Is security an issue when configuring & deploying an Azure Cosmos Change Feed Function App?

Question

Is security an issue when configuring & deploying an Azure Cosmos Change Feed Function App?

Siegfried Heintze 1,906

When I am creating a Cosmos Change Feed Function do I care about

Publicly visibility
Authorization Level (Function, Anonymous, Admin)

Thanks

Siegfried

Accepted answer

1 additional answer

Your answer

Answer 1

Ryan Hill 30,276 Microsoft Employee Moderator

Hi @Siegfried Heintze ,

Public availability and authorization is still relevant, but you are correct. When you bind your function to a Cosmos change feed trigger, your app doesn't have a URL endpoint and only will be invoked by how the trigger binding is configured. You can confirm this by going into the portal, clicking the function in the function app, and you will notice Get Function URL is greyed out.

Answer 2

Ryan Hill 30,276 Microsoft Employee Moderator

Hi @Siegfried Heintze

That's complete inherit to you and what you want out of your application, but I would advise reviewing Securing Azure Functions and determine which actions are best suited for your function app. If your function app isn't meant for public access, then I would at least look at Function level authorization wherein your endpoint can only be invoked when the URI has the supplied code/key.

Siegfried Heintze 1,906 Reputation points

2023-03-17T22:37:56.43+00:00

Yes but my understanding of a change feed is that it only talks to cosmos containers. Is this correct? If so, then the special admin key or function is useless. Correct? And the same for public access: change feeds don't respond to users: only changes in cosmos contains. Correct?
Ryan Hill 30,276 Reputation points Microsoft Employee Moderator

2023-03-20T19:35:34.81+00:00
The Cosmos DB Trigger is basically like connection string to your Cosmos instance. Only the function app can talk to your instance, but the invocation of the function can be:

Anonymous i.e. public

Function level, where it will be invoked when an appropriate (function or app) key is supplied.

So, what I mean by inherit to you and your app; let's say you have a web app. If you wanted only your web app to be able to invoke the function app, then you can set the authorization level to function, and have your web app supply the key in the HTTP request. On the flip side, let's say the data you were storing in Cosmos was for public consumption, the authorization level would anonymous.

Going back to your question, Change feed in Azure Cosmos DB does only apply to your Cosmos Db, but it's security is based on the application model where you use the provided SDK.
Siegfried Heintze 1,906 Reputation points

2023-03-21T13:30:10.3333333+00:00

Cosmos DB Trigger is basically like connection string to your Cosmos instance

Please elaborate on this. It sounds like you are saying a Cosmos DB Trigger can be invoked like a HTTP Trigger that has access to read/write my cosmos collection? Is this correct? How?
Ryan Hill 30,276 Reputation points Microsoft Employee Moderator

2023-03-23T23:27:09.1866667+00:00

My apologies for that, my response above was not correct. I think I was getting ahead of myself. I did create a separate answer.

Share via

Is security an issue when configuring & deploying an Azure Cosmos Change Feed Function App?

1 additional answer

Your answer