Reputation: 3776
I have a .NET-based Azure Function with an HTTP trigger that is just doing some basic DB queries. I am invoking the function from my azure-pipeline.yml file in the deploy stage.
The issue right now is that the function is not secure and anyone can call it. I want to secure it somehow so that I can only call it from my pipeline (using the token probably). But I want to know what's the best approach for this? Any sample link would be appreciated.
Also, should I go with AD-based authentication (probably the client credentials flow)? If yes, what's the best way to store the credentials?
Upvotes: 2
Views: 3717
Reputation: 7251
1, Just create your HTTP trigger with the 'function' auth type, and then copy the function key:
```json
{
  "bindings": [
    {
      "authLevel": "function",
      "name": "req",
      "type": "httpTrigger",
      "direction": "in",
      "methods": [
        "get",
        "post"
      ]
    },
    {
      "name": "$return",
      "type": "http",
      "direction": "out"
    }
  ]
}
```
2, Store it in DevOps Library, and secure it:
3, Give the permission
4, Call the function http trigger successfully:
```yaml
pool:
  vmImage: 'windows-latest'

variables:
- group: FunctionKeys

steps:
- script: |
    pip install requests
  displayName: 'Install requests'
- task: PythonScript@0
  displayName: 'Run a Python script'
  inputs:
    scriptSource: inline
    script: |
      import requests
      import os
      code = os.environ['code']  # get the env variable
      url = "https://bowmancallfunction.azurewebsites.net/api/HttpTrigger1?code=" + code
      payload = {}
      headers = {}
      response = requests.request("POST", url, headers=headers, data=payload)
      print(response.text)
  env:
    code: $(code)  # secret variables are not exposed to scripts unless mapped explicitly
```
Upvotes: 2
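The pipeline step above passes the key as `?code=` in the URL; the Functions host also accepts it in the `x-functions-key` request header, which keeps it out of URLs and request logs. The following is an added example, not part of the original answer: it sends the key in that header using only the standard library and raises when the key is rejected. `call_function`, `FakeFunctionHost`, `demo` and the key value are constructed for illustration, and the local server is a stand-in for the function app.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def call_function(url, key, payload=None, timeout=10):
    """POST to a key-protected HTTP trigger with the key in a header."""
    if not key:
        raise ValueError("function key is empty; check the pipeline variable mapping")
    # Header instead of ?code= keeps the key out of URLs and access logs.
    headers = {"x-functions-key": key, "Content-Type": "application/json"}
    body = json.dumps(payload or {}).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        # Raise so the pipeline step fails; the message never contains the key.
        raise RuntimeError(f"function call failed with HTTP {err.code}") from None

class FakeFunctionHost(BaseHTTPRequestHandler):
    """Constructed local stand-in for the function app, for the demo only."""
    expected_key = "constructed-demo-key"

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("x-functions-key") == self.expected_key
        self.send_response(200 if ok else 401)
        self.end_headers()
        self.wfile.write(b"ok" if ok else b"unauthorized")

    def log_message(self, *args):  # keep the demo output quiet
        pass

def demo():
    server = HTTPServer(("127.0.0.1", 0), FakeFunctionHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/api/HttpTrigger1"
    try:
        accepted = call_function(url, "constructed-demo-key")
        try:
            call_function(url, "wrong-key")
            rejected = None
        except RuntimeError as exc:
            rejected = str(exc)
        return accepted, rejected
    finally:
        server.shutdown()
```

In the pipeline step, `call_function` would be given the function URL and `os.environ['code']` in place of the demo values.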