We don’t want to use credentials in the connection string any more, so we are looking into using a custom token provider. In the endpointConfiguration I add a CustomTokenProvider:
var tokenProvider = TokenProvider.CreateManagedServiceIdentityTokenProvider();
endpointConfiguration.Transport.CustomTokenProvider(tokenProvider);
I added the application identity to the service bus credentials.
But I get the following error:
[11/03/2020 11:40:45] A host error has occurred during startup operation ‘GUID’.
[11/03/2020 11:40:45] Microsoft.Azure.ServiceBus: Value cannot be null.
[11/03/2020 11:40:45] Parameter name: ServiceBusConnection doesn’t have a valid token provider.
Is there something that I’m missing? Or is there more documentation on how to use the CustomTokenProvider?
There are different token providers. Without specifying via the connection string which one you want to use, the underlying SDK will attempt to use a SAS token.
It should be Endpoint=sb://----.-----.servicebus.windows.net/;Authentication=Managed Identity.
Ok, but then this is not the security I’m looking for. I want to use the managed identity in Azure so we don’t have to use any token in the connection strings.
You do not need any SAS tokens, keys, or anything else. Your connection string indicates what namespace you’re using and specifies that the authentication to use is Managed Identity. The token provider still needs to be registered and that’s TokenProvider.CreateManagedServiceIdentityTokenProvider(). With those two it works.
How do you validate it doesn’t work? Where do you run it?
There’s no need to include the reference to Microsoft.Azure.Services.AppAuthentication. It’s a dependency of the Azure Service Bus SDK/client which is transitively brought into your project when the ASB transport is used.
The combination of the connection string (w/o key and token) and a specified TokenProvider should work.
The connection string with the Authentication=Managed Identity part is necessary when the application is compiled to work with the ASB transport that is configured using connection string only and the code cannot be updated and redeployed (ServiceControl for example).
To sum it up, there are two options:
Use connection string and specify the authentication option in the connection string.
Provide the connection string with the namespace FQDN and in the code register a token provider.
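The two options side by side, as an added example that is not code from this thread or from NServiceBus itself. It assumes the Microsoft.Azure.ServiceBus-based transport used above, an endpoint named "Sales" and the placeholder namespace NAMESPACENAME; the secret guard is an addition of this example.

```csharp
using System;
using Microsoft.Azure.ServiceBus.Primitives;
using NServiceBus;

static class ManagedIdentityTransportConfig
{
    // Placeholder namespace, not a real one.
    const string NamespaceFqdn = "NAMESPACENAME.servicebus.windows.net";

    // Option 1: the authentication mode is declared in the connection string only.
    // This is the variant for hosts that take a connection string and cannot be
    // recompiled (ServiceControl, as noted in the thread).
    public static EndpointConfiguration ViaConnectionString()
    {
        var connectionString = $"Endpoint=sb://{NamespaceFqdn}/;Authentication=Managed Identity";
        EnsureNoEmbeddedSecret(connectionString);

        var endpointConfiguration = new EndpointConfiguration("Sales");
        var transport = endpointConfiguration.UseTransport<AzureServiceBusTransport>();
        transport.ConnectionString(connectionString);
        return endpointConfiguration;
    }

    // Option 2: only the namespace FQDN in the connection string; the token
    // provider is registered in code.
    public static EndpointConfiguration ViaTokenProvider()
    {
        var connectionString = $"Endpoint=sb://{NamespaceFqdn}/";
        EnsureNoEmbeddedSecret(connectionString);

        var endpointConfiguration = new EndpointConfiguration("Sales");
        var transport = endpointConfiguration.UseTransport<AzureServiceBusTransport>();
        transport.ConnectionString(connectionString);
        transport.CustomTokenProvider(TokenProvider.CreateManagedIdentityTokenProvider());
        return endpointConfiguration;
    }

    // Guard (added here): with Managed Identity there must be no SAS key anywhere in
    // configuration. Catches a leftover "SharedAccessKeyName=...;SharedAccessKey=..."
    // copied from the portal into an app setting.
    static void EnsureNoEmbeddedSecret(string connectionString)
    {
        if (connectionString.IndexOf("SharedAccessKey", StringComparison.OrdinalIgnoreCase) >= 0)
        {
            throw new InvalidOperationException(
                "Connection string carries a SAS key; remove it when using Managed Identity.");
        }
    }
}
```

The stack trace later in the thread fails in ManagementClient.CreateTopicAsync during RunInstallers, so while installers are enabled the identity must be permitted to create entities in the namespace, not only to send and receive.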
var transportExtensions = endpointConfiguration.UseTransport<AzureServiceBusTransport>();
var miTokenProvider = TokenProvider.CreateManagedIdentityTokenProvider();
transportExtensions.CustomTokenProvider(miTokenProvider);
transportExtensions.ConnectionString("Endpoint=sb://NAMESPACENAME.servicebus.windows.net/;Authentication=Managed Identity");
But I’m still getting the following exception.
Microsoft.Azure.ServiceBus.UnauthorizedException
HResult=0x80131500
Message=InvalidIssuer: Token issuer is invalid. TrackingId:bed8b480-82a5-4669-9dd7-1b36798dbf4c, SystemTracker:NoSystemTracker, Timestamp:2020-05-27T11:51:51
Source=Microsoft.Azure.ServiceBus
StackTrace:
at Microsoft.Azure.ServiceBus.Management.ManagementClient.<SendHttpRequest>d__50.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.ServiceBus.Management.ManagementClient.<PutEntity>d__48.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.ServiceBus.Management.ManagementClient.<CreateTopicAsync>d__28.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NServiceBus.Transport.AzureServiceBus.QueueCreator.<CreateQueueIfNecessary>d__10.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at NServiceBus.HostingComponent.<RunInstallers>d__6.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NServiceBus.ExternallyManagedContainerHost.<Start>d__9.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NServiceBus.Extensions.Hosting.NServiceBusHostedService.<StartAsync>d__1.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>d__9.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.<RunAsync>d__4.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
Just found out that guest users don’t work.
If I make a normal one, then it works, but this isn’t what I want in development. In production it will work because we’re using the Managed Identity of the resource instead of a user.