Using Azure Service Bus with restricted access

Azure Service Bus provides many ways to setup different access levels for all types of things like the bus itself, queues, topics or subscriptions. In this post some of the ways to configure the different access levels for a queue sender will be shown.

In this demo we want to allow only send access rights for a specific queue on the bus. This would be used by a third party application which should have no further access rights for any of the other services on the bus.

Code https://github.com/damienbod/AspNetCoreServiceBus

Posts in this Series:

Setup using Azure CLI

Azure CLI can be used to setup the Azure Service Bus.

Azure CLI docs and download links: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

When Azure CLI is installed and running, you need to Login.

 
az login

If the login does not work, you might have to allow your default browser to open the insecure redirect URL to complete the login. For example, when using Chrome, use the following to reset the hsts. Unsecure URLs are required for this Azure az login. Maybe this should be fixed.

 
chrome://net-internals/#hsts

Now that Azure CLI is running, and you are logged, you can create a new bus for your subscription. Create a new resource group before running and set as required.

Create the bus if needed:

az servicebus namespace create --resource-group damienbod-rg --name damienbod-service-bus --location eastus

Setup the queue and add a shared access policy.

az servicebus queue create --resource-group damienbod-rg --namespace damienbod-service-bus --name myqueue

az servicebus queue authorization-rule create --name myqueuepolicy --namespace-name damienbod-service-bus --queue-name myqueue --resource-group damienbod-rg --rights Send

This could also be setup using the Azure portal UI.

A new queue can be created by clicking the Queues menu in your bus and then Add:

A policy can be added directly to the queue with just the send rights.

Now a simple C# application can be implemented which sends messages to the queue.

Add the Microsoft.Azure.ServiceBus NuGet package to new console project:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.Azure.ServiceBus" Version="4.1.2" />
  </ItemGroup>

</Project>

Now add a simple queue sender client:

using Microsoft.Azure.ServiceBus;
using System.Text;
using System.Threading.Tasks;

namespace ReducedAccessRightsQueueSender
{
    class Program
    {
        private static string ConnectionStringQueueBus = "your connection string";
        public static void Main(string[] args) => MainAsync().GetAwaiter().GetResult();

        static async Task MainAsync()
        {
            var myQueueConnectionString = new ServiceBusConnectionStringBuilder(ConnectionStringQueueBus);
            var myQueue = new QueueClient(myQueueConnectionString);
            var queueMessage = new Message(Encoding.UTF8.GetBytes("some message from somewhere"));
            await myQueue.SendAsync(queueMessage);
        }
    }
}

To get the policy connection string with the reduced access rights, you can go to the Azure portal, open the Service Bus, open the queue from the Queues menu, click the shared access policy menu, Now open the policy you created above. The connection string for this policy can be copied and added to your C# client code.

The messages could be consumed for example in an Azure function. When using Azure functions to consume Azure Service Bus queue messages, the payload needs to be sent in the body.

In an Azure Functions project, a simple Service Bus Queue function can be created. This would consume the messages.

using System;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Host;
using Microsoft.Extensions.Logging;

namespace FunctionService3
{
    public static class MyQueueFunction
    {
        [FunctionName("MyQueueFunction")]
        public static void Run([ServiceBusTrigger("myqueue", Connection = "ServiceBusConnectionString")]string myQueueItem, ILogger log)
        {
            log.LogInformation($"C# ServiceBus queue trigger function processed message: {myQueueItem}");
        }
    }
}

When the connection strings are set correctly, the messages will be sent and consumed.

Service Bus Explorer

The Service Bus Explorer is a great tool for doing almost anything on your bus. For example, this could be used to manage dead letter messages.

Service Bus Explorer can be downloaded here:

https://github.com/paolosalvatori/ServiceBusExplorer/releases

To demonstrate this, some messages will be sent which cannot be processed and gets sent to the dead letter queue after 10 tries. This can be configured as required. To try this, you could throw an exception in the Azure function which consumes the queue message.

Now open the Service Bus Explorer, fix and resend the messages in the dead letter queue. This is one possible way of dealing with messages in the dead letter queue. This will only work as long as you don’t have too many messages. If you dealing with lots of messages in this dead letter queue, you would need to solve this is a differnet way, for example using code to analyse, fix and resend.

In the explorer UI, click the required queue, and then the Deadletter button and peek.

Now you can fix the messages if required, and resend it to your queue.

Links

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-tutorial-topics-subscriptions-cli

https://github.com/paolosalvatori/ServiceBusExplorer/

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

3 comments

  1. […] Using Azure Service Bus with restricted access (Damien Bowden) […]

  2. […] Using Azure Service Bus with restricted access – Damian Bowden […]

  3. […] execute destructive operations such as deleting queues. My friend Damien has a great article about restricted access with Azure Service Bus should you wish to dig […]

Leave a Reply to The Morning Brew - Chris Alcock » The Morning Brew #2948 Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: