NServicebus in App Service using Managed Identity for connect to Azure Service Bus

I am trying to configure my NServiceBus application to use Managed Identity. The application is running as an App Service and should be able to connect with my Azure Service Bus Queue using Managed Identity.

I have only found an example using Shared Access Key here, Azure Service Bus Transport • Particular Docs.

I have set the CustomTokenCredential on my Transport and tried to change the connection string to “Endpoint=sb://[NAMESPACE].servicebus.windows.net/;Authentication=ManagedIdentity”

When running I get an exception;
ArgumentException: The value ‘Endpoint=sb://[NAMESPACE].servicebus.windows.net/;Authentication=ManagedIdentity’ is not a well-formed Service Bus fully qualified namespace.

Any idea what is going wrong? It does work when I am using Shared Access Key. And we have also seen it working from an Azure Function to Azure Service Bus using Managed Identity.

It does not seem to get to the authentication part but fails already on the namespace.

What version of the transport are you using? Based on the version, the connection string would be different.

Endpoint=sb://[NAMESPACE].servicebus.windows.net/;Authentication=ManagedIdentity was a workaround for the ASB SDK track 1. Track 2, the latest ASB SDK/NServiceBus transport, the workaround was removed by the SDK team in favour of a more consistent approach, which only requires the fully qualified domain name (FQDN) for your namespace as a connection string. Try [MYNAMESPACE].servicebus.windows.net as your connection string with Managed Identity configured application/environment. Here’s an example of Azure Functions using MI and here’s the documentation for WebJobs, the guts of Functions.

PS: this was the blog post where the SDK team has shared all the options to configure Functions extensions using Secretless configuration. Same time of configuration is likely to be applicable to App Service as well.

TLDR - I’m looking for a concrete example of using NServiceBus.AzureFunctions.InProcess.ServiceBus 2.x with Managed Identities

Hi @SeanFeldman,

I have been trying to use Azure Functions with Azure Service Bus(1) to connect to an Azure Service Bus endpoint authenticated by Managed Identities.

Firstly, let me say that I really like the NServiceBus.AzureFunctions.InProcess.ServiceBus package - it’s made my life a lot easier in the last year!

We had a project using version 1.x and we used the connection string workaround by adding Authentication=ManagedIdentity, and that worked fine.

I now have another project and I’m using version 2.x (which removes even more code for me :slight_smile:) but I cannot connect to the Azure ServiceBus endpoint. As Per found above, that workaround no longer works around. I can also not get the accepted solution to work.

From my experiments, the ASB SDK only supports the new MI connection strings starting from 5.x (possibly around this commit(2)). The latest NServiceBus.AzureFunctions.InProcess.ServiceBus(3) depends on Microsoft.Azure.WebJobs.Extensions.ServiceBus(4) v4.3.0.

Do you have any example projects where the NServiceBus.AzureFunctions.InProcess.ServiceBus 2.x package is used to connect to an MI authenticated endpoint?

Here are some some example projects that I have tried.

Thanks!
Ben

I am only allowed 2 links, here are non-links

  1. Particular Docs nservicebus/hosting/azure-functions-service-bus
  2. GitHub azure-sdk-for-net commit 762a7b2c21d486bfa9853af07586a5621b689975
  3. NuGet package NServiceBus.AzureFunctions.InProcess.ServiceBus v2.0.2
  4. NuGet package Microsoft.Azure.WebJobs.Extensions.ServiceBus v4.3.0

Hi Ben!

You should be able to authenticate using Managed Identity by configuring your in-process function like this:

        builder.UseNServiceBus(() =>
        {
            var config = new ServiceBusTriggeredEndpointConfiguration("<your endpoint name>");

            var userAssignedClientId = "<your managed identity client Id>";
            var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });

            config.Transport.ConnectionString("<your ASB namespace>.servicebus.windows.net");
            config.Transport.CustomTokenCredential(credential);

            return config;
        });

Let me know if that works?

See Configuration • Azure Service Bus Transport • Particular Docs for more details.

Hi Andreas,

Thanks for the reply, that was very helpful.

I found that to make the generated NServiceBusTriggerFunction work I had to keep the old “AzureWebJobsServiceBus” environment variable that included Authentication=ManagedIdentity.

That, in combination with the CustomTokenCredential you suggested made both the ServiceBus trigger and the injected IFunctionEndpoint work.

There’s a working example here.

Will the NServiceBus code be enhanced to cope with the new <connection_name>__fullyQualifiedNamespace configuration value at the same time it updates to Microsoft.Azure.WebJobs.Extensions.ServiceBus v5?

Thanks,
Ben

Glad you got it working.

Will the NServiceBus code be enhanced to cope with the new <connection_name>__fullyQualifiedNamespace configuration value at the same time it updates to Microsoft.Azure.WebJobs.Extensions.ServiceBus v5?

We’ll definitely make sure that works, I’ve raised https://github.com/Particular/NServiceBus.AzureFunctions.InProcess.ServiceBus/issues/390 to track that work.

Cheers,

Andreas