3
votes

Azure Service Bus supports managed identity access; however, the only method I've found to, for example, send a message to a queue is this approach, which requires code and the Service Bus SDK:

using System.Text;
using Microsoft.Azure.ServiceBus;
using Microsoft.Azure.ServiceBus.Primitives;

var tokenProvider = TokenProvider.CreateManagedServiceIdentityTokenProvider();
QueueClient sendClient = new QueueClient($"sb://{Config.Namespace}.servicebus.windows.net/", Config.Queue, tokenProvider);
await sendClient.SendAsync(new Message(Encoding.UTF8.GetBytes(messageInfo.MessageToSend)));
await sendClient.CloseAsync();

Sources:
https://github.com/Azure-Samples/app-service-msi-servicebus-dotnet
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-managed-service-identity

I'm looking for a way to do the same thing with a REST API call from within an Azure API Management policy. I've granted APIM role-based access to Service Bus and I'm able to get a token back, but I get this error from Service Bus when attempting the REST API call with the managed identity token passed in the Authorization header:

MalformedToken: The credentials contained in the WRAP header are not well-formed.

It looks like Service Bus might only support WRAP or SAS tokens at this point with their REST API: https://docs.microsoft.com/en-us/rest/api/servicebus/send-message-batch

But then again, how is this working behind the scenes?

TokenProvider.CreateManagedServiceIdentityTokenProvider()

Seems like it should be possible with the REST API.

Comments:

Seems like it assigns the token to the Authorization header, seems pretty standard :\ - juunas

Hmm, but it could be that they don't specify it as Authorization: Bearer tokenabcdef..... but as Authorization: tokenabcdef. - juunas

@juunas I couldn't find any documentation on this unfortunately. I tried using the <authentication-managed-identity resource="servicebus.azure.net" /> APIM policy. It uses the "Bearer {token}" format, but SB doesn't like it. - Joey Eng

@juunas You were right! It works with just the token value. No prefix. I wonder why this isn't documented. If you add that as an answer I'll give you credit. - Joey Eng

1 Answer

0
votes

It seems in the SDK they don't specify it as Authorization: Bearer tokenabcdef..... but as Authorization: tokenabcdef, which is a bit unusual.
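The finding above (raw token in the Authorization header, no "Bearer " prefix) put together as a complete APIM inbound policy. This is an added example, not code from the question, the answer, or Microsoft's samples. Assumed names: the namespace "contoso", the queue "orders", and the policy variables "sb-token" and "sb-response"; the resource value is the one the question used.

```xml
<!-- Added example, not from the original post: APIM inbound policy that forwards the
     caller's request body to a Service Bus queue over REST using the APIM managed identity.
     Assumed: namespace "contoso", queue "orders", variables "sb-token" / "sb-response". -->
<inbound>
    <base />
    <!-- Acquire a token for Service Bus with the API Management managed identity.
         ignore-error="false" makes a failed token request fail the call instead of
         continuing with an empty header. -->
    <authentication-managed-identity resource="servicebus.azure.net" output-token-variable-name="sb-token" ignore-error="false" />
    <send-request mode="new" response-variable-name="sb-response" timeout="20" ignore-error="false">
        <set-url>https://contoso.servicebus.windows.net/orders/messages</set-url>
        <set-method>POST</set-method>
        <!-- Service Bus expects the bare token here; "Bearer <token>" is rejected as a malformed WRAP header. -->
        <set-header name="Authorization" exists-action="override">
            <value>@((string)context.Variables["sb-token"])</value>
        </set-header>
        <set-header name="Content-Type" exists-action="override">
            <value>application/json</value>
        </set-header>
        <set-body>@(context.Request.Body.As<string>(preserveContent: true))</set-body>
    </send-request>
    <!-- Service Bus answers 201 Created on success; surface anything else rather than
         returning success to the caller for a message that was never enqueued. -->
    <choose>
        <when condition="@(((IResponse)context.Variables["sb-response"]).StatusCode >= 300)">
            <return-response>
                <set-status code="502" reason="Service Bus rejected the message" />
            </return-response>
        </when>
    </choose>
    <return-response>
        <set-status code="202" reason="Accepted" />
    </return-response>
</inbound>
```

For the RBAC side, grant the APIM managed identity the built-in "Azure Service Bus Data Sender" role scoped to the queue (not Owner or Contributor on the namespace), so the policy can enqueue messages but cannot read them or alter the namespace. The status check at the end matters: without it a 401 from Service Bus would otherwise come back to the API caller as a success.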