How do I create an Azure ServiceBus SaS Token with Publish Only Rights?











up vote
0
down vote

favorite












I need to create a SaS token programmatically for a service bus with Microsoft.Azure.ServiceBus 3.X nuget package to work with a .NET standard library.



I can successfully create and use a token to subscribe and publish to Service Bus.
I don't see an option where I can limit the token to be able to only publish.



TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);


I would like to limit the rights on this token to be able to only publish to the topic, but not subscribe. Is this possible and if so how can I do this?










share|improve this question




























    up vote
    0
    down vote

    favorite












    I need to create a SaS token programmatically for a service bus with Microsoft.Azure.ServiceBus 3.X nuget package to work with a .NET standard library.



    I can successfully create and use a token to subscribe and publish to Service Bus.
    I don't see an option where I can limit the token to be able to only publish.



    TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
    var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);


    I would like to limit the rights on this token to be able to only publish to the topic, but not subscribe. Is this possible and if so how can I do this?










    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I need to create a SaS token programmatically for a service bus with Microsoft.Azure.ServiceBus 3.X nuget package to work with a .NET standard library.



      I can successfully create and use a token to subscribe and publish to Service Bus.
      I don't see an option where I can limit the token to be able to only publish.



      TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
      var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);


      I would like to limit the rights on this token to be able to only publish to the topic, but not subscribe. Is this possible and if so how can I do this?










      share|improve this question















      I need to create a SaS token programmatically for a service bus with Microsoft.Azure.ServiceBus 3.X nuget package to work with a .NET standard library.



      I can successfully create and use a token to subscribe and publish to Service Bus.
      I don't see an option where I can limit the token to be able to only publish.



      TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
      var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);


      I would like to limit the rights on this token to be able to only publish to the topic, but not subscribe. Is this possible and if so how can I do this?







      azure token servicebus






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 2 days ago

























      asked Nov 20 at 23:54









      Kevin

      4,762113949




      4,762113949
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote














          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.






          share|improve this answer























          • Thanks my goal is to do this programmatically
            – Kevin
            2 days ago






          • 1




            @Kevin I have updated the answer with demo code.
            – Tom Sun
            yesterday











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53403366%2fhow-do-i-create-an-azure-servicebus-sas-token-with-publish-only-rights%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote














          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.






          share|improve this answer























          • Thanks my goal is to do this programmatically
            – Kevin
            2 days ago






          • 1




            @Kevin I have updated the answer with demo code.
            – Tom Sun
            yesterday















          up vote
          1
          down vote














          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.






          share|improve this answer























          • Thanks my goal is to do this programmatically
            – Kevin
            2 days ago






          • 1




            @Kevin I have updated the answer with demo code.
            – Tom Sun
            yesterday













          up vote
          1
          down vote










          up vote
          1
          down vote










          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.






          share|improve this answer















          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited yesterday

























          answered Nov 21 at 1:16









          Tom Sun

          15.8k2821




          15.8k2821












          • Thanks my goal is to do this programmatically
            – Kevin
            2 days ago






          • 1




            @Kevin I have updated the answer with demo code.
            – Tom Sun
            yesterday


















          • Thanks my goal is to do this programmatically
            – Kevin
            2 days ago






          • 1




            @Kevin I have updated the answer with demo code.
            – Tom Sun
            yesterday
















          Thanks my goal is to do this programmatically
          – Kevin
          2 days ago




          Thanks my goal is to do this programmatically
          – Kevin
          2 days ago




          1




          1




          @Kevin I have updated the answer with demo code.
          – Tom Sun
          yesterday




          @Kevin I have updated the answer with demo code.
          – Tom Sun
          yesterday


















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53403366%2fhow-do-i-create-an-azure-servicebus-sas-token-with-publish-only-rights%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Berounka

          Sphinx de Gizeh

          Different font size/position of beamer's navigation symbols template's content depending on regular/plain...