
How do I create an Azure Service Bus SAS token with publish-only rights?


I need to create a SAS token programmatically for a service bus with the Microsoft.Azure.ServiceBus 3.x NuGet package, to work with a .NET Standard library.

I can successfully create and use a token to subscribe and publish to Service Bus. I don't see an option where I can limit the token to be able to only publish.

using Microsoft.Azure.ServiceBus;
using Microsoft.Azure.ServiceBus.Primitives; // TokenProvider / SharedAccessSignatureTokenProvider in 3.x

TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);

I would like to limit the rights on this token to be able to only publish to the topic, but not subscribe. Is this possible and if so how can I do this?


Solution

  • Is this possible and if so how can I do this?

    If I understand correctly, you need to create a policy with the [Send] right, and then use the policy name and the generated key to create the SAS token.


    The rights conferred by the policy rule can be a combination of:

    • 'Send' - Confers the right to send messages to the entity
    • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling
    • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities

    For more information, please refer to this document.

    Update:

    We could use the Microsoft.Azure.Management.ServiceBus.Fluent package to create the policy.

    // Namespaces used: Microsoft.Azure.Management.ResourceManager.Fluent (+ .Core, .Authentication)
    // and Microsoft.Azure.Management.ServiceBus.Fluent (+ .Models)
    public static async Task<string> CreateSendOnlyPolicyAsync(string subscriptionId, string resourceGroupName, string nameSpace)
    {
        var authorizationRuleName = "xxx"; //policy name
        var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:\Tom\Documents\azureCred.txt");
        var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
                        .WithCredentials(credentials)
                        .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
                        .Build();
        var client = new ServiceBusManagementClient(restClient)
        {
            SubscriptionId = subscriptionId
        };
        // Only the Send right: a token signed with this policy's key can publish but not receive
        var list = new List<AccessRights?> { AccessRights.Send };
        //create policy (this overload creates a namespace-scoped rule)
        SharedAccessAuthorizationRuleInner result = await client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(
            resourceGroupName, nameSpace, authorizationRuleName, list, CancellationToken.None);
        //get key
        var keys = await client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName);
        return keys?.PrimaryKey;
    }


    For how to create the azureCred file, please refer to this document.
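Why the answer above works, shown in code. This is an added example, not code from the question or the answer: it builds a Service Bus SAS token by hand using the same scheme the SDK's SharedAccessSignatureTokenProvider uses (HMAC-SHA256 over the URL-encoded resource URI and the expiry, keyed with the policy key). The namespace, topic name, policy name and key are constructed for the example. The thing to notice is that the token carries only the policy name (skn), a signature and an expiry; the Send/Listen/Manage rights are looked up from the policy on the service side, so a publish-only token is nothing more than a token signed with a Send-only policy's key. The Verify method is illustrative of what the service checks and is not part of any SDK.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public static class ServiceBusSas
{
    // Constructed values for this example; none of them are real.
    // The audience is the topic path, not the namespace root, so the token
    // cannot be presented against other entities in the namespace.
    public const string ResourceUri = "https://contoso-example.servicebus.windows.net/orders";
    public const string PolicyName  = "orders-send-only";      // assumed to have been created with AccessRights.Send
    public const string PolicyKey   = "c29tZS1mYWtlLTI1Ni1iaXQta2V5LWZvci10ZXN0aW5nLW9ubHk="; // fake key

    // Same construction the SDK performs: sign "<url-encoded resource>\n<expiry>" with the policy key.
    public static string BuildToken(string resourceUri, string policyName, string policyKey, TimeSpan ttl)
    {
        long expiry = DateTimeOffset.UtcNow.Add(ttl).ToUnixTimeSeconds();
        string encodedUri = WebUtility.UrlEncode(resourceUri);
        string stringToSign = encodedUri + "\n" + expiry.ToString(CultureInfo.InvariantCulture);

        string signature;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(policyKey)))
        {
            signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
        }

        // Note what is NOT here: no rights, no caller identity. Only the policy name.
        return string.Format(CultureInfo.InvariantCulture,
            "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}",
            encodedUri, WebUtility.UrlEncode(signature), expiry, policyName);
    }

    // Illustrative server-side check: parse the fields, reject expired tokens, recompute the HMAC
    // with the key of the policy named in skn, and compare in constant time. Only after this does
    // the service apply whatever rights that policy grants.
    public static bool Verify(string token, string policyKey, DateTimeOffset now)
    {
        const string prefix = "SharedAccessSignature ";
        if (!token.StartsWith(prefix, StringComparison.Ordinal)) return false;

        var fields = new Dictionary<string, string>();
        foreach (var part in token.Substring(prefix.Length).Split('&'))
        {
            int eq = part.IndexOf('=');
            if (eq < 0) return false;
            fields[part.Substring(0, eq)] = part.Substring(eq + 1);
        }
        foreach (var required in new[] { "sr", "sig", "se", "skn" })
            if (!fields.ContainsKey(required)) return false;

        if (!long.TryParse(fields["se"], NumberStyles.None, CultureInfo.InvariantCulture, out long expiry)) return false;
        if (now.ToUnixTimeSeconds() >= expiry) return false;

        byte[] expected;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(policyKey)))
        {
            // sr is stored URL-encoded and was signed URL-encoded, so use it as-is.
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(fields["sr"] + "\n" + fields["se"]));
        }

        byte[] actual;
        try { actual = Convert.FromBase64String(WebUtility.UrlDecode(fields["sig"])); }
        catch (FormatException) { return false; }

        // Constant-time comparison (avoids CryptographicOperations, which is not in .NET Standard 2.0).
        if (expected.Length != actual.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    public static void Main()
    {
        string token = BuildToken(ResourceUri, PolicyName, PolicyKey, TimeSpan.FromMinutes(10));
        Console.WriteLine(token);
        Console.WriteLine("valid now:      " + Verify(token, PolicyKey, DateTimeOffset.UtcNow));               // true
        Console.WriteLine("valid in 1 h:   " + Verify(token, PolicyKey, DateTimeOffset.UtcNow.AddHours(1)));   // false, expired
        Console.WriteLine("wrong key:      " + Verify(token, "not-the-policy-key", DateTimeOffset.UtcNow));    // false
        Console.WriteLine("mentions Send:  " + token.Contains("Send"));                                        // false, rights are not in the token
    }
}
```

Two practical consequences follow. First, the token's privilege is exactly the policy's privilege, so the least-privilege move is to create the Send-only rule on the topic rather than on the namespace; the same Fluent client exposes a topic-scoped variant (client.Topics.CreateOrUpdateAuthorizationRuleAsync, taking the topic name in addition to the parameters used in the answer; check the exact signature against your SDK version). Second, because anyone holding the policy key can mint tokens for any entity the policy covers, keep the key on the token-issuing side only, hand clients short-lived tokens (the ttl above), and sign the audience as the specific topic path the client needs.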