When I am creating a Cosmos Change Feed Function do I care about Publicly visibility Authorization Level (Function, Anonymous, Admin) Thanks Siegfried

Hi @Siegfried Heintze , Public availability and authorization is still relevant, but you are correct. When you bind your function to a Cosmos change feed trigger, your app doesn't have a URL endpoint and only will be invoked by how the trigger binding is configured. You can confirm this by going into the portal, clicking the function in the function app, and you will notice Get Function URL is greyed out.

Hi @Siegfried Heintze That's complete inherit to you and what you want out of your application, but I would advise reviewing Securing Azure Functions and determine which actions are best suited for your function app. If your function app isn't meant for public access, then I would at least look at Function level authorization wherein your endpoint can only be invoked when the URI has the supplied code/key.

Is security an issue when configuring & deploying an Azure Cosmos Change Feed Function App?

Siegfried Heintze 1,861

When I am creating a Cosmos Change Feed Function do I care about

Publicly visibility
Authorization Level (Function, Anonymous, Admin)

Thanks

Siegfried

Accepted answer

Ryan Hill 25,666 Reputation points Microsoft Employee

2023-03-23T23:44:43.8+00:00

Hi @Siegfried Heintze ,

Public availability and authorization is still relevant, but you are correct. When you bind your function to a Cosmos change feed trigger, your app doesn't have a URL endpoint and only will be invoked by how the trigger binding is configured. You can confirm this by going into the portal, clicking the function in the function app, and you will notice Get Function URL is greyed out.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

1 additional answer

Ryan Hill 25,666 Reputation points Microsoft Employee

2023-03-17T22:22:18.6866667+00:00

Hi @Siegfried Heintze

That's complete inherit to you and what you want out of your application, but I would advise reviewing Securing Azure Functions and determine which actions are best suited for your function app. If your function app isn't meant for public access, then I would at least look at Function level authorization wherein your endpoint can only be invoked when the URI has the supplied code/key.
Please sign in to rate this answer.
Siegfried Heintze 1,861 Reputation points

2023-03-17T22:37:56.43+00:00

Yes but my understanding of a change feed is that it only talks to cosmos containers. Is this correct? If so, then the special admin key or function is useless. Correct? And the same for public access: change feeds don't respond to users: only changes in cosmos contains. Correct?

Ryan Hill 25,666 Reputation points Microsoft Employee

2023-03-20T19:35:34.81+00:00

The Cosmos DB Trigger is basically like connection string to your Cosmos instance. Only the function app can talk to your instance, but the invocation of the function can be:

Anonymous i.e. public

Function level, where it will be invoked when an appropriate (function or app) key is supplied.

So, what I mean by inherit to you and your app; let's say you have a web app. If you wanted only your web app to be able to invoke the function app, then you can set the authorization level to function, and have your web app supply the key in the HTTP request. On the flip side, let's say the data you were storing in Cosmos was for public consumption, the authorization level would anonymous.

Going back to your question, Change feed in Azure Cosmos DB does only apply to your Cosmos Db, but it's security is based on the application model where you use the provided SDK.

Siegfried Heintze 1,861 Reputation points

2023-03-21T13:30:10.3333333+00:00

Cosmos DB Trigger is basically like connection string to your Cosmos instance

Please elaborate on this. It sounds like you are saying a Cosmos DB Trigger can be invoked like a HTTP Trigger that has access to read/write my cosmos collection? Is this correct? How?

Ryan Hill 25,666 Reputation points Microsoft Employee

2023-03-23T23:27:09.1866667+00:00

My apologies for that, my response above was not correct. I think I was getting ahead of myself. I did create a separate answer.
Sign in to comment