6

I'm attempting to access Azure Service Bus using a managed identity from my code. At the moment I'm just trying this locally.

When I debug my code I get the following error

System.UnauthorizedAccessException: Put token failed. status-code: 401, status-description: InvalidIssuer: Token issuer is invalid

Here is my service bus instance

Here is my user with Azure Service Bus Data Owner permissions

And here is my code

_client = new ServiceBusClient("oconnorevents.servicebus.windows.net", new DefaultAzureCredential());

I am logged into Visual Studio as the same user added to the service bus. I also tried logging in via the CLI but it didn't help.

Where am I going wrong here?

I've looked at this similar recent question here but the solutions proposed didn't work for me.

Konzy262

4 Answers

8

Since I have access to several different tenants, Visual Studio sometimes gets confused. Another way you can handle this is to continue to use the DefaultAzureCredential, but to give Visual Studio a hint about which tenant to use.
First, left-click your project and examine the properties, and then:

  1. Left-click "Debug"
  2. Left-click the "Add" button to add an environment variable
  3. For name use "AZURE_TENANT_ID" and for value use your tenant id. Yes, that is a bogus tenant id in the picture :-)

Reference

David Yates
6

If you use DefaultAzureCredential to authenticate, it will try several credential types, as mentioned here. One of them is VisualStudioCredential, but it will authenticate to the home AAD tenant of the user logged in to VS. In your case, I suppose the service bus is in a subscription which is not under the home tenant of the user.

I can also reproduce your issue on my side.

To solve the issue, just use VisualStudioCredential directly and specify the TenantId via VisualStudioCredentialOptions; then it will work fine.

Sample:

To find the TenantId, just navigate to the Azure Active Directory in which the subscription of your service bus is located.

TokenCredential tokenCredential = new VisualStudioCredential(new VisualStudioCredentialOptions {TenantId = "xxxxxxx" });
ServiceBusClient client = new ServiceBusClient("xxx.servicebus.windows.net", tokenCredential);

Joy Wang
  • Thanks for that. It did work with the specifics but I don't see a reason why it wouldn't work generally. I only have 1 subscription where everything lives, including service bus. – Konzy262 May 25 '21 at 15:07
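
Added example, not part of any answer on this page: the answer above attributes the error to a token issued by the user's home tenant, so decoding the token's `tid` and `iss` claims shows which tenant the credential actually used. The class and method names are hypothetical, and the tenant GUIDs and the unsigned sample token are constructed placeholders.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TokenTenantCheck // hypothetical helper, not part of the Azure SDK
{
    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Decode the payload segment of a JWT without verifying it (diagnostics only).
    static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("expected header.payload.signature");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    // Compare the token's tenant ("tid" claim) with the tenant that owns the namespace.
    public static bool IssuedByTenant(string jwt, string expectedTenantId, out string tid, out string iss)
    {
        JsonElement p = DecodePayload(jwt);
        tid = p.TryGetProperty("tid", out JsonElement t) ? t.GetString() ?? "" : "";
        iss = p.TryGetProperty("iss", out JsonElement i) ? i.GetString() ?? "" : "";
        return string.Equals(tid, expectedTenantId, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Constructed placeholders: tenant the namespace lives in vs. the user's home tenant.
        const string namespaceTenant = "22222222-2222-2222-2222-222222222222";
        const string homeTenant = "11111111-1111-1111-1111-111111111111";
        // Constructed, unsigned sample token. For a real check, take the Token property of
        //   await credential.GetTokenAsync(new TokenRequestContext(
        //       new[] { "https://servicebus.azure.net/.default" }), default);
        // and print only the claims, never the token itself.
        string payload = "{\"aud\":\"https://servicebus.azure.net\"," +
                         "\"iss\":\"https://sts.windows.net/" + homeTenant + "/\"," +
                         "\"tid\":\"" + homeTenant + "\"}";
        string jwt = B64Url("{\"alg\":\"none\",\"typ\":\"JWT\"}") + "." + B64Url(payload) + ".sig";
        bool ok = IssuedByTenant(jwt, namespaceTenant, out string tid, out string iss);
        Console.WriteLine($"tid={tid} iss={iss}");
        Console.WriteLine(ok ? "Token tenant matches the namespace tenant."
                             : $"Tenant mismatch: expected {namespaceTenant}. Set AZURE_TENANT_ID or TenantId.");
    }
}
```

The payload is decoded without signature validation, so treat the output as a local diagnostic only and not as an authorization decision.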
6

Specify the exact tenant id by adding the following key to local.settings.json.

"AZURE_TENANT_ID": "your tenant id"

I tried to create an Azure Function that receives messages from a service bus queue using a managed identity trigger and it worked for me.

Anish
0

Late to the party, but I got it working on my local Visual Studio with this code:

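// Requires the Azure.Identity, Azure.Messaging.ServiceBus and Newtonsoft.Json packages.
var tokenCredential = new VisualStudioCredential(new VisualStudioCredentialOptions { TenantId = "xxx-xxx" });

ServiceBusClient client = new ServiceBusClient("my-name-space.servicebus.windows.net", tokenCredential);

// C# string literals take double quotes; single quotes are char literals.
ServiceBusSender sender = client.CreateSender("my-topic");

// Person is a class from the answerer's own project (not shown).
var msgBody = new Person { Name = "joe" };

await sender.SendMessageAsync(new ServiceBusMessage(JsonConvert.SerializeObject(msgBody)));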

Also, remember to sign in to Azure in your Visual Studio, and assign your account to the role "Azure Service Bus Data Sender"; see below:

sean717