

    Enable Azure Active Directory Authentication for your Azure Function App. You can simply use Express settings (with the option to create a new Azure AD app).

    Enable Managed Service Identity for your Logic App.

    Find out the appid for the Managed Service Identity associated with your logic app: go to Azure Portal > Azure Active Directory > Enterprise Applications > All Applications > Relevant Service Principal (explained in more detail with screenshots in another SO post here).

    Authenticate your logic app to the Azure function using Managed Service Identity as explained here: Authenticate with managed identity in logic app. Note that the resource being accessed will be your Azure function.

    In your function code, you can now check that the appid claim in the access token exactly matches the appid for the logic app (i.e. the logic app is the one calling your function); otherwise you can reject the call with an Unauthorized exception.

    2. A more declarative Approach: Have an application permission defined for the Azure function app and check for this permission/role being present in the auth token from the client calling your function

    This approach is a little more declarative, as you define an application permission that needs to be assigned to any application that can call your Azure function.

    Enable Azure Active Directory Authentication for your Azure Function App. You can simply use Express settings (with the option to create a new Azure AD app).

    Now go to Azure Active Directory > App Registrations > App registration for your function app > Manifest

    Add a new application role using JSON like this:

    "appRoles": [
      {
        "allowedMemberTypes": [
          "Application"
        ],
        "displayName": "Can invoke my function",
        "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
        "isEnabled": true,
        "description": "Apps that have this role have the ability to invoke my Azure function",
        "value": "MyFunctionValidClient"
      }
    ]

    Enable Managed Service Identity for your Logic App.

    Find out the appid for the Managed Service Identity associated with your logic app, as already explained in approach 1 above.

    Assign the app permission to this managed service identity:

    New-AzureADServiceAppRoleAssignment -ObjectId <logicappmsi.ObjectId> -PrincipalId <logicappmsi.ObjectId> -Id "fc803414-3c61-4ebc-a5e5-cd1675c14bbb" -ResourceId <yourfunctionaadapp.ObjectId>

    Authenticate your logic app to the Azure function using Managed Service Identity, as already explained in approach 1 above.

    Now, in the auth token received by your function, you can check that the role claims collection contains a role named "MyFunctionValidClient"; otherwise you can reject the call with an Unauthorized exception.

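The two checks from the answer above (approach 1: appid must match the Logic App's managed identity; approach 2: the roles claim must contain the app role value), as an added example that is not from the original post. It assumes App Service Authentication has already validated the bearer token and injected the X-MS-CLIENT-PRINCIPAL header (base64 JSON with a list of typ/val claims); the Logic App appid is a constructed placeholder, and the headers are passed as a plain dict so the code runs without the Azure Functions SDK.

```python
import base64
import json

# Constructed placeholder: the appid of the Logic App's managed identity
# (in a real deployment, take this from Enterprise Applications, as the answer describes).
EXPECTED_LOGIC_APP_APPID = "11111111-2222-3333-4444-555555555555"
# The appRole "value" from the manifest fragment in the answer.
REQUIRED_ROLE = "MyFunctionValidClient"


def claims_from_client_principal(header_value: str) -> dict:
    """Decode the X-MS-CLIENT-PRINCIPAL header that App Service Authentication
    adds after it has validated the token. Returns claim type -> list of values
    (a list because 'roles' may appear several times)."""
    decoded = json.loads(base64.b64decode(header_value))
    claims = {}
    for c in decoded.get("claims", []):
        claims.setdefault(c["typ"], []).append(c["val"])
    return claims


def caller_is_logic_app(claims: dict) -> bool:
    """Approach 1: the appid claim (v1 tokens; 'azp' in v2 tokens) must be exactly
    the Logic App's managed identity, and nothing else."""
    return claims.get("appid") == [EXPECTED_LOGIC_APP_APPID]


def caller_has_role(claims: dict, role: str = REQUIRED_ROLE) -> bool:
    """Approach 2: the roles claim must contain the assigned app role value."""
    return role in claims.get("roles", [])


def authorize(headers: dict) -> int:
    """HTTP status to return: 401 when no validated principal is present
    (auth is not configured or the request bypassed it), 403 when the caller
    is authenticated but is not the permitted Logic App, 200 otherwise.
    Both checks are applied here so the example covers each approach."""
    header_value = headers.get("X-MS-CLIENT-PRINCIPAL")
    if not header_value:
        return 401
    claims = claims_from_client_principal(header_value)
    if caller_is_logic_app(claims) and caller_has_role(claims):
        return 200
    return 403


def make_principal_header(appid: str, roles: list) -> str:
    """Build a constructed X-MS-CLIENT-PRINCIPAL value for offline testing."""
    claims = [{"typ": "appid", "val": appid}] + [{"typ": "roles", "val": r} for r in roles]
    principal = {"auth_typ": "aad", "claims": claims}
    return base64.b64encode(json.dumps(principal).encode()).decode()
```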
  • 2020-12-06 14:09

    In addition to the above steps explained by @Rohit, the below step is important:

    Go to Host.json of the function. The default "authLevel": "function" should be changed to "authLevel": "anonymous".

    This does not mean anyone can access the function: as with Log on AD sign-in authentication, a signed-in user is required; however, with the managed identity in the logic app, the function authenticates with a service principal.
