Azure Service Bus Managed Service Identity (MSI) and Role-based access control (RBAC) (preview) released!

We are happy to announce the preview release of Managed Service Identity (MSI) and Role-based access control (RBAC) for Azure Service Bus. In this preview we show how to use the two features with Azure Service Bus.

Release notes:

For the initial public preview, you can only add AAD accounts and service principals to the "Owner" or "Contributor" roles of an Azure Service Bus namespace. The same for MSI, in which you can only add a managed service identity to the "Owner" or "Contributor" roles of an Azure Service Bus namespace.

In an upcoming update, Azure Service Bus will add explicit roles for "Sender" and "Receiver" that enable you to grant only send or receive permissions. The receive permission also provides read-only access to obtain information about the entity, and permission to control the message disposition, including moving it to the dead-letter queue.

In subsequent updates, it will also be possible to associate MSI or AAD accounts and service principals with roles at the level of individual entities, enabling fine grained access control. In addition to the predefined roles, you will be able to compose custom roles from the underlying Azure Service Bus permission set will also be enabled.

Regional availability:

The preview is only available in the following regions: US East, US East 2, West Europe.

Known issues:

There are two known issues in this preview which will be addressed with the next release:

Issue 1:

Steps:

  1. Create AAD App Credential.
  2. Do not assign any role.
  3. Create Service Bus client and start sending.
  4. This will fail - which is expected.
  5. Now assign contributor/owner role on Service Bus namespace for this App Credential.
  6. Sending on this Service Bus Client (active connection and cbs link) will still continue to fail.

 

This should recover after RBAC expiry. This is 20 minutes on production.

Issue 2:

Steps:

  1. Create AAD App Credential.
  2. Assign Contributor role and start sending (in a while loop) using Service Bus client.
  3. Now, delete the role assignment –
  4. This will not affect the current active It ran up to 30 minutes in our tests.

This should recover after token expiry. We don’t do an RBAC check on the existing link until the token expires.

Issue 3:

If your subscription already has a service bus namespace or event hubs namespace, the RBAC call might fail with an exception. In this case, re-register the following resource providers to make it work.

Resource providers

  • Microsoft.EventHub
  • Microsoft.ServiceBus

You can use Azure Portal, Power Shell, or CLI to register a provider. For more information, see /en-us/azure/azure-resource-manager/resource-manager-supported-services.

Issue 4:

If you are using RBAC and assign rights for your user and / or the AAD app, under your Event Hubs Namespace and there under Instance Access Management (IAM), you need to re-add yourself as owner even though you may have ownership rights inherited from your subscription.

Learn more:

The following articles also contain links to GitHub code samples for both RBAC and MSI.

To learn more about RBAC please follow this link. :

/en-us/azure/service-bus-messaging/service-bus-role-based-access-control

To learn more about MSI please follow this link:

/en-us/azure/service-bus-messaging/service-bus-managed-service-identity