What's the closest equivalent in Azure to an AWS Lambda, that is only accessible with a given IAM role?
It looks like Azure Functions are fairly wide open by default (like a Lambda + API gateway as a single resource), and I'm wondering how to best replicate the kind of behavior where a function is only available to a service principal or a user already authenticated with Azure.
There are several things you can do to secure Functions. You can enable app service authorization and authentication, deploy them in App Service Environments, and restrict with Function keys.
https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=csharp#secure-an-http-endpoint-in-production
Related
I am starting with the Azure function in which I am creating API Function. After creating that function, I need to protect it.
Previously, I used the Microsoft.Identity.Platform to protect API's recourses, in which I created a registration in Azure AD for API, exposed the scopes, added the client apps in the list to provide access to the resources. Furthemore, it required to confirmation for 'API permission' in client app's Azure AD registration.
So, is there anything similar can I do, and do you think it would be a good option or if there are other options to pick from?
I read about the function key, but I read it is good for development not good for production.
I read about the function key, but I read it is good for development not good for production.
As you can see in this MS Doc, Microsoft mentioned that Authorization keys along with App Service Authentication is good for securing the HTTP Endpoints on all the stages like dev, testing and production environments in Azure Functions.
Also, there are multiple ways to secure your function API such as Authorization Keys, using APIM, (Front door + WAF) for restricting the incoming requests.
One of my workarounds 72633969 shows in securing the Azure functions in the context of restrict the function app from internet access and allow only from the APIM Instance.
The Steps I followed for the above solution in securing the Azure Function App APIs through APIM is:
Created a Http Trigger Function in the Function App.
Adding the allowed IP Addresses in the Access Restrictions of the Azure Function App Portal Menu > Networking Tab.
Set the Authorization Level of API to the "Function" Level or Custom key-value level that adds more security after adding to APIM Instance.
Added/Imported the Function API in APIM Instance and checked from the allowed IP addresses and also non-allowed IP address (System):
And more information on securing APIs using APIM Instance is given in the above Microsoft Documentation.
Authorization keys are a default security mechanism which is better if keys not published in public applications or publicly shared.
For better security mechanism, choose different options for the production environment. the other ways should be followed from the above-mentioned comment and refer to MS Q&A Forum 801055 provided the same by the user #LohithGN.
I am hosting my Azure Functions as containers in my AKS cluster. Some of my functions have HTTP Triggers, and I don't want them exposed publicly (although security is not a huge concern so I also don't want to roll my own token authentication in there). These functions have never been deployed to Azure App Services, so there is no "Function App" and no "Function Name" that I can use to get a token (other than the Function Name that I put in the attribute on the methods in my code).
How can you access authorization keys for Azure Functions that are hosted in AKS?
You should be able to do this by setting AzureWebJobsSecretStorageType=kubernetes and reference your custom key via secret AzureWebJobsKubernetesSecretName=my-key-secret. This was introduced by this PR which documents that quite well: https://github.com/Azure/azure-functions-host/pull/4462
Anyone has suggestions on how to implement automated key rotation for service account credentials used in the cloud function, AppEngine, GKE.
GCP has added this as one of the recommended security policies for cloud-native services. We can find APIs/client libraries to generate a new private key for the existing service account. But we don't really get how to update the newly generated key on the application deployed in AppEngine, cloud function during runtime.
When you are on Google Cloud components, you don't have to use service account key files. It's a bad practice (even if presented as "standard" in too many tutorials, even Google Cloud tutorials!).
A service account key file is a nightmare to manage. It's a file. You can copy it, you can send it by email, you can even commit it in source repository (maybe public repo!!). In addition, you need to keep it secure and to rotate it regularly...
The best way to simplify this, is to not use them and to rely on Google Cloud component identity. Of course, for all external component, like a CI/CD, an on prem app (or on other cloud provider), the service account key file is the best way to be authenticated on Google Cloud
For Cloud Functions, you can use Cloud Functions Identity
For GKE, you can use Workload Identity
For App Engine, you can rely on the App Engine default service account
For you local development, perform a gcloud auth application-default login to create a default credential with your own user account
In each case, you can recover the default credential in your code. (here an example of a simple credential, without client library, only Google OAuth2 lib)
Note: For some operation, App Engine default service account isn't usable (generate an identity token based on metadata servers or changing the scope of the access_token). For this, I recommend you to impersonate service accounts instead of using service account key file
I have an Azure API Management service communicating with Azure functions runtime v1. Currently when i deploy a new version of the Function App (using CI/CD pipeline in Azure Devops, and using built-in microsoft tasks), the function keys (including master key) change. Consequently, the key that the API Management's api is injecting in the requests to the function is not longer valid, and i get a 401 - Unauthorized. So, i have at the moment a task in the pipeline to update these keys anytime i deploy the Function App. The API Management provides a feature to enable Managed Identity, but when i try to create a role assignment in the Function App to the API Management, under the System assigned managed identity, i don't have the option for API Management service. So i presume it is not possible to setup this role assignment between the two services, right? If not, then is there any suggestion for a workaround to avoid manage keys for the communication between API Management service and Azure Functions?
Thanks
UPDATE
Managed Identity can now be used by leveraging the authentication-managed-identity policy.
Yes. Managed Identity cannot be used here.
One alternative would be to protect your function app with an IP restriction using the APIM Instances IP which guaranteed to be static as long as it isn't recreated and setting the function to be an anonymous function.
Note that you might have problems accessing the function from the portal too for which you would have to allow the public IP of the computer you are using to access if required.
Another option would be to
Setup authentication for your function app
Have APIM get an access token with the Client Credentials Flow using the send-request policy
Set this access token in the header to call the anonymous function
You could probably try caching this access token using the cache policies.
I just wrote my first app with Azure. Just a small function app calling the IoT service and suddenly it hit me - I didn't have to create any IAM role or anything. The app just worked. I tried to look up the IAM service on Azure, but found nothing. This would never fly with AWS or Google Cloud. Does Azure have any IAM-like management anywhere? If my app has a bug that allows remote server-side code execution, does it mean that the attacker will basically gain access over my entire Azure account?
Azure does have role based access control and managed service identity (identity you assign to azure services, not all of the services have that yet). If you are using connection strings (usual pattern) nothing would happen if your app gets compromised. Attacker would be able to talk to your IoT Hub (or whatever you were using).
If you are using managed service identity then the attacker could, in theory, act on behalf of that identity. So if you grant all permission to that identity - then yes. Attacker would be able to do anything.
If your application talk to Azure REST Api directly to create\modify resources and gets compromised - attacker would, in theory, have the same rights as the application.
Having said that, I dont think Azure is any way less secure then AWS or GCP. Unless you grant the app all the permissions in the world - it has none to actually manage Azure.