From the Microsoft documentation, I see that SAS can be scoped only to Azure Service Bus namespaces, queues and topics, and not to subscriptions. I have a use case where I want the consumers of one subscription to not be able to access other subscriptions. If Azure Service Bus currently doesn't support it, how do I implement this?
2 votes
2 Answers
0 votes
I believe this is possible and the same is mentioned in the documentation as well.
While generating the signature, you would just need to use the resource URI for the subscription, like this:
https://<yournamespace>.servicebus.windows.net/myTopic/Subscriptions/mySubscription
You can check the scopes for the different rights required for service bus operations in the docs.
Here is a .NET Framework Sample for reference. (Thanks @Roberto!)
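The token generation described in the answer above, as an added Python example that is not part of the original answer or the linked sample. It builds a SAS token in the `sr`/`sig`/`se`/`skn` format for the subscription URI and shows that the signature binds the token to that URI, so a consumer cannot re-point it at another subscription. Assumptions: the namespace `contoso-ns`, the rule name `listen-only-rule` and the key are constructed placeholders, the rule is defined on the topic or namespace, and the key stays with the service that issues tokens.

```python
"""Build and check a Service Bus SAS token scoped to one topic subscription."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

PREFIX = "SharedAccessSignature "


def subscription_uri(namespace, topic, subscription):
    # Resource URI form given in the answer above.
    return (f"https://{namespace}.servicebus.windows.net/"
            f"{topic}/Subscriptions/{subscription}")


def _sign(encoded_uri, expiry, key):
    # The signature covers the URL-encoded resource URI and the expiry.
    to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_sas_token(resource_uri, key_name, key, ttl_seconds=900, now=None):
    # Short lifetime by default; "now" is injectable for repeatable runs.
    expiry = int(time.time() if now is None else now) + ttl_seconds
    encoded_uri = quote(resource_uri, safe="")
    sig = quote(_sign(encoded_uri, expiry, key), safe="")
    return f"{PREFIX}sr={encoded_uri}&sig={sig}&se={expiry}&skn={key_name}"


def signature_is_valid(token, key):
    # Recompute the HMAC from the token's own sr and se fields.
    fields = dict(p.split("=", 1) for p in token[len(PREFIX):].split("&"))
    expected = _sign(fields["sr"], fields["se"], key)
    return hmac.compare_digest(expected, unquote(fields["sig"]))


if __name__ == "__main__":
    # Constructed sample values; the key is a placeholder, not a real secret.
    key = "constructed-placeholder-key"
    uri = subscription_uri("contoso-ns", "myTopic", "mySubscription")
    print(make_sas_token(uri, "listen-only-rule", key))
```

`signature_is_valid` is a local check of the token's integrity only; the rights granted still come from the authorization rule named in `skn`.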
0 votes
If using managed identity is an option for you, then Azure RBAC does support fine-grained access. Please check the docs here. Example:
az role assignment create \
    --role $service_bus_role \
    --assignee $assignee_id \
    --scope /subscriptions/$subscription_id/resourceGroups/$resource_group/providers/Microsoft.ServiceBus/namespaces/$service_bus_namespace/topics/$service_bus_topic/subscriptions/$service_bus_subscription