Edgaras

Secure Azure Functions Endpoints with Access Keys

Azure Functions allows you to use keys to restrict access to your function endpoints. Unless the HTTP access level of an HTTP-triggered function is set to anonymous, requests must include an access key.

Understanding Access Keys

The scope of an access key and the actions it supports depend on its type.

| Key type | Key name | Action | Description |
|---|---|---|---|
| Function | default or user defined | Execute specific function | Grants access only to a specific function endpoint. |
| Host | default or user defined | Execute any function | Grants access to all function endpoints within a function app. |
| Master | _master | Call an admin endpoint | A special host key that also provides administrative access to the runtime REST APIs in a function app. |
| System | Depends on the extension | Call durable task extension APIs or extension-specific webhook | Certain extensions require a system-assigned key to access webhook endpoints. These system keys are intended for extension-specific function endpoints invoked by internal components. |

Selecting the Authentication Level

When creating an HTTP-triggered function, you must choose an authentication level. This determines whether requests require an access key. The available options typically include:

  1. FUNCTION – Requires a function-specific access key.
  2. ANONYMOUS – Allows open access with no authentication.
  3. ADMIN – Requires the master key for access.

During the function creation process, you may see a prompt similar to this:

[Image: Azure Functions Python]

Selecting FUNCTION ensures that access to the function requires a valid function key.

Checking Authorization in Code

import azure.functions as func
import logging

app = func.FunctionApp()


@app.route(route="api_test", auth_level=func.AuthLevel.FUNCTION)
def api_test(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    return func.HttpResponse("This HTTP triggered function authenticated and executed successfully", status_code=200)

The auth_level=func.AuthLevel.FUNCTION setting ensures that the function requires authentication using a function-level access key.
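
A static check for the setting described above, as an added example that is not part of the original post: it parses a function app's Python source with the standard-library ast module and reports the auth_level of each @app.route handler, so ANONYMOUS endpoints stand out in review. SAMPLE_SOURCE and the helper names are constructed for illustration; a route with no explicit auth_level is reported as INHERITED because the app-level setting then applies.

```python
import ast

# Constructed sample source, not from the original post.
SAMPLE_SOURCE = '''
import azure.functions as func
app = func.FunctionApp()

@app.route(route="api_test", auth_level=func.AuthLevel.FUNCTION)
def api_test(req): ...

@app.route(route="health", auth_level=func.AuthLevel.ANONYMOUS)
def health(req): ...

@app.route(route="legacy")
def legacy(req): ...
'''

def _level_name(node):
    """Auth level as an upper-case string, or UNRESOLVED if not a literal."""
    if isinstance(node, ast.Attribute):      # func.AuthLevel.FUNCTION
        return node.attr.upper()
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value.upper()            # auth_level="function"
    return "UNRESOLVED"

def audit_auth_levels(source):
    """Map each @<app>.route handler name to (route, auth level)."""
    findings = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                    and dec.func.attr == "route"):
                continue
            kwargs = {kw.arg: kw.value for kw in dec.keywords}
            route = kwargs.get("route")
            route = route.value if isinstance(route, ast.Constant) else None
            # No explicit auth_level: the FunctionApp-level setting applies.
            level = _level_name(kwargs["auth_level"]) if "auth_level" in kwargs else "INHERITED"
            findings[node.name] = (route, level)
    return findings

def keyless_routes(source):
    """Handlers that can be invoked without any access key."""
    return sorted(name for name, (_, level) in audit_auth_levels(source).items()
                  if level == "ANONYMOUS")

if __name__ == "__main__":
    for name, (route, level) in audit_auth_levels(SAMPLE_SOURCE).items():
        print(f"{name:10} {str(route):10} {level}")
```

Run over function_app.py in CI, a non-empty keyless_routes() result can be used to fail the build until each anonymous endpoint is explicitly approved.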

Sending Requests with an Access Key

When making a request to a function with authentication enabled (i.e., auth_level=func.AuthLevel.FUNCTION), you must include the access key in the x-functions-key header.

Example using curl

curl -X GET "https://<your-function-app>.azurewebsites.net/api/api_test" \
     -H "x-functions-key: YOUR_ACCESS_KEY"

Example using Python (Requests library)

import requests

url = "https://<your-function-app>.azurewebsites.net/api/api_test"
headers = {
    "x-functions-key": "YOUR_ACCESS_KEY"
}

# Send the key in the x-functions-key header and bound the wait with a timeout.
response = requests.get(url, headers=headers, timeout=10)
print(response.status_code, response.text)

This ensures that only clients with the correct access key can invoke the function.

Get your function access keys

You can get your access keys from the Azure portal.

  1. Sign in to the Azure portal, then search for and select Function App.
  2. Select the function app you want to work with.
  3. In the left pane, expand Functions, and then select App keys.

The App keys page appears. On this page the host keys are displayed, which can be used to access any function in the app. The system key is also displayed, which gives anyone administrator-level access to all function app APIs.
