Chapter 7. Security

So far, we have allocated resources and deployed endpoints for our serverless applications without paying much attention to who can access them. When working with serverless projects, security is extremely important. Not only must you control who has the right to access information, you must also take into account the possibility of abuse: in a consumption-based model the cost of handling requests grows in proportion to the workload, and an endpoint that anyone can call lets anyone generate that workload unless you have established limits.

Azure Functions Authorization Levels

Our first step should be to pay a little more attention to the authorization level of our deployed functions.

When we create a new function in our Function App with the command func new, we can see in its function.json definition file that the authorization level (the authLevel property of the httpTrigger binding) is anonymous by default:

{
  "scriptFile": "__init__.py",
  "bindings": [
    {
      "authLevel": "anonymous",
      "type": "httpTrigger",
      "direction": "in",
      "name": "req",
      "methods": [
        "get",
        "post"
      ]
    },
    {
      "type": "http",
      "direction": "out",
      "name": "$return"
    }
  ]
}

For any level that is not anonymous, an access key must be supplied with every call to the function. The key can be sent either as the code query-string parameter or in the x-functions-key request header. In the query-string form, instead of just the URL with its parameters we must also append the key; for example:

https://testkeysfaas.azurewebsites.net/api/HttpTrigger1?code=o/dFoKcpqw3aNMuV3uRFi2qLJdVvr226HXlWs8FkFMGwL63J1ie2dw==

The authLevel property accepts three values: anonymous (no key required), function (a function key or host key is required) and admin (only the host master key is accepted). There are two main levels for keys:

Host

Defined for the whole Function App. A host key is accepted by every function in the app. The host keys also include the _master key, which additionally grants access to admin-level functions and to the runtime's administrative endpoints, so it must never be embedded in client code or handed to ordinary callers.

Function

Defined just for one function. A function key is accepted only by that function, which makes it the right key to give to a single client or integration.
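The following script is an added example for this chapter, not code from the book. It does two things a practitioner wants once authorization levels are in play: it walks a Function App project, parses every function.json and reports HTTP triggers that are reachable without a key (or that leave authLevel undeclared), and it builds an authenticated request that presents the key in the x-functions-key header rather than in the URL, so the key does not end up in proxy and web-server access logs. The sample function.json contents, folder names and the https://example.test host are constructed for the demonstration.

```python
import json
import os
import tempfile
import urllib.parse

# The authLevel values the Azure Functions runtime accepts on an httpTrigger binding.
VALID_LEVELS = {"anonymous", "function", "admin"}


def audit_function_json(func_name, text):
    """Parse one function.json and return (function, level, message) findings for
    every httpTrigger binding that needs no key or whose authLevel is missing or
    unrecognised. Non-HTTP bindings (queues, timers, ...) have no authLevel."""
    findings = []
    for binding in json.loads(text).get("bindings", []):
        if binding.get("type") != "httpTrigger":
            continue
        level = binding.get("authLevel")
        if level is None:
            # The runtime default is "function", but an undeclared level is easy
            # to misread during review, so report it and ask for an explicit value.
            findings.append((func_name, "unset",
                             "authLevel not declared; set it explicitly"))
        elif level not in VALID_LEVELS:
            findings.append((func_name, level, "unrecognised authLevel value"))
        elif level == "anonymous":
            findings.append((func_name, level,
                             "HTTP trigger reachable without any key"))
    return findings


def audit_project(root):
    """Walk a Function App project (one folder per function) and audit each
    function.json found. Returns findings sorted by function name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "function.json" in files:
            path = os.path.join(dirpath, "function.json")
            with open(path, encoding="utf-8") as fh:
                findings.extend(
                    audit_function_json(os.path.basename(dirpath), fh.read()))
    return sorted(findings)


def keyed_request(url, key, use_header=True):
    """Return (url, headers) that present a function or host key.
    The default puts the key in the x-functions-key header, keeping it out of
    URL-based logs; use_header=False appends it as the ?code= parameter instead,
    which is the form shown in the chapter."""
    if use_header:
        return url, {"x-functions-key": key}
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query.append(("code", key))  # urlencode percent-escapes '/' and '=' in the key
    new_query = urllib.parse.urlencode(query)
    return urllib.parse.urlunsplit(parts._replace(query=new_query)), {}


# Constructed sample function.json contents (not taken from a real project).
SAMPLE_ANONYMOUS = json.dumps({
    "scriptFile": "__init__.py",
    "bindings": [
        {"authLevel": "anonymous", "type": "httpTrigger", "direction": "in",
         "name": "req", "methods": ["get", "post"]},
        {"type": "http", "direction": "out", "name": "$return"},
    ],
})
SAMPLE_FUNCTION = json.dumps({
    "scriptFile": "__init__.py",
    "bindings": [
        {"authLevel": "function", "type": "httpTrigger", "direction": "in",
         "name": "req", "methods": ["post"]},
        {"type": "http", "direction": "out", "name": "$return"},
    ],
})
SAMPLE_UNSET = json.dumps({
    "scriptFile": "__init__.py",
    "bindings": [
        {"type": "httpTrigger", "direction": "in", "name": "req", "methods": ["get"]},
        {"type": "http", "direction": "out", "name": "$return"},
    ],
})
SAMPLE_QUEUE = json.dumps({
    "scriptFile": "__init__.py",
    "bindings": [
        {"type": "queueTrigger", "direction": "in", "name": "msg",
         "queueName": "work", "connection": "AzureWebJobsStorage"},
    ],
})


def demo():
    """Lay the samples out as a Function App project in a temp dir and audit it."""
    samples = {"HttpTrigger1": SAMPLE_ANONYMOUS, "Locked": SAMPLE_FUNCTION,
               "Unset": SAMPLE_UNSET, "QueueWorker": SAMPLE_QUEUE}
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            os.makedirs(os.path.join(root, name))
            with open(os.path.join(root, name, "function.json"), "w",
                      encoding="utf-8") as fh:
                fh.write(text)
        return audit_project(root)


if __name__ == "__main__":
    for func, level, message in demo():
        print(f"{func}: authLevel={level}: {message}")
    print(keyed_request("https://example.test/api/HttpTrigger1", "<function-key>"))
```

Run the audit against the root of a Function App project before each deployment (for example as a CI step) and fail the build on any finding; an anonymous HTTP trigger should be a deliberate, reviewed exception rather than a template default that nobody noticed.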

The authLevel parameter ...
