Modify Azure Service Bus Health Check to not require a connection string with management rights


What would you like to be added:

I noticed that in order for the health check calls AddAzureServiceBusSubscription() and AddAzureServiceBusTopic() to work properly, we need to submit a connection string with management rights. I think it would be preferable if that was not required and if the health check could still be done even if the connection string only had listen or send rights.

Why is this needed: Requiring management rights goes against the principle of least privilege, I think, and it forces me to decide between the convenience of using the library at the risk of giving more access than I want to my app versus only giving it the access it needs but having to write a custom health check for the service bus.

Possible Solutions: For a connection string with listen policy, you could peek on the service bus and see if that works:

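using System.Threading.Tasks;
using Microsoft.Azure.ServiceBus;
using Microsoft.Azure.ServiceBus.Core;

private async Task<Message> PeekServiceBusMessage(string connectionString)
{
    // The connection string must include EntityPath; peeking does not lock or remove the message.
    var connectionStringBuilder = new ServiceBusConnectionStringBuilder(connectionString);
    IMessageReceiver receiver = new MessageReceiver(connectionStringBuilder);
    try { return await receiver.PeekAsync(); }
    finally { await receiver.CloseAsync(); } // release the receiver after each check
}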

For a send policy, it could be simply sending a dummy message:

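// Uses the Azure.Messaging.ServiceBus package.
try
{
    await using (var client = new ServiceBusClient(ServiceBusConnectionString))
    {
        ServiceBusSender sender = client.CreateSender(topic);
        // SendMessageAsync takes a ServiceBusMessage, not a plain object.
        await sender.SendMessageAsync(new ServiceBusMessage("health check"));
    }
}
catch (Exception e)
{
    // do something
}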

There might be more effective solutions, those are just some propositions off the top of my head.

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 8
  • Comments: 19

Top GitHub Comments

14 reactions
romek-b commented, Jul 23, 2021

This is important. An application should not include a connection string with permissions to delete a queue when it needs just to listen/send and check health.

2 reactions
vitaly-pavluk commented, Sep 23, 2022

Seems this issue is misaddressed. Need to contact Microsoft so they can handle that on their side in the Service Bus. The only workaround I found was creating a managed identity with a fine-grained permission set and using it.
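
One way to build the peek-based check proposed in the issue, written here as an added example (not code from the issue, its comments, or the health-check library). The class name ListenOnlySubscriptionHealthCheck is hypothetical; it assumes the Azure.Messaging.ServiceBus and Microsoft.Extensions.Diagnostics.HealthChecks packages, and a ServiceBusClient that the caller created from a Listen-only connection string or from a managed identity as in the workaround above.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Messaging.ServiceBus;
using Microsoft.Extensions.Diagnostics.HealthChecks;

// Hypothetical class name; added example, not the library's own health check.
// The injected client carries whatever credential the application already uses,
// so the check never needs a key with Manage rights.
public sealed class ListenOnlySubscriptionHealthCheck : IHealthCheck
{
    private readonly ServiceBusClient _client;
    private readonly string _topic;
    private readonly string _subscription;

    public ListenOnlySubscriptionHealthCheck(
        ServiceBusClient client, string topic, string subscription)
    {
        _client = client ?? throw new ArgumentNullException(nameof(client));
        _topic = topic ?? throw new ArgumentNullException(nameof(topic));
        _subscription = subscription ?? throw new ArgumentNullException(nameof(subscription));
    }

    public async Task<HealthCheckResult> CheckHealthAsync(
        HealthCheckContext context, CancellationToken cancellationToken = default)
    {
        try
        {
            // Peek is a receive-side operation: it takes no lock and leaves the
            // message in the subscription. A null result only means the
            // subscription is empty, which still proves connectivity and access.
            await using ServiceBusReceiver receiver =
                _client.CreateReceiver(_topic, _subscription);
            await receiver.PeekMessageAsync(cancellationToken: cancellationToken);
            return HealthCheckResult.Healthy();
        }
        catch (Exception ex)
        {
            // A missing entity, a rotated key, a missing Listen right or a
            // timeout all surface as exceptions; report them with the status
            // configured at registration instead of throwing.
            return new HealthCheckResult(context.Registration.FailureStatus, exception: ex);
        }
    }
}
```

Keeping one ServiceBusClient for the lifetime of the application and passing it to the check avoids opening a new connection on every probe.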
