I've been reading up a bit on the Azure Functions, and I was wondering how we can control/prevent the Azure Function from accessing specific resources.
The documentation does mention authentication against the Azure Function, so that for instance a specific client ID and secret is being used to be able to use the Function. This is only the frontend though.
I want to make sure that the Function is limited by a set of permissions towards the backend.
For instance:
I want the Azure Function to only have permissions to start/stop/restart servers in 1 resource group.
I want the Azure Function to only be allowed to read, write on virtual machines within 1 resource group.
Basically, I want to put RBAC on the Function to prevent it from ever being able to be abused/used on accident or maliciously on resources it shouldn't.
It doesn't get mentioned in the documentation. So I can make the assumption that whatever permissions are assigned to the application/service principal, which is used to call the function, is whatever limitation the Azure Function has. But I would rather not assume or guess, because that could involve some security concerns as I am looking towards the possible use of Azure Functions for a project I'm working on.