Secure Azure Functions with Managed Identities

Question

Pulumi · Accepted Answer

Managed identities in Azure are a feature that allows you to authenticate to services that support Azure Active Directory (Azure AD) authentication, without needing to include credentials in your code. Azure Functions can leverage managed identities to securely access other Azure services.

Using managed identities for Azure resources involves two types of identities:

- **System-assigned managed identity**: This identity is automatically created by Azure for the Azure resource, and it is tied to the lifecycle of this resource. When the resource is deleted, Azure also cleans up the identity.
- **User-assigned managed identity**: This is a standalone Azure resource that you create and manage. It can be assigned to one or more Azure resources, and it outlives the resources it's assigned to.

To secure an Azure Function with a managed identity, you would first need to enable a managed identity for the Azure Function and then configure the Azure resources you want the Function to access to accept authentication from this identity. Below is an outline of the steps we'll perform in the Pulumi program:

1. Create an Azure Function App.
2. Enable a system-assigned managed identity for the Function App.
3. Assign the necessary permissions to the managed identity for the Azure resources it needs to access.

Let's look at a Pulumi program that accomplishes these steps.

```python
import pulumi
import pulumi_azure_native as azure_native

# Create a Resource Group
resource_group = azure_native.resources.ResourceGroup('rg')

# Create a Storage Account required by the Function App
storage_account = azure_native.storage.StorageAccount('sa',
    resource_group_name=resource_group.name,
    kind="StorageV2",
    sku=azure_native.storage.SkuArgs(
        name="Standard_LRS"
    ))

# Create a Service Plan for our Azure Function
service_plan = azure_native.web.AppServicePlan('asp',
    resource_group_name=resource_group.name,
    sku=azure_native.web.SkuDescriptionArgs(
        name='Y1',
        tier='Dynamic'
    ),
    kind="FunctionApp")

# Create the Azure Function App with a system-assigned managed identity
function_app = azure_native.web.WebApp('functionApp',
    resource_group_name=resource_group.name,
    kind="FunctionApp",
    server_farm_id=service_plan.id,
    site_config=azure_native.web.SiteConfigArgs(
        app_settings=[
            azure_native.web.NameValuePairArgs(
                name="AzureWebJobsStorage",
                value=pulumi.Output.concat("DefaultEndpointsProtocol=https;AccountName=", storage_account.name, ";AccountKey=", storage_account.primary_access_key)
            ),
            azure_native.web.NameValuePairArgs(
                name="FUNCTIONS_EXTENSION_VERSION",
                value="~3"
            ),
            azure_native.web.NameValuePairArgs(
                name="WEBSITE_NODE_DEFAULT_VERSION",
                value="~10"
            ),
        ]
    ),
    identity=azure_native.web.ManagedServiceIdentityArgs(
        type="SystemAssigned"
    ))

# Use the managed identity to assign roles or access to other Azure resources as needed

# Export the Function App name and the principal ID of its managed identity
pulumi.export('function_app_name', function_app.name)
pulumi.export('managed_identity_principal_id', function_app.identity.apply(lambda identity: identity.principal_id if identity else None))
```

In this program, we've created an Azure Function App with a system-assigned managed identity. The `identity` argument is used to enable the managed identity when creating the `WebApp` resource, which represents the Function App. We then export the name of the Function App and the principal ID of its managed identity, which can be used to grant permissions to other Azure services.

Make sure you have the appropriate permissions to create these resources within your Azure subscription and have correctly set up your Pulumi environment to authenticate to Azure.

Remember, after the deployment, you will have to configure the resources you want the managed identity to access with appropriate roles and permissions that allow the Function App to perform actions on them. This is generally done in Azure using Role-Based Access Control (RBAC). The `principal_id` exported by the above program is what you would use to grant these roles.

This code assumes you have the Pulumi CLI installed and configured to communicate with your Azure subscription. Save this code into a file named `__main__.py` in a Pulumi project, and then execute `pulumi up` to deploy these resources to Azure.