Is it possible to use Hybrid Identity with MassTransit and Azure.Identity?

The newest versions of MassTransit started using the Azure.Identity package as a replacement for Microsoft.Azure.ServiceBus.

I use Hybrid Identity to authenticate an on-premise service with the Azure Service Bus. It works well with TokenProvider.CreateManagedIdentityTokenProvider in Microsoft.Azure.ServiceBus. However, after the switch to the Azure.Identity package, neither DefaultAzureCredential nor ManagedIdentityCredential works. I get an error saying that "Service request failed: 401 (Unathorized). Manage,EntityRead required for this operation".

I suspect that the new Azure.Identity package only works with Azure hosted apps and not with my on prem hosted service. But since it worked fine with the old package I am trying to figure out if I can make it work.

Any ideas if it is possible to use Hybrid Identity for accessing ASB from an on-prem service with a recent MassTransit package (>7.3.0)?



Solution 1:[1]

I'm the author of the original MassTransit change that brought the Service Bus SDK to v7.

There are differences in the underlying auth libraries.

TokenProvider.CreateManagedIdentityTokenProvider uses the AzureServiceTokenProvider under the hood. There are two possible paths when setting up the underlying token providers:

  1. If AzureServicesAuthConnectionString is set as an environment variable, it will be used to configure the auth settings.
  2. Else, there's a prioritized list of non-interactive providers (Msi, VS, Azure CLI, WindowsAuth (when using the full framework))

If the AzureServicesAuthConnectionString environment variable is not set, DefaultAzureCredential appears to be nearly identical for the underlying token providers. If it is set, it may be a difference in the parsing of the environment variable. The DefaultAzureCredential uses an EnvironmentCredential as a credential, but it expects separate variables for tenant ID, client ID, etc. (see docs for specifics).

Unfortunately, I'm not familiar with Hybrid Identity so these comments are solely based on my understanding of the Azure libraries.
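
An added example, not code from the answer or from MassTransit: it builds an explicit Azure.Identity credential from the legacy AzureServicesAuthConnectionString so the service keeps the identity it used before, and fails closed on settings it cannot map instead of falling through to a different identity. The class name LegacyAuthBridge is hypothetical, and the keys RunAs, AppId, TenantId, AppKey and DeveloperTool are assumed to follow the documented connection-string format of Microsoft.Azure.Services.AppAuthentication.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Azure.Core;
using Azure.Identity;

// Hypothetical helper (not part of MassTransit or the Azure SDK).
public static class LegacyAuthBridge
{
    // "Key=Value;Key=Value" -> case-insensitive dictionary; duplicate keys throw.
    static Dictionary<string, string> Parse(string value) =>
        value.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
             .Select(part => part.Split(new[] { '=' }, 2))
             .Where(kv => kv.Length == 2)
             .ToDictionary(kv => kv[0].Trim(), kv => kv[1].Trim(),
                           StringComparer.OrdinalIgnoreCase);

    public static TokenCredential Create()
    {
        var legacy = Environment.GetEnvironmentVariable("AzureServicesAuthConnectionString");
        if (string.IsNullOrWhiteSpace(legacy))
            return new DefaultAzureCredential(); // variable not set: use the default chain

        var s = Parse(legacy);
        s.TryGetValue("RunAs", out var runAs);
        s.TryGetValue("AppId", out var appId);
        s.TryGetValue("TenantId", out var tenantId);
        s.TryGetValue("AppKey", out var appKey);
        s.TryGetValue("DeveloperTool", out var tool);

        if (string.Equals(runAs, "App", StringComparison.OrdinalIgnoreCase))
        {
            // Service principal with a secret: the values EnvironmentCredential would read
            // from AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET.
            if (appId != null && tenantId != null && appKey != null)
                return new ClientSecretCredential(tenantId, appId, appKey);
            // Only RunAs (and optionally AppId): managed identity, AppId = user-assigned.
            if (s.Count == (appId == null ? 1 : 2))
                return new ManagedIdentityCredential(appId);
        }
        if (string.Equals(runAs, "Developer", StringComparison.OrdinalIgnoreCase))
        {
            if (string.Equals(tool, "AzureCli", StringComparison.OrdinalIgnoreCase))
                return new AzureCliCredential();
            if (string.Equals(tool, "VisualStudio", StringComparison.OrdinalIgnoreCase))
                return new VisualStudioCredential();
        }
        // Fail closed and never echo the full string: it may contain AppKey.
        throw new NotSupportedException("Unmapped legacy auth setting, RunAs=" + runAs);
    }
}
```

The returned TokenCredential goes wherever the Service Bus client configuration accepts one; logging which branch was taken at startup makes it visible which identity the 401 applies to.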

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1