I need to create a SAS token programmatically for a Service Bus with the Microsoft.Azure.ServiceBus 3.X NuGet package to work with a .NET Standard library.
I can successfully create and use a token to subscribe and publish to Service Bus. I don't see an option where I can limit the token to be able to only publish.
TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);
I would like to limit the rights on this token so that it can only publish to the topic, but not subscribe. Is this possible, and if so, how can I do this?
If I understand correctly, you need to create a policy with the [Send] right, and then use the policy name and the generated key to create the SAS token.
The rights conferred by the policy rule can be a combination of:
- 'Send' - Confers the right to send messages to the entity
- 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling
- 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities
For more information, please refer to this document.
Update:
We could use the Microsoft.Azure.Management.ServiceBus.Fluent package to create the policy.
// using directives assumed for the Fluent management SDK
using System.Collections.Generic;
using System.Threading;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Core;
using Microsoft.Azure.Management.ServiceBus.Fluent;
using Microsoft.Azure.Management.ServiceBus.Fluent.Models;

var authorizationRuleName = "xxx"; // policy name
var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:\Tom\Documents\azureCred.txt");
var restClient = RestClient.Configure()
    .WithEnvironment(AzureEnvironment.AzureGlobalCloud)
    .WithCredentials(credentials)
    .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
    .Build();
var cancellationToken = new CancellationToken();
var client = new ServiceBusManagementClient(restClient)
{
    SubscriptionId = subscriptionId
};
// Send only: no Listen, so a token signed with this policy's key cannot receive
var list = new List<AccessRights?> { AccessRights.Send };
// create policy
SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(
    resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
// get key (this is the policyKey to pass to the token provider)
var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;
For how to create the azureCred file, please refer to this document.
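To show why the restriction has to live in the policy rather than in the token, here is an added example (not from the question, the answer, or the SDK) that builds and verifies a Service Bus SAS token in the same sr/sig/se/skn format the token provider emits; the policy names, keys and resource URI are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote


def create_sas_token(resource_uri: str, policy_name: str, policy_key: str,
                     expiry_epoch: int) -> str:
    """Build a Service Bus SAS token in the sr/sig/se/skn format.

    Only the resource URI and expiry are signed. No Send/Listen/Manage flag
    is carried in the token; the broker looks the rights up on the policy
    named in skn, so a send-only token requires a send-only policy.
    """
    encoded_uri = quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    digest = hmac.new(policy_key.encode("utf-8"), string_to_sign,
                      hashlib.sha256).digest()
    signature = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return (f"SharedAccessSignature sr={encoded_uri}&sig={signature}"
            f"&se={expiry_epoch}&skn={policy_name}")


def parse_sas_token(token: str) -> dict:
    """Split a SAS token into its (percent-decoded) sr, sig, se, skn fields."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a Service Bus SAS token")
    fields = parse_qs(token[len(prefix):], strict_parsing=True)
    return {name: values[0] for name, values in fields.items()}


def verify_sas_token(token: str, resource_uri: str, policies: dict,
                     now_epoch: int) -> bool:
    """Broker-side check: known policy, not expired, scope and signature match.
    `policies` maps policy name -> shared access key and stands in for the
    namespace's shared access policies (constructed for this example).
    """
    fields = parse_sas_token(token)
    key = policies.get(fields.get("skn", ""))
    if key is None or int(fields.get("se", "0")) <= now_epoch:
        return False
    if fields.get("sr") != resource_uri:
        return False
    expected = parse_sas_token(create_sas_token(
        resource_uri, fields["skn"], key, int(fields["se"])))["sig"]
    return hmac.compare_digest(expected, fields.get("sig", ""))
```

The parsed fields contain no rights at all, which is why the send-only restriction comes from the policy named in skn, not from anything you can put in the token.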