CustomProvider CreateManagedServiceIdentityTokenProvider

Dear,

We don’t want to use credentials in the connection string any more, so we are looking into using a custom token provider. In the endpointConfiguration I add a CustomTokenProvider:

var tokenProvider = TokenProvider.CreateManagedServiceIdentityTokenProvider();
endpointConfiguration.Transport.CustomTokenProvider(tokenProvider);

I added the application identity to the service bus credentials.

But I get the following error:
[11/03/2020 11:40:45] A host error has occurred during startup operation ‘GUID’.
[11/03/2020 11:40:45] Microsoft.Azure.ServiceBus: Value cannot be null.
[11/03/2020 11:40:45] Parameter name: ServiceBusConnection doesn’t have a valid token provider.

Is there something that I’m missing? Or is there more documentation on how to use the CustomTokenProvider?

Thank you in advance

John

Hi John,

What’s the connection string you’re providing the transport with?
Please mask sensitive information.

Hello Sean,

Endpoint=sb://----.-----.servicebus.windows.net/

Thank you for your reply

There are different token providers. Without specifying via the connection string which one you want to use, the underlying SDK will attempt to use a SAS token.

It should be Endpoint=sb://----.-----.servicebus.windows.net/;Authentication=Managed Identity.

Now I’m getting
Value cannot be null.
Parameter name: provider

OK, but then this is not the security I’m looking for. I want to use the managed identity in Azure so we don’t have to use any token in the connection strings.

using Microsoft.Azure.ServiceBus.Primitives;

transport.CustomTokenProvider(TokenProvider.CreateManagedServiceIdentityTokenProvider());

Will not work then.

UPDATE: see more detailed reply here.

I might have not been clear on this.

You do not need any SAS tokens, keys, or anything else. Your connection string indicates what namespace you’re using and specifying that the authentication to use is Managed Identity. The token provider still needs to be registered and that’s TokenProvider.CreateManagedServiceIdentityTokenProvider(). With those two it works.

How do you validate it doesn’t work? Where do you run it?

I use it like this and it works great:

transport.CustomTokenProvider(TokenProvider.CreateManagedIdentityTokenProvider());

Connection string: Endpoint=sb://*****.servicebus.windows.net/

I also have a reference to Microsoft.Azure.Services.AppAuthentication

Let me clarify.

There’s no need to include the reference to Microsoft.Azure.Services.AppAuthentication. It’s a dependency of the Azure Service Bus SDK/client which is transitively brought into your project when the ASB transport is used.

The combination of the connection string (w/o key and token) and a specified TokenProvider should work.

The connection string with the Authentication=Managed Identity part is necessary when the application is compiled to work with the ASB transport that is configured using connection string only and the code cannot be updated and redeployed (ServiceControl for example).

To sum it up, there are two options:

  1. Use connection string and specify the authentication option in the connection string.
  2. Provide the connection string with the namespace FQDN and in the code register a token provider.

Hope that clarifies this.
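The two options above side by side, as an added example that is not code from the thread or from the NServiceBus project. It assumes an endpoint named "Sales", the placeholder namespace NAMESPACENAME, and a local boolean (registerProviderInCode) that is only there to show both forms in one program; the NServiceBus and Microsoft.Azure.ServiceBus calls themselves are the ones used in the thread.

```csharp
// Added example, not from the original thread: an NServiceBus endpoint on the
// Azure Service Bus transport authenticating with Managed Identity, both ways.
using System;
using System.Threading.Tasks;
using Microsoft.Azure.ServiceBus.Primitives;
using NServiceBus;

class Program
{
    static async Task Main()
    {
        // "Sales" and NAMESPACENAME are placeholders (assumptions for this example).
        var endpointConfiguration = new EndpointConfiguration("Sales");
        var transport = endpointConfiguration.UseTransport<AzureServiceBusTransport>();

        // Assumed switch so one program shows both options; not an NServiceBus setting.
        bool registerProviderInCode = true;

        if (registerProviderInCode)
        {
            // Option 2: connection string carries the namespace FQDN only (no key,
            // no SAS token) and the token provider is registered in code.
            transport.ConnectionString("Endpoint=sb://NAMESPACENAME.servicebus.windows.net/");
            transport.CustomTokenProvider(TokenProvider.CreateManagedIdentityTokenProvider());
        }
        else
        {
            // Option 1: the authentication mode is selected by the connection string
            // alone. This is the form for hosts that only accept a connection string
            // and cannot be recompiled.
            transport.ConnectionString(
                "Endpoint=sb://NAMESPACENAME.servicebus.windows.net/;Authentication=Managed Identity");
        }

        // Installers create queues and topics at startup, which is a management
        // operation. The identity therefore needs a role that permits it on the
        // namespace (Azure Service Bus Data Owner); an endpoint that never creates
        // entities can run with Data Sender / Data Receiver only, which is the
        // least-privilege choice for production.
        endpointConfiguration.EnableInstallers();

        var endpointInstance = await Endpoint.Start(endpointConfiguration);
        Console.WriteLine("Endpoint started using Managed Identity; press Enter to stop.");
        Console.ReadLine();
        await endpointInstance.Stop();
    }
}
```

Whichever option is used, the connection string never contains SharedAccessKey or SharedAccessSignature; if either is present the SDK falls back to SAS authentication and the registered token provider is not what authenticates the connection.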

@markgould did you manage to get this working?

I’m using the following code

var transportExtensions = endpointConfiguration.UseTransport<AzureServiceBusTransport>();

var miTokenProvider = TokenProvider.CreateManagedIdentityTokenProvider();
transportExtensions.CustomTokenProvider(miTokenProvider);

transportExtensions.ConnectionString("Endpoint=sb://NAMESPACENAME.servicebus.windows.net/;Authentication=Managed Identity");

but I’m still getting the following exception.

Microsoft.Azure.ServiceBus.UnauthorizedException
  HResult=0x80131500
  Message=InvalidIssuer: Token issuer is invalid. TrackingId:bed8b480-82a5-4669-9dd7-1b36798dbf4c, SystemTracker:NoSystemTracker, Timestamp:2020-05-27T11:51:51
  Source=Microsoft.Azure.ServiceBus
  StackTrace:
   at Microsoft.Azure.ServiceBus.Management.ManagementClient.<SendHttpRequest>d__50.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ServiceBus.Management.ManagementClient.<PutEntity>d__48.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ServiceBus.Management.ManagementClient.<CreateTopicAsync>d__28.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NServiceBus.Transport.AzureServiceBus.QueueCreator.<CreateQueueIfNecessary>d__10.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at NServiceBus.HostingComponent.<RunInstallers>d__6.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NServiceBus.ExternallyManagedContainerHost.<Start>d__9.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NServiceBus.Extensions.Hosting.NServiceBusHostedService.<StartAsync>d__1.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>d__9.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.<RunAsync>d__4.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()

Hello,

I had the issue that I wasn’t using the correct account for the Azure subscription.

If you are using Visual Studio, be aware that you have the correct Azure account selected.
See: Tools -> Options -> Azure Service Authentication.

If that is not working, try Azure CLI with az login.

Kind regards,

John

I’ve tried them all; nothing is working for me. What kind of role did you assign to your user in Azure Service Bus?

I gave my managed identity the Azure Service Bus Data Owner role. At the time I believe that was necessary. What role do you have assigned right now?

Just found out that guest users don’t work. If I use a normal user then it works, but this isn’t what I want in development :wink: In production it will work because we’re using the Managed Identity of the resource instead of a user.
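The last three posts (wrong Azure account in Visual Studio or az login, the Data Owner role, guest users) all come down to which identity and which tenant the token provider is actually handing to Service Bus, and "InvalidIssuer: Token issuer is invalid" is the namespace rejecting a token minted by a tenant it does not trust. The following diagnostic is an added example, not code from the thread or from NServiceBus: it asks the same TokenProvider the transport uses for one token and prints the claims Service Bus checks, so the problem can be seen before starting the endpoint. The namespace URL is a placeholder; the claim names are standard Azure AD access-token claims, and the base64url decoder is this example's own helper.

```csharp
// Added diagnostic, not from the original thread: fetch one token from the
// Managed Identity token provider and show who it was issued to and by whom.
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Azure.ServiceBus.Primitives;

static class TokenCheck
{
    // Placeholder (assumption): must match the Endpoint= host of the connection string.
    const string NamespaceUrl = "https://NAMESPACENAME.servicebus.windows.net/";

    static async Task Main()
    {
        var provider = TokenProvider.CreateManagedIdentityTokenProvider();

        // Same call the transport makes; appliesTo is the namespace URL.
        // Locally this resolves through Visual Studio / Azure CLI / env credentials,
        // in Azure through the resource's managed identity.
        var token = await provider.GetTokenAsync(NamespaceUrl, TimeSpan.FromSeconds(30));

        var claims = DecodeJwtPayload(token.TokenValue);
        foreach (var name in new[] { "iss", "tid", "oid", "appid", "upn", "aud", "exp" })
        {
            var value = claims.TryGetProperty(name, out var v) ? v.ToString() : "<absent>";
            Console.WriteLine($"{name,-6} = {value}");
        }

        // What to compare:
        //  - tid must be the tenant that owns the Service Bus namespace; a guest
        //    user or a wrong default subscription yields a different tid, which the
        //    namespace reports as InvalidIssuer.
        //  - oid (or appid for a managed identity / app) is the principal that needs
        //    the Azure Service Bus Data Owner / Sender / Receiver role assignment.
        //  - a developer token carries upn; a managed identity token has no upn.
        Console.WriteLine($"expires (UTC) = {token.ExpiresAtUtc:u}");
    }

    // Decode the JWT payload (base64url, no padding) without validating the
    // signature; this is inspection only, Service Bus does the validation.
    static JsonElement DecodeJwtPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("token is not a compact JWT");

        var payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(payload));
        return JsonDocument.Parse(json).RootElement;
    }
}
```

Run it with the same sign-in (Visual Studio account or az login) the endpoint will use. If tid does not match the namespace's tenant, fixing the role assignment will not help; switch accounts or use a non-guest user in that tenant. If tid matches but startup still fails with UnauthorizedException, check that the oid/appid printed here is the principal that holds the role on the namespace, and that the role covers what the endpoint does (entity creation by installers needs Data Owner).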