3

EDIT This question was written in 2016 so it may not be relevant anymore

I've just created a simple Function App with one function that should be triggered when a new message is added to the queue (in-portal function)

I've used the "ServiceBusQueueTrigger - C#" template to create my function so the code looks like that:

using System;
using System.Threading.Tasks;

public static void Run(string myQueueItem, TraceWriter log)
{
    log.Verbose($"C# ServiceBus queue trigger function processed message: {myQueueItem}");
}

From the Azure Portal, I've got this error:

Microsoft.ServiceBus: The remote server returned an error: (401) Unauthorized. Manage claim is required for this operation. TrackingId:6e27fe40-f667-4230-9995-d09f2ac67f35_G17,TimeStamp:4/18/2016 10:17:41 PM. System: The remote server returned an error: (401) Unauthorized.

Azure Function Error - (401) Unauthorized - Manage claim is required for this operation.

At the beginning, I've set up my connection string with a shared access policy that only allows to listen to the queue and changed it to a Manage claim but I still have this error.

To fix this, I had to set up the connection with the RootManageSharedAccessKey that give a full access to the service bus namespace

Is it the normal/desired behavior ? Will it be possible in the future to set up connection strings with different shared access policy ?

Thomas
  • 24,234
  • 6
  • 81
  • 125

3 Answers3

3

The default AccessRights used if not specified is AccessRights.Manage. You can override this using the advanced portal editor, specifying a more restricted AccessRights value:

{
  "bindings": [
    {
      "type": "serviceBusTrigger",
      "direction": "in",
      "accessRights": "listen",
      "queueName": "samples-input"
    }
  ]
}

We need to expose this value via first class portal UI as well to make it easier to configure.

mathewc
  • 13,312
  • 2
  • 45
  • 53
  • Matthew, what is the purpose of the `accessRights` setting ? using a webjob we don't need to specify any thing like that to configure the servicebus trigger. – Thomas Apr 19 '16 at 01:54
  • 1
    Yes, this also exists in the core SDK. `ServiceBusAttribute` has an `AccessRights` property that can be configured. this setting is just mapping to that. We added that in the last release WebJobs SDK release, because people wanted the ability to use connection strings with limited access. Previously we always assumed we had `Manage` and we would attempt operations that would fail. – mathewc Apr 19 '16 at 01:56
  • Thank, I'll have a look ^^ I've noticed that this is only working using a connection string that target the servicebus namespace globally. If I specify a connection string that target only a specific queue, it fails. Is it something that is going to change in the future ? – Thomas Apr 19 '16 at 02:08
1

Declare you triggered function this way, with a custom AccessRights value:

    public async Task MyFunction([ServiceBusTrigger(MyQueueName, Microsoft.ServiceBus.Messaging.AccessRights.Listen)] Message message, TextWriter log)
barbara.post
  • 1,581
  • 16
  • 27
0

My solution was somewhat simpler, I had taken the approach of using an app.config file with a connectionString to my ServiceBus stored in the setting: 

<add name="AzureWebJobsServiceBus" value="e.t.c."/>

And I had put the wrong value in the service bus value. It wasn't immediately obvious where to find this stuff, as Azure has moved things around a bit since I last looked. For guidance you go to the namespace of the Service Bus (search for Service Bus, then select your namespace) and then choose Shared Access Policies. In there you should find your shared access key and you can copy this service bus value into your app config (with due care and attention to source code security for your actual production keys....) My shared key was set up for Manage Send Listen, I'd just copied it down wrong...

The Senator
  • 5,181
  • 2
  • 34
  • 49