
I'm using Python 3.8 and azure-servicebus v0.50.3. I would like to generate a read-only SAS token for each topic I create. I have figured out so far I can create the topics like so ...

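```python
# azure-servicebus 0.50.x: the legacy client lives under control_client
from azure.servicebus.control_client import ServiceBusService

sbs = ServiceBusService(service_namespace,
                        shared_access_key_name=key_name,
                        shared_access_key_value=key_value)
...

sbs.create_topic(name)
```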

However, I'm unclear how (or if it's even possible) to use the existing API to generate a SAS token for each topic I create. The documentation online seems to imply this isn't possible but thought I'd ask anyway.

Dave

1 Answer


Good news and bad news. While there are certainly ways to generate SAS tokens per topic, I don't believe you'll be able to do so with the API you're using. ServiceBusService via control_client is basically our "double-legacy" SDK and is both very dated and effectively deprecated.

That said, I would point you at our current azure-mgmt-servicebus package. With it you can create topics in a similar fashion, but more important to your purposes you can create an authorization rule (you'd likely want to give it only Listener rights) and then access the topic's keys to programmatically utilize them if needed.

To be honest, I wasn't sure if you were referring to SAS keys colloquially as tokens (Frankly I flip the naming constantly) so to cover all my bases, I'll also detail below how you'd turn the key into a transient token, but if you don't need this, you can skip the next paragraph.

While there isn't an official built-in utility to generate SAS tokens from a SAS key, in the hope that this is a workable approach, let me provide some breadcrumbs to what this would look like here. (This demonstrates using a SAS Key to generate and then authenticate our up-coming-GA-version with a SAS Token, you'd take as much or as little of this as you need, but the key for your purposes would be generate_sas_token)

Don't hesitate to shout if any clarity is needed or if I've misunderstood your issue, I'd also mention our github if you run into any problems in the future. (full disclaimer, am a maintainer for this sdk)

Kibrantn
  • Thanks for this! I'm happy to transition away from the deprecated SDK, just have a couple of questions about that. Previously, ServiceBusService required a namespace, shared access key name, and shared access key value. In your code example here -- https://gist.github.com/KieranBrantnerMagee/b20c24ab916d4b7b6e992f5d9db258da, I'm not clear where or if I'm still using that information or if I need to grab or generate other info from the Azure portal. Does shared access key name and value still apply in the new (non-deprecated) SDK? – Dave Oct 04 '20 at 17:18
  • So, my example ONLY shows how to generate SAS tokens from SAS keys and then using them for the data-plane client. To your point about replacing the deprecated API, unfortunately azure-mgmt-servicebus and the other ARM libraries do not support SAS, only azure-identity credentials. Our data plane library (azure-servicebus) will still allow SAS but the ARM side (azure-mgmt-servicebus) is trying to make azure-identity the happy path, see [here](https://learn.microsoft.com/en-us/python/api/azure-mgmt-servicebus/azure.mgmt.servicebus.servicebusmanagementclient?view=azure-python) for docs. – Kibrantn Oct 05 '20 at 17:39
  • Quick clarification on terminology, if we use azure-identity instead of SAS, what's the right term to use to describe creating listen-only authentication when creating a service bus topic? If we're not using SAS tokens, what are we using? – Dave Oct 05 '20 at 18:39
  • Aha, I may be able to clarify the confusion. 1. azure-identity is instead of SAS for using the `azure-mgmt-servicebus` library, which is for creating topics, creating topic SAS keys, etc. As the name implies, "management" functions. 2. for the `azure-servicebus` library, the code you use for actually sending/receiving messages with the topic, you can use listen only SAS keys (or SAS tokens derived from those keys) to authenticate. – Kibrantn Oct 06 '20 at 19:30
  • What's the difference between the way you create the service client (ServiceBusClient) in your code sample -- https://gist.github.com/KieranBrantnerMagee/b20c24ab916d4b7b6e992f5d9db258da and the doc you reference -- https://learn.microsoft.com/en-us/python/api/overview/azure/servicebus?view=azure-python#create-topic? Are these just two different ways of getting to the same thing? – Dave Oct 06 '20 at 20:43
  • Apologies for the interruption here, but I am also a bit confused between the legacy SDK and the updated one. Not sure if this link [https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/servicebus/azure-servicebus/samples] is applicable for the updated SDK, but this is as far as I can get. – liamsuma Oct 07 '20 at 15:39
  • Hey Dave; I must apologize for misleading you slightly, the create_topic link should have pointed under [this client](https://docs.microsoft.com/en-us/python/api/overview/azure/servicebus/management?view=azure-python), the overview is legacy. To try and address both comments' confusion, there are a few clients: 1. `azure-servicebus:0.5*`, the docs Dave linked. This library sends and receives messages and has limited management functions 2. `azure-mgmt-servicebus` is the dedicated mgmt lib, e.g. topic creation 3. `azure-servicebus:7.0` the upcoming GA release for messaging, your link liam – Kibrantn Oct 07 '20 at 22:10
  • Ok, thanks. I think I stumbled upon the right data before you posted the link so all is well. However I am struggling with how to find the number of topics per namespace if you happen to know off the top of your head -- https://stackoverflow.com/questions/64285330/in-the-azure-functions-python-sdk-how-do-i-get-the-number-of-topics-for-a-given – Dave Oct 09 '20 at 18:20
  • Hey Dave, I notice a kind soul has chimed in there but I'll echo their accurate response here as well for progeny; that the [list_by_namespace](https://learn.microsoft.com/en-us/python/api/azure-mgmt-servicebus/azure.mgmt.servicebus.operations.topicsoperations?view=azure-python#list-by-namespace-resource-group-name--namespace-name--skip-none--top-none--custom-headers-none--raw-false----operation-config-) function will likely do what you want. – Kibrantn Oct 12 '20 at 17:28
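
The key-to-token step the answer describes, as an added example that is not the answer's gist or SDK code: it derives a short-lived SAS token scoped to one topic from a SAS key and re-checks the signature and expiry locally. The namespace, topic, rule name, key and both function names are constructed assumptions; the rights a token carries are those of the authorization rule named in `skn`, so the rule itself should grant Listen only.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, quote_plus

# Constructed sample values (assumptions, not real credentials).
NAMESPACE = "example-ns"
TOPIC = "orders"
RULE_NAME = "listen-only"  # authorization rule created with Listen rights only
RULE_KEY = "constructed-sample-key-not-a-real-secret"


def _sign(key, encoded_uri, expiry):
    # String to sign is "<url-encoded resource URI>\n<expiry>"; the HMAC key
    # is the UTF-8 bytes of the SAS key string.
    msg = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def topic_sas_token(namespace, topic, key_name, key, ttl_seconds=3600, now=None):
    """Build a SAS token whose scope (sr) is a single topic."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + ttl_seconds
    encoded_uri = quote_plus(f"https://{namespace}.servicebus.windows.net/{topic}")
    sig = quote(_sign(key, encoded_uri, expiry), safe="")
    return (f"SharedAccessSignature sr={encoded_uri}&sig={sig}"
            f"&se={expiry}&skn={key_name}")


def check_sas_token(token, key, now=None):
    """Recompute the signature over sr and se, and reject expired tokens."""
    now = int(time.time()) if now is None else int(now)
    scheme, _, fields = token.partition(" ")
    parsed = parse_qs(fields)
    try:
        sr, sig, se = parsed["sr"][0], parsed["sig"][0], int(parsed["se"][0])
    except (KeyError, ValueError):
        return False
    expected = _sign(key, quote_plus(sr), se)
    ok = hmac.compare_digest(expected.encode(), sig.encode())
    return scheme == "SharedAccessSignature" and ok and se > now


if __name__ == "__main__":
    tok = topic_sas_token(NAMESPACE, TOPIC, RULE_NAME, RULE_KEY, ttl_seconds=600)
    print(tok, check_sas_token(tok, RULE_KEY))
```

Because the signature covers both `sr` and `se`, changing the topic path or extending the expiry invalidates the token; only the holder of the rule's key can mint a new one.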