How do I create an Azure ServiceBus SaS Token with Publish Only Rights?












0















I need to create a SaS token programmatically for a service bus with Microsoft.Azure.ServiceBus 3.X nuget package to work with a .NET standard library.



I can successfully create and use a token to subscribe and publish to Service Bus.
I don't see an option where I can limit the token to be able to only publish.



TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);


I would like to limit the rights on this token to be able to only publish to the topic, but not subscribe. Is this possible and if so how can I do this?










share|improve this question





























    0















    I need to create a SaS token programmatically for a service bus with Microsoft.Azure.ServiceBus 3.X nuget package to work with a .NET standard library.



    I can successfully create and use a token to subscribe and publish to Service Bus.
    I don't see an option where I can limit the token to be able to only publish.



    TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
    var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);


    I would like to limit the rights on this token to be able to only publish to the topic, but not subscribe. Is this possible and if so how can I do this?










    share|improve this question



























      0












      0








      0








      I need to create a SaS token programmatically for a service bus with Microsoft.Azure.ServiceBus 3.X nuget package to work with a .NET standard library.



      I can successfully create and use a token to subscribe and publish to Service Bus.
      I don't see an option where I can limit the token to be able to only publish.



      TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
      var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);


      I would like to limit the rights on this token to be able to only publish to the topic, but not subscribe. Is this possible and if so how can I do this?










      share|improve this question
















      I need to create a SaS token programmatically for a service bus with Microsoft.Azure.ServiceBus 3.X nuget package to work with a .NET standard library.



      I can successfully create and use a token to subscribe and publish to Service Bus.
      I don't see an option where I can limit the token to be able to only publish.



      TokenProvider td = SharedAccessSignatureTokenProvider.CreateSharedAccessSignatureTokenProvider(policyName, policyKey, expireTimeSpan);
      var token = await td.GetTokenAsync($"{path}{topic}", expireTimeSpan);


      I would like to limit the rights on this token to be able to only publish to the topic, but not subscribe. Is this possible and if so how can I do this?







      azure token servicebus






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 21 '18 at 11:48







      Kevin

















      asked Nov 20 '18 at 23:54









      KevinKevin

      4,814113949




      4,814113949
























          1 Answer
          1






          active

          oldest

          votes


















          1















          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.






          share|improve this answer


























          • Thanks my goal is to do this programmatically

            – Kevin
            Nov 21 '18 at 13:10






          • 1





            @Kevin I have updated the answer with demo code.

            – Tom Sun
            Nov 22 '18 at 5:37











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53403366%2fhow-do-i-create-an-azure-servicebus-sas-token-with-publish-only-rights%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1















          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.






          share|improve this answer


























          • Thanks my goal is to do this programmatically

            – Kevin
            Nov 21 '18 at 13:10






          • 1





            @Kevin I have updated the answer with demo code.

            – Tom Sun
            Nov 22 '18 at 5:37
















          1















          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.






          share|improve this answer


























          • Thanks my goal is to do this programmatically

            – Kevin
            Nov 21 '18 at 13:10






          • 1





            @Kevin I have updated the answer with demo code.

            – Tom Sun
            Nov 22 '18 at 5:37














          1












          1








          1








          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.






          share|improve this answer
















          Is this possible and if so how can I do this?




          If I understand correctly, you need to create a policy with [send] right. And then use the policyName and generated key to create the sas token.



          enter image description here



          The rights conferred by the policy rule can be a combination of:






          • 'Send' - Confers the right to send messages to the entity


          • 'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling


          • 'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities




          For more information, please refer to this document.



          Update:



          We could use the Microsoft.Azure.Management.ServiceBus.Fluent to create the policy.



          var authorizationRuleName = "xxx"; //policy name
          var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"D:TomDocumentsazureCred.txt");
          var restClient = RestClient.Configure().WithEnvironment(AzureEnvironment.AzureGlobalCloud)
          .WithCredentials(credentials)
          .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
          .Build();
          System.Threading.CancellationToken cancellationToken = new System.Threading.CancellationToken();
          ServiceBusManagementClient client = new ServiceBusManagementClient(restClient)
          {
          SubscriptionId = subscriptionId
          };
          List<AccessRights?> list = new List<AccessRights?> { AccessRights.Send};
          //create policy
          SharedAccessAuthorizationRuleInner result = client.Namespaces.CreateOrUpdateAuthorizationRuleAsync(resourceGroupName, nameSpace, authorizationRuleName, list, cancellationToken).Result;
          //get key
          var key = client.Namespaces.ListKeysAsync(resourceGroupName, nameSpace, authorizationRuleName).Result?.PrimaryKey;


          How to create the azureCred file, please refer to this document.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 22 '18 at 5:35

























          answered Nov 21 '18 at 1:16









          Tom SunTom Sun

          17.6k2923




          17.6k2923













          • Thanks my goal is to do this programmatically

            – Kevin
            Nov 21 '18 at 13:10






          • 1





            @Kevin I have updated the answer with demo code.

            – Tom Sun
            Nov 22 '18 at 5:37



















          • Thanks my goal is to do this programmatically

            – Kevin
            Nov 21 '18 at 13:10






          • 1





            @Kevin I have updated the answer with demo code.

            – Tom Sun
            Nov 22 '18 at 5:37

















          Thanks my goal is to do this programmatically

          – Kevin
          Nov 21 '18 at 13:10





          Thanks my goal is to do this programmatically

          – Kevin
          Nov 21 '18 at 13:10




          1




          1





          @Kevin I have updated the answer with demo code.

          – Tom Sun
          Nov 22 '18 at 5:37





          @Kevin I have updated the answer with demo code.

          – Tom Sun
          Nov 22 '18 at 5:37




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53403366%2fhow-do-i-create-an-azure-servicebus-sas-token-with-publish-only-rights%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Guess what letter conforming each word

          Port of Spain

          Run scheduled task as local user group (not BUILTIN)