I am trying to configure my NServiceBus application to use Managed Identity. The application is running as an App Service and should be able to connect with my Azure Service Bus Queue using Managed Identity.
I have set the CustomTokenCredential on my Transport and tried to change the connection string to “Endpoint=sb://[NAMESPACE].servicebus.windows.net/;Authentication=ManagedIdentity”
When running I get an exception;
ArgumentException: The value ‘Endpoint=sb://[NAMESPACE].servicebus.windows.net/;Authentication=ManagedIdentity’ is not a well-formed Service Bus fully qualified namespace.
Any idea what is going wrong? It does work when I am using Shared Access Key. And we have also seen it working from an Azure Function to Azure Service Bus using Managed Identity.
It does not seem to get to the authentication part but fails already on the namespace.
What version of the transport are you using? Based on the version, the connection string would be different.
Endpoint=sb://[NAMESPACE].servicebus.windows.net/;Authentication=ManagedIdentity was a workaround for the ASB SDK track 1. Track 2, the latest ASB SDK/NServiceBus transport, the workaround was removed by the SDK team in favour of a more consistent approach, which only requires the fully qualified domain name (FQDN) for your namespace as a connection string. Try [MYNAMESPACE].servicebus.windows.net as your connection string with Managed Identity configured application/environment. Here’s an example of Azure Functions using MI and here’s the documentation for WebJobs, the guts of Functions.
PS: this was the blog post where the SDK team has shared all the options to configure Functions extensions using Secretless configuration. Same time of configuration is likely to be applicable to App Service as well.
I have been trying to use Azure Functions with Azure Service Bus(1) to connect to an Azure Service Bus endpoint authenticated by Managed Identities.
Firstly, let me say that I really like the NServiceBus.AzureFunctions.InProcess.ServiceBus package - it’s made my life a lot easier in the last year!
We had a project using version 1.x and we used the connection string workaround by adding Authentication=ManagedIdentity, and that worked fine.
I now have another project and I’m using version 2.x (which removes even more code for me ) but I cannot connect to the Azure ServiceBus endpoint. As Per found above, that workaround no longer works around. I can also not get the accepted solution to work.
From my experiments, the ASB SDK only supports the new MI connection strings starting from 5.x (possibly around this commit(2)). The latest NServiceBus.AzureFunctions.InProcess.ServiceBus(3) depends on Microsoft.Azure.WebJobs.Extensions.ServiceBus(4) v4.3.0.
Do you have any example projects where the NServiceBus.AzureFunctions.InProcess.ServiceBus 2.x package is used to connect to an MI authenticated endpoint?
I found that to make the generated NServiceBusTriggerFunction work I had to keep the old “AzureWebJobsServiceBus” environment variable that included Authentication=ManagedIdentity.
That, in combination with the CustomTokenCredential you suggested made both the ServiceBus trigger and the injected IFunctionEndpoint work.
Will the NServiceBus code be enhanced to cope with the new <connection_name>__fullyQualifiedNamespace configuration value at the same time it updates to Microsoft.Azure.WebJobs.Extensions.ServiceBus v5?
Will the NServiceBus code be enhanced to cope with the new <connection_name>__fullyQualifiedNamespace configuration value at the same time it updates to Microsoft.Azure.WebJobs.Extensions.ServiceBus v5?
) but I cannot connect to the Azure ServiceBus endpoint. As Per found above, that workaround no longer works around. I can also not get the accepted solution to work.