Comments (17)
@minghuaw
I was able to get a token using the DefaultAzureCredentail
(CLI) by changing the scope to (removing .default):
const DEFAULT_SCOPE: &str = "https://eventhubs.azure.net/";
This seems to be documented here: https://learn.microsoft.com/en-us/azure/event-hubs/authenticate-application
However, I am a bit confused because the scope you originally used also seems to be used often if you search for it on GitHub.
from azeventhubs.
I think I figured out why it didn't work. https://github.com/Azure/azure-sdk-for-rust/blob/c0d938c7ae0f5fef878956617ff73245e94026a9/sdk/identity/src/token_credentials/client_secret_credentials.rs#L144 azure_identity
is appending ".default"
internally.
from azeventhubs.
@jackgerrits The problem with azure_identity
credentials has been fixed (tested on an azure VM and added a new example). I have released version "0.14.0" on crates.io.
from azeventhubs.
Thank you!
from azeventhubs.
It looks like the default credential is working well now, thank you! (I replied to that in the other issue)
from azeventhubs.
I will probably change the version number to follow that of azure_core
starting with this fix
from azeventhubs.
@jackgerrits I have something (not published on crates.io yet) that already works with AzureNamedKeyCredential
and technically should work with managed identity from azure_identity
crate. However, I've run a quick test on an azure VM which simply tries to get the managed identity and try to get token (see below), and somehow it just fails to get any credential.
// rust
use azure_identity::DefaultAzureCredential;
use azure_core::auth::TokenCredential;
const DEFAULT_SCOPE: &str = "https://eventhubs.azure.net/.default";
#[tokio::main]
async fn main() {
println!("Hello, world!");
let credential = DefaultAzureCredential::default();
let token = credential.get_token(DEFAULT_SCOPE).await.unwrap();
}
Then I tried the same thing but with dotnet sdk (the code snippet can be found below), and everything just works fine.
// dotnet
using Azure.Core;
using Azure.Identity;
var credential = new DefaultAzureCredential();
var context = new TokenRequestContext(new[] {"https://eventhubs.azure.net/.default"});
var accessToken = credential.GetToken(context);
String accessTokenString = accessToken.Token.ToString();
Console.WriteLine(accessTokenString);
This could very likely be my fault as I am not super familiar with managed identity on azure, but I wonder if there's bug with azure_identity
.
from azeventhubs.
I will make a preview release on crates.io so that you can give it a try
from azeventhubs.
Hi @jackgerrits I have made a preview release ("0.14.0-alpha") on crates.io. I want to make sure that EventHubTokenCredential
works properly with azure managed identity before making it "0.14.0"
from azeventhubs.
There seems to be a long queue on docs.rs. I will just list some example showcasing how to work with credentials in this preview release.
- Working with
AzureNamedKeyCredential
orAzureSasCredential
// You can turn `AzureNamedKeyCredential` or `AzureSasCredential` into
// `EventHubTokenCredential` and then use
// `EventHubConnection::from_namespace_and_credential`
let named_key_credential = AzureNamedKeyCredential::new(key_name, key);
// `AzureSasCredential` doesn't need the signature authorization resource
let resource = build_connection_signature_authorization_resource(transport_type, &fully_qualified_namespace, &event_hub_name).unwrap();
let shared_access_credential = SharedAccessCredential::try_from_named_key_credential(credential, resource).unwrap();
let connection = EventHubConnection::from_namespace_and_credential(
fully_qualified_namespace,
event_hub_name,
shared_access_credential,
EventHubConnectionOptions::default(),
).await.unwrap();
// Or you can use the convenience function
let named_key_credential = AzureNamedKeyCredential::new(key_name, key);
let connection = EventHubConnection::from_namespace_and_named_key_credential(
fully_qualified_namespace,
event_hub_name,
named_key_credential,
options,
).await.unwrap();
- Working with other credential types that implements
azure_core::TokenCredential
(ie. credential types provided inazure_identity
)
// `azure_identity::DefaultAzureCredential` implements `azure_core::TokenCredential`
let credential = azure_identity::DefaultAzureCredential::default();
let connection = EventHubConnection::from_namespace_and_credential(
fully_qualified_namespace,
event_hub_name,
credential,
EventHubConnectionOptions::default(),
).await.unwrap();
from azeventhubs.
Thanks! I will try it out.
from azeventhubs.
Thanks for the information. That indeed worked. But the original DEFAULT_SCOPE
was taken from the dotnet SDK, and it's kinda hard coded into the dotnet sdk for eventhubs. I will do some more research
from azeventhubs.
It seems like "https://eventhubs.azure.net/"
is used in the legacy Event Hubs SDK (https://github.com/Azure/azure-sdk-for-net/blob/fbd50bd3d03e6483a85b3f75ed194ded4c29a1e5/sdk/eventhub/Microsoft.Azure.EventHubs/src/Primitives/ManagedIdentityTokenProvider.cs#L39)
from azeventhubs.
It looks like the resource is https://eventhubs.azure.net/
and the scope would be https://eventhubs.azure.net/.default
. (see here, however resource is audience here?)
Looking at the insides of the identity module for CLI credentials it is passing the parameter that is passed through to --resource
parameter of az cli. See here
This would indicate that the resource and not scope should be used.
$ az account get-access-token --help
Command
az account get-access-token : Get a token for utilities to access Azure.
The token will be valid for at least 5 minutes with the maximum at 60 minutes. If the
subscription argument isn't specified, the current account is used.
Arguments
--name --subscription -n -s : Name or ID of subscription.
--resource : Azure resource endpoints in AAD v1.0.
--resource-type : Type of well-known resource. Allowed values: aad-graph, arm,
batch, data-lake, media, ms-graph, oss-rdbms.
--scope : Space-separated AAD scopes in AAD v2.0. Default to Azure Resource
Manager.
--tenant -t : Tenant ID for which the token is acquired. Only available for user
and service principal account, not for MSI or Cloud Shell account.
It seems like it is using AAD 1.0, and hence the reason why the .default
needs to be omitted. This matches up with this:
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-v1-app-scopes
from azeventhubs.
Ah that makes sense, great!
from azeventhubs.
I will leave this issue open for now. Feel free to close it if the new version works as expected for you :)
from azeventhubs.
Hi @jackgerrits , I opened another issue #13 which discusses whether methods like EventHubConnection::from_connection_string()
should be changed to EventHubConnection::try_from_connection_string()
(or something else), and I was wondering if you could provide some input on this?
from azeventhubs.
Related Issues (20)
- `EventPosition::SequenceNumber` seems to still start from the beginning HOT 2
- Change versioning to follow that of `azure_core`
- Rename `azeventhubs` constructor methods to reflect that a `Result` is returned HOT 4
- Breaking Changes for "0.15.0"
- Remove generic parameter `C` from `EventStream` HOT 1
- `RecoverAndReceiveError` is not exposed HOT 1
- Change error type of `EventStream` to `azure_core::Error` HOT 1
- Change visibility of the inner value of `MaxRetries` to `pub(crate)` to enforce construction via `TryFrom` HOT 1
- Hide private types from generic parameters of `EventStream` (eg. `AmqpConsumer`) HOT 1
- `TryAddError` is not exposed HOT 1
- Upcoming breaking update in dependencies `fe2o3-amqp`
- Add CI
- Open completely new link if the link is closed by remote HOT 2
- Checkpoint store support
- Cannot create either producer or consumer client with azure_identity `DefaultCredential` HOT 3
- `EventPosition` cloned from initial consumer options should not be modified during recovery
- Do not attempt link recovery if link is stolen
- Plans for 0.18
- Storing and reusing a single `EventHubConnection` HOT 21
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from azeventhubs.