2

I've tried following this tutorial in order to authenticate my service bus against DefaultAzureCredentials, however, I get a 401.

I'm using the following code in the set-up:

```csharp
services.AddAzureClients(x =>
{
    x.AddServiceBusClientWithNamespace("myns.servicebus.windows.net")
        .WithCredential(new Azure.Identity.DefaultAzureCredential());
});
```

I then call the SB client like this:

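```csharp
// client is the ServiceBusClient registered by AddServiceBusClientWithNamespace above
var sender = client.CreateSender("myqueue");
var message = new ServiceBusMessage(Encoding.UTF8.GetBytes("test"));

await sender.SendMessageAsync(message);
```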

When I call SendMessageAsync I get a 401 error:

fail: Azure-Messaging-ServiceBus[82] An exception occurred while creating send link for Identifier: myqueue-578624f3-f732-4a9b-2ab0-9adc01949a5a. Error Message: 'System.UnauthorizedAccessException: Put token failed. status-code: 401, status-description: InvalidIssuer: Token issuer is invalid. TrackingId:cde3a89c-8108-48d1-8b8f-dacde18e176f, SystemTracker:NoSystemTracker, Timestamp:2021-05-19T07:18:44.

Before I run this, I call az login. I have access to the namespace to both send and receive. My guess is that I need to allocate some kind of permission between the service bus and ... something - but since I'm running this as a console app, I'm running with my own credentials. Clearly there's something about managed identity that I don't understand.

EDIT:

Following advice from @juunas, I tried the following:

```csharp
services.AddHostedService<ConsoleHostedService>();
services.AddAzureClients(x =>
{
    // Each credential was tried on its own, in order; the comment records the result.
    //var creds = new Azure.Identity.EnvironmentCredential(); // 1st - 'EnvironmentCredential authentication unavailable. Environment variables are not fully configured.'
    //var creds = new Azure.Identity.ManagedIdentityCredential(); // 2nd - No Managed Identity endpoint found
    //var creds = new Azure.Identity.SharedTokenCacheCredential(); // 3rd - 'SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.'
    //var creds = new Azure.Identity.VisualStudioCodeCredential(); // 4th - 'Stored credentials not found. Need to authenticate user in VSCode Azure Account.'
    //var creds = new Azure.Identity.AzureCliCredential(); // 5th
    var creds = new Azure.Identity.DefaultAzureCredential();

    x.AddServiceBusClientWithNamespace("myns.servicebus.windows.net")
        .WithCredential(creds);
});
```

1 Answer

5

It says the "token issuer is invalid". That means it got an access token, but it was issued by the wrong Azure AD tenant. The Az CLI allows you to specify the Azure AD tenant id with the -t tenant-id-here argument on az login.

DefaultAzureCredential could also be using some other credential (it attempts multiple credentials like VisualStudioCredential before the AzureCliCredential). You could instead try to use AzureCliCredential directly and see if it works. That of course won't use Managed Identity so you'd need to use ChainedTokenCredential with the AZ CLI credential + ManagedIdentityCredential to support both.

juunas
  • `AzureCliCredential` works - but I'm a little confused as to why. Also, if it is what I suspect, then my assumption was that `DefaultAzureCredential` did what you've described in ChainedTokenCredential ... ? –  May 19 '21 at 17:39
  • It tries a bunch of credentials and my guess is one of the others before Azure CLI succeeds (VS / SharedTokenCache etc.), but then returns a token for the wrong tenant. – juunas May 20 '21 at 06:54
  • I tried every credential specifically in order (listed here https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet). I would have thought that one of them would give me the same error that I got from DefaultAzureCredential, but they didn't - I got a different error from each one (except Cli) –  May 20 '21 at 07:16
  • Okay, that's weird.. What error did you get from them? – juunas May 20 '21 at 07:18
  • Have you tried `VisualStudioCredential`? That was missing from your list but is used by DefaultAzureCredential. You can see the created credentials in the source: https://github.com/Azure/azure-sdk-for-net/blob/748df71998927c7618f657cded2ed0648e24c9b3/sdk/identity/Azure.Identity/src/DefaultAzureCredential.cs#L191 – juunas May 20 '21 at 08:35
  • Yes - thank you! That was it. It wasn't in the docs, but that was causing the issue. Thanks for all your help! –  May 20 '21 at 16:31
  • Excellent :) With some of the credentials you can give options to define e.g. what tenant you want to use. DefaultAzureCredential accepts those options too. – juunas May 21 '21 at 05:47
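The following is an added example, not code from the question or the answer. It builds the explicit ChainedTokenCredential the answer suggests (managed identity plus Azure CLI), requests a Service Bus token, and prints the token's `iss` and `tid` claims so the issuing tenant can be compared with the expected one. `TenantCheck`, `ReadClaims` and `ExpectedTenantId` are hypothetical names, the tenant ID is a placeholder, and the code assumes an Azure.Identity version that provides `AzureCliCredentialOptions.TenantId`.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class TenantCheck
{
    // Placeholder (assumption): the ID of the tenant that owns the Service Bus namespace.
    const string ExpectedTenantId = "00000000-0000-0000-0000-000000000000";

    // Decodes the JWT payload without verifying the signature.
    // For diagnostics only; never base a trust decision on this.
    public static JsonElement ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        // base64url -> base64, then restore the stripped padding
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.Clone();
    }

    public static async Task Main()
    {
        // Explicit chain: managed identity when hosted in Azure, Azure CLI on a
        // developer machine. No Visual Studio or shared-cache credential is in
        // the chain, so none of them can answer first with another tenant's token.
        TokenCredential credential = new ChainedTokenCredential(
            new ManagedIdentityCredential(),
            new AzureCliCredential(new AzureCliCredentialOptions { TenantId = ExpectedTenantId }));

        // Scope used for Azure Service Bus data-plane access.
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://servicebus.azure.net/.default" }), default);

        JsonElement claims = ReadClaims(token.Token);
        string tid = claims.GetProperty("tid").GetString();
        Console.WriteLine($"iss = {claims.GetProperty("iss").GetString()}");
        Console.WriteLine($"tid = {tid}");
        if (!string.Equals(tid, ExpectedTenantId, StringComparison.OrdinalIgnoreCase))
            Console.WriteLine("Token was issued by a different tenant than expected (the InvalidIssuer case).");
    }
}
```

The same credential object can be passed to `.WithCredential(...)` in the `AddAzureClients` registration once the printed `tid` matches the expected tenant.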