Azure function returns 403 error.

Ayush Shrivastava 60

I am calling my azure function from ASD and the function returns 403.

I have configured it to send 401 in case of unauthorised requests.

I want to use managed identity to trigger the function.

Here is my function code.

package
import
import
import
import
import
import
import
import
import
/**
 * Azure Functions with HTTP Trigger.
 */
public
 /**
 * This function listens at endpoint "/api/HttpExample". Two ways to invoke it using "curl" command in bash:
 * 1. curl -d "HTTP Body" {your host}/api/HttpExample
 * 2. curl "{your host}/api/HttpExample?name=HTTP%20Query"
 */
 @
public
 @
name
methods
authLevel
HttpRequestMessage
final
context
// Parse query parameter
final
final
if
return
 } 
String
 {
 "name" : "response"
 }
 """
context
return
 }
 }
}

Here is my query -

DECLARE

EXEC
@url
@method
@credential
@response
SELECT
@response

I think I need to give my Sql servers managed identity some permissions but I am not able to figure what permission it needs.

Ayush Shrivastava 60 Reputation points

2024-09-04T21:22:41.3366667+00:00
My code -

package com.security;

import com.microsoft.azure.functions.ExecutionContext; import com.microsoft.azure.functions.HttpMethod; import com.microsoft.azure.functions.HttpRequestMessage; import com.microsoft.azure.functions.HttpResponseMessage; import com.microsoft.azure.functions.HttpStatus; import com.microsoft.azure.functions.annotation.AuthorizationLevel; import com.microsoft.azure.functions.annotation.FunctionName; import com.microsoft.azure.functions.annotation.HttpTrigger; import java.util.Optional; /**

Azure Functions with HTTP Trigger. / public class Function { /*

This function listens at endpoint "/api/HttpExample". Two ways to invoke it using "curl" command in bash:

curl -d "HTTP Body" {your host}/api/HttpExample

curl "{your host}/api/HttpExample?name=HTTP%20Query" */ @FunctionName("HttpExample") public HttpResponseMessage run( @HttpTrigger( name = "req", methods = {HttpMethod.GET, HttpMethod.POST}, authLevel = AuthorizationLevel.ANONYMOUS) HttpRequestMessage<Optional<String>> request, final ExecutionContext context) { context.getLogger().info("Java HTTP trigger processed a request."); // Parse query parameter final String query = request.getQueryParameters().get("name"); final String name = request.getBody().orElse(query); if (name == null) { return request.createResponseBuilder(HttpStatus.BAD_REQUEST).body("Please pass a name on the query string or in the request body").build(); } else { String resp = """ { "name" : "response" } """; context.getLogger().info(request.toString()); return request.createResponseBuilder(HttpStatus.OK).body(resp).build(); } } } My query -

DECLARE @response AS NVARCHAR(MAX); EXEC sp_invoke_external_rest_endpoint @url = N'https://security-test-asd.azurewebsites.net/api/HttpExample?name=name', @method = 'GET', @credential = [https://security-test-asd.azurewebsites.net/api/HttpExample], @response = @response OUTPUT; SELECT @response
Nandan Hegde 32,026 Reputation points MVP

2024-09-05T03:11:07.6233333+00:00

Can you please specify what permission you have provided the Azure SQL server on the Azure function?
Ayush Shrivastava 60 Reputation points

2024-09-05T07:34:29.47+00:00

I have provided my SQL server's Identity(System assigned) role - Website Contributor and Contributor role.

2 answers

Nandan Hegde 32,026 Reputation points MVP

2024-09-05T03:35:13.74+00:00

For bare minimal testing, you can provide the Azure SQL server contributor role at the Azure function via RBAC and test out your execution.

Note : This is some higher privelege

You can follow the below link to create a custom role for least min privilege if need be :

https://stackoverflow.com/questions/63610514/which-permission-allows-triggering-of-an-azure-function
Please sign in to rate this answer.
Nandan Hegde 32,026 Reputation points MVP

2024-09-05T09:54:49.33+00:00

I have provided my SQL server contributor role at the Az function level and it is working as expected (note: the function is https trigger type)
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Ayush Shrivastava 60 Reputation points

2024-09-05T16:30:36.7+00:00

This is still not working. Can we do this over a quick call?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure function returns 403 error.

2 answers

Your answer