Authentication & Authorization

Document every identity, permission, or secret that the IPAM Function App depends on. Update this file alongside any code change that adds or modifies auth requirements.

Identity

System-Assigned Managed Identity

The Function App uses a System-Assigned Managed Identity for authentication to Azure services. This identity is automatically created when the Function App is deployed and does not require manual credential management.

Benefits:

  • No secrets to manage or rotate
  • Automatic credential lifecycle management
  • Secure authentication to Azure services

Required Permissions

Storage Account

Role: Storage Table Data Contributor

Scope: Storage Account containing the networkCidr table

Required For:

  • Manager Function: Read/write operations for Sync, Reap, and Anchor
  • Vendor Function: Read/write operations for network allocation

How to Assign:

# Object ID of the Function App's system-assigned identity (the service principal that receives the role)
$functionAppIdentity = (Get-AzFunctionApp -ResourceGroupName $rgName -Name $functionAppName).Identity.PrincipalId
# Resource ID of the storage account that holds the networkCidr table; this is the assignment scope
$storageAccountId = (Get-AzStorageAccount -ResourceGroupName $rgName -Name $storageAccountName).Id
# Grant the data-plane role at storage-account scope only, not at resource-group or subscription scope
New-AzRoleAssignment -ObjectId $functionAppIdentity -RoleDefinitionName 'Storage Table Data Contributor' -Scope $storageAccountId

Azure Resource Graph

Permission: Query access to target subscriptions

Required For:

  • Manager Function: Querying VNets across subscriptions for Sync operation

How to Configure:

  • The managed identity must have access to query Resource Graph for the subscriptions defined in SUPERNETS_CONFIG
  • This is typically granted via subscription-level permissions or Resource Graph query permissions

Note: The Function App uses the Az.ResourceGraph module, which authenticates automatically via the managed identity.
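The following is an added verification helper, not code from the IPAM project, that checks the assignments described above from a least-privilege standpoint: the table role must be present at exactly the storage-account scope, no broad control-plane roles (Owner, Contributor, User Access Administrator) may be attached to the identity anywhere, and every subscription the Sync operation queries must be covered by some direct assignment. The principal ID and storage account resource ID are assumed to be obtained as in the assignment commands above; the subscription ID list is assumed to be taken from SUPERNETS_CONFIG by the caller.

```powershell
# Added example, not part of the IPAM Function App repository.
function Test-IpamIdentityAssignments {
    param(
        [Parameter(Mandatory)] [string]   $PrincipalId,        # Function App identity object ID
        [Parameter(Mandatory)] [string]   $StorageAccountId,   # resource ID of the networkCidr storage account
        [string[]] $SubscriptionIds = @()                      # subscriptions Sync queries via Resource Graph
    )

    # All RBAC assignments held by the identity, at every scope.
    $assignments = @(Get-AzRoleAssignment -ObjectId $PrincipalId)

    # 1. Table role must be granted at exactly the storage-account scope.
    #    (A resource-group or subscription scope would also work, but is wider than needed.)
    $tableRole = $assignments | Where-Object {
        $_.RoleDefinitionName -eq 'Storage Table Data Contributor' -and
        $_.Scope -eq $StorageAccountId
    }

    # 2. Broad control-plane roles at any scope are a least-privilege finding.
    $broadRoles = 'Owner', 'Contributor', 'User Access Administrator'
    $overPrivileged = $assignments | Where-Object { $broadRoles -contains $_.RoleDefinitionName }

    # 3. Each target subscription needs an assignment whose scope is a prefix of the
    #    subscription scope (root "/" or "/subscriptions/<id>"). Assignments inherited
    #    from a management group are not detected by this prefix test.
    $uncovered = foreach ($sub in $SubscriptionIds) {
        $subScope = "/subscriptions/$sub"
        $covered  = $assignments | Where-Object { $subScope.StartsWith($_.Scope) }
        if (-not $covered) { $sub }
    }

    [pscustomobject]@{
        PrincipalId               = $PrincipalId
        HasTableContributorRole   = [bool]$tableRole
        OverPrivilegedAssignments = @($overPrivileged | Select-Object RoleDefinitionName, Scope)
        UncoveredSubscriptions    = @($uncovered)
        Compliant                 = [bool]$tableRole -and -not $overPrivileged -and -not $uncovered
    }
}

# Usage (assumed variable names, populated as in the assignment commands above):
# Test-IpamIdentityAssignments -PrincipalId $functionAppIdentity -StorageAccountId $storageAccountId `
#     -SubscriptionIds $targetSubscriptionIds
```

Run it after deployment and after any change to SUPERNETS_CONFIG; a `Compliant` value of `$false` means either a missing grant (Sync or table writes will fail) or an excess grant that should be removed.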

Modules & Dependencies

PowerShell Modules

Modules are baked into the Function App deployment package using Save-Module during build and are not installed at runtime:

  • Az.Accounts (5.*): Required for Azure authentication
  • Az.ResourceGraph (1.*): Required for Manager function ARG queries

Security Best Practices

  • No Secrets in Code: All authentication uses managed identity - no connection strings or API keys in code
  • Least Privilege: Function App identity only has permissions needed for its operations
  • Storage Connection: AzureWebJobsStorage connection string is managed by Azure Functions runtime
  • No Custom Tokens: No custom authentication tokens or API keys are used

Local Development

For local development, authentication works differently:

  • Azurite: No authentication required (local emulator)
  • Azure Resource Graph: Requires Connect-AzAccount before running Manager function locally
  • Table Storage: Uses connection string from local.settings.json (Azurite or Azure Storage)

See docs/LocalDevelopment.md for local setup details.