Understanding Function Access Keys in Azure Functions (2024)

Azure Functions provide a way to secure HTTP function endpoints during development using function access keys. These keys are required in the request unless the HTTP access level is set to anonymous. While function keys offer a default security mechanism, other options should be considered for production environments, especially when dealing with public apps.

Key Concepts

1. Function Access Keys

• Purpose: Provide security for HTTP function endpoints.
• Usage: Required in the request unless the HTTP access level is set to anonymous.
• Renewal: When keys are renewed, updated key values must be manually redistributed to all clients calling the function.

2. Authorization Scopes (Function-level)

• Function Keys: Apply only to specific functions, allowing access only to that function.
• Host Keys: Apply to all functions within the function app, allowing access to any function. Host keys take precedence over function keys.

3. Master Key (Admin-level)

• Purpose: Provides host-level access to all functions in the app and administrative access to runtime REST APIs.
• Usage: Set as the access level of admin; requests must use the master key for access.

4. System Key

• Purpose: Required for specific extensions to access webhook endpoints.
• Usage: Generated by specific extensions and generally applies to the entire function app.

5. Keys Comparison

• Function Execution: Specific function - Function key, Any function - Function or host key.
• Admin Endpoint Calls: Host key (master only) required.
• Durable Task Extension APIs: System key required.
• Extension-specific Webhook Calls: System key required.

Best Practices

• Avoid distributing shared secrets in public apps.
• Use caution when using the master key, as it provides administrative access.
• Consider other security mechanisms for public client access in production environments.