使用 RBAC 连接到 Azure 服务总线停止工作
Connect to Azure Service Bus using RBAC stopped working
我正在使用托管身份连接到 Azure 服务总线,它过去工作正常。
今天早上,我意识到这种方法在本地(使用 Visual Studio)和部署的应用程序(使用托管身份)上不再有效。
我有一个自定义令牌提供程序class:
public class AzureServicebusManagedIdentityTokenProvider : TokenProvider
{
private const string Resource = "https://servicebus.azure.net/";
protected readonly string TenantId;
public AzureServicebusManagedIdentityTokenProvider(string tenantId = null)
{
TenantId = string.IsNullOrWhiteSpace(tenantId) ? null : tenantId;
}
public override async Task<SecurityToken> GetTokenAsync(string appliesTo, TimeSpan timeout)
{
string accessToken = await GetAccessToken(Resource);
return new JsonSecurityToken(accessToken, appliesTo);
}
private async Task<string> GetAccessToken(string resource)
{
var authProvider = new AzureServiceTokenProvider();
return await authProvider.GetAccessTokenAsync(resource, TenantId);
}
}
然后例如发送消息:
var sbMessageSender = new MessageSender(new ServiceBusConnection("<my connectionstring>")
{
TransportType = TransportType.Amqp,
TokenProvider = new AzureServicebusManagedIdentityTokenProvider("<my tenant id>")
}, "my queue name", RetryPolicy.Default);
var json = JsonConvert.SerializeObject(<message to send>);
var message = new Message(Encoding.UTF8.GetBytes(json));
await sbMessageSender.SendAsync(message);
抛出此错误:
Put token failed. status-code: 401, status-description: InvalidIssuer: Token issuer is invalid. TrackingId:5c6c17c7-7a9e-49f3-adf7-5dbfb35b3daf, SystemTracker:NoSystemTracker, Timestamp:2019-10-29T08:56:17.
我已检查我是否拥有 'Azure Service Bus Data Owner' 角色,并且 visual studio 中的 'Azure App authentication' 工具已设置为适当的帐户。
我正在使用这些 nuget 包:
Microsoft.Azure.Services.AppAuthentication v1.3.1Microsoft.Azure.ServiceBus v3.4.0
不确定我是否在做一些愚蠢的事情(因为它曾经有效)但任何帮助将不胜感激。
这似乎是 Azure 中的一个问题。根据我的支持票上的回复:
...this issue was caused by the latest service update where there was a syncing issue on the backend subscription ID info for the namespace. This only happens when a namespace is updated. Since RBAC authentication relies on constructing ARM resourceID using the stored subscription ID you saw authentication issues. The issue is now resolved and it should not re-occur.
我正在使用托管身份连接到 Azure 服务总线,它过去工作正常。
今天早上,我意识到这种方法在本地(使用 Visual Studio)和部署的应用程序(使用托管身份)上不再有效。
我有一个自定义令牌提供程序class:
public class AzureServicebusManagedIdentityTokenProvider : TokenProvider
{
private const string Resource = "https://servicebus.azure.net/";
protected readonly string TenantId;
public AzureServicebusManagedIdentityTokenProvider(string tenantId = null)
{
TenantId = string.IsNullOrWhiteSpace(tenantId) ? null : tenantId;
}
public override async Task<SecurityToken> GetTokenAsync(string appliesTo, TimeSpan timeout)
{
string accessToken = await GetAccessToken(Resource);
return new JsonSecurityToken(accessToken, appliesTo);
}
private async Task<string> GetAccessToken(string resource)
{
var authProvider = new AzureServiceTokenProvider();
return await authProvider.GetAccessTokenAsync(resource, TenantId);
}
}
然后例如发送消息:
var sbMessageSender = new MessageSender(new ServiceBusConnection("<my connectionstring>")
{
TransportType = TransportType.Amqp,
TokenProvider = new AzureServicebusManagedIdentityTokenProvider("<my tenant id>")
}, "my queue name", RetryPolicy.Default);
var json = JsonConvert.SerializeObject(<message to send>);
var message = new Message(Encoding.UTF8.GetBytes(json));
await sbMessageSender.SendAsync(message);
抛出此错误:
Put token failed. status-code: 401, status-description: InvalidIssuer: Token issuer is invalid. TrackingId:5c6c17c7-7a9e-49f3-adf7-5dbfb35b3daf, SystemTracker:NoSystemTracker, Timestamp:2019-10-29T08:56:17.
我已检查我是否拥有 'Azure Service Bus Data Owner' 角色,并且 visual studio 中的 'Azure App authentication' 工具已设置为适当的帐户。
我正在使用这些 nuget 包:
Microsoft.Azure.Services.AppAuthenticationv1.3.1Microsoft.Azure.ServiceBusv3.4.0
不确定我是否在做一些愚蠢的事情(因为它曾经有效)但任何帮助将不胜感激。
这似乎是 Azure 中的一个问题。根据我的支持票上的回复:
...this issue was caused by the latest service update where there was a syncing issue on the backend subscription ID info for the namespace. This only happens when a namespace is updated. Since RBAC authentication relies on constructing ARM resourceID using the stored subscription ID you saw authentication issues. The issue is now resolved and it should not re-occur.