Tags: azureservicebus, azure-sas

SAS tokens for Azure Service Bus for IoT nodes


I am using Azure Service Bus to send data from C# clients, of which there would be many.

I would like to authenticate on a per-client basis, so that any rogue client can be revoked at any time without affecting the others.

I can see there are SAS policies and from what I am reading this seems to be the way to go, but I cannot see where I would create a user - or is it a case of needing to create individual SAS policies, one per client?

If there are alternative solutions that give Topic/Queue access to the service bus I am open; ultimately I don't want to create thousands of AD users and would like to create credentials that can be assigned per client (or shared across a number of clients from the same deployment).

From Microsoft documentation I have seen the following statement:

A namespace or entity policy can hold up to 12 Shared Access Authorization rules, providing room for three sets of rules, each covering the basic rights and the combination of Send and Listen. This limit underlines that the SAS policy store isn't intended to be a user or service account store. If your application needs to grant access to Service Bus based on user or service identities, it should implement a security token service that issues SAS tokens after an authentication and access check.

What would this entail and are there any examples on github etc for this?


Solution

  • SAS tokens and Azure AD are the only two ways of authenticating to Azure Service Bus.

    In SAS we use the rule name and a cryptographic key (which is available in the portal) to generate tokens which can be passed to the Service Bus for authentication.

    The SAS token is a string which is created in a specific format:

    SharedAccessSignature sig=<signature-string>&se=<expiry>&skn=<keyName>&sr=<URL-encoded-resourceURI>
    
    • se - Time when the token will expire.

    • skn - Name of the rule.

    • sr - URL of the resource being accessed.

    • sig - URL-encoded HMACSHA256 signature.

    Since you can create SAS tokens programmatically, you can use the same rule for multiple clients.

    Reference :

    Authentication in ServiceBus using SAS

    Functions used to generate sas tokens in multiple languages
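Added example, not part of the question or the answer above: a small model of the token service the Microsoft statement describes, in Python rather than the C# of the question because the token format is language-neutral and the HMAC construction is what matters. `make_sas_token` builds the `sr`/`sig`/`se`/`skn` string the answer lists (sig = base64 HMAC-SHA256 over the URL-encoded resource URI, a newline, and the expiry), `verify_sas_token` is a local stand-in for the check the service performs on a presented token, and `issue_token_for_client` shows one shared rule minting short-lived, entity-scoped tokens for many clients. The namespace, rule name, key, entity name and client allow-list are all constructed for the example; the allow-list lookup stands in for whatever real authentication of the client you put in front of the service.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, quote_plus, unquote, unquote_plus

# Constructed sample values (hypothetical namespace, rule name and key; not real secrets).
NAMESPACE = "contoso-example"
KEY_NAME = "device-send"  # a Shared Access Authorization rule on the entity, granting Send
KEY = base64.b64encode(b"constructed-example-key-not-a-real-secret").decode("ascii")
KEYS = {KEY_NAME: KEY}    # rule name -> key, as the token-issuing service would hold them

# Constructed allow-list standing in for the token service's authentication and access
# check: client id -> (entity it may use, rule to sign with). Revoking a client is deleting
# its row; tokens it already holds keep working until their se (expiry), so keep the TTL short.
CLIENTS = {
    "sensor-0001": ("telemetry", KEY_NAME),
    "sensor-0002": ("telemetry", KEY_NAME),
}


def make_sas_token(resource_uri, key_name, key, ttl_seconds=600, now=None):
    """Build 'SharedAccessSignature sr=...&sig=...&se=...&skn=...'.

    sig = URL-encoded base64(HMAC-SHA256(key, url-encoded resource URI + "\n" + expiry)).
    """
    now = int(time.time()) if now is None else int(now)
    expiry = str(now + ttl_seconds)
    encoded_uri = quote_plus(resource_uri)
    string_to_sign = (encoded_uri + "\n" + expiry).encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return "SharedAccessSignature sr={}&sig={}&se={}&skn={}".format(
        encoded_uri, signature, expiry, key_name)


def parse_sas_token(token):
    """Split the token into its sr/sig/se/skn fields (values left URL-encoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.strip().partition("=")
        fields[name] = value
    return fields


def verify_sas_token(token, expected_resource_uri, keys, now=None):
    """Local model of the server-side check: right resource, known rule, unexpired, valid HMAC.

    Returns (ok, reason).
    """
    now = int(time.time()) if now is None else int(now)
    fields = parse_sas_token(token)
    for required in ("sr", "sig", "se", "skn"):
        if required not in fields:
            return False, "missing field " + required
    if unquote_plus(fields["sr"]) != expected_resource_uri:
        return False, "token is for a different resource"
    key = keys.get(fields["skn"])
    if key is None:
        return False, "unknown or revoked rule " + fields["skn"]
    try:
        expiry = int(fields["se"])
    except ValueError:
        return False, "malformed expiry"
    if expiry <= now:
        return False, "expired"
    string_to_sign = (fields["sr"] + "\n" + fields["se"]).encode("utf-8")
    expected = base64.b64encode(
        hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()).decode("ascii")
    # Constant-time compare so a forged sig cannot be guessed byte by byte.
    if not hmac.compare_digest(unquote(fields["sig"]), expected):
        return False, "bad signature"
    return True, "ok"


def issue_token_for_client(client_id, namespace=NAMESPACE, keys=KEYS, clients=CLIENTS,
                           ttl_seconds=600, now=None):
    """Token-service side: after checking the client, mint a short-lived token scoped to its entity."""
    entry = clients.get(client_id)
    if entry is None:
        raise PermissionError("client {} is not authorized".format(client_id))
    entity, key_name = entry
    resource_uri = "https://{}.servicebus.windows.net/{}".format(namespace, entity)
    return make_sas_token(resource_uri, key_name, keys[key_name], ttl_seconds, now)


if __name__ == "__main__":
    token = issue_token_for_client("sensor-0001")
    print(token)
    uri = "https://{}.servicebus.windows.net/telemetry".format(NAMESPACE)
    print(verify_sas_token(token, uri, KEYS))
```

The rule key never leaves the token service; clients only ever hold a token bound to one entity URI and one expiry, which is why a single rule can serve thousands of clients while revocation of one client is handled at issuance time rather than in the 12-rule policy store.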