Authentication with Azure AD against Azure Service Bus

[Centzilius]

Hi,
could you please consider implementing an alternative authentication method for Azure Service Bus that is not SAS.
I'd like to use Azure Managed Identites to authenticate to reduce keeping secrets on my machine.

A way to implement this would probably look similar to this:
https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/servicebus/azure-servicebus/samples/sync_samples/client_identity_authentication.py (Replacing EnvironmentCredential with either DefaultAzureCredential or ManagedIdentityCredential from the python package azure.identity).

The problem with this would probably be, how to identify that you want to authenticate with something else than a SAS but that could maybe be handled by providing specific dummy usernames in the connection string?

What do you think?

[open-collective-bot]

Hey @Centzilius 👋,
Thank you for opening an issue. We will get back to you as soon as we can.
Also, check out our Open Collective and consider backing us - every little helps!

We also offer priority support for our sponsors.
If you require immediate assistance please consider sponsoring us.

[gabloe]

Any update on this feature request?

[auvipy]

no. contributions are welcome

[marnikow]

Hi

PR #1641 solved this issue I think.

I don't know if I should open a new issue, but I noticed an inconsistency in the mentioned PR. The new documentation states to use one of these formats:

• azureservicebus://DefaultAzureIdentity@SERVICE_BUSNAMESPACE
• azureservicebus://ManagedIdentityCredential@SERVICE_BUSNAMESPACE

While the code checks for one of these formats:

• azureservicebus://DefaultAzureCredential@SERVICE_BUSNAMESPACE
• azureservicebus://ManagedIdentityCredential@SERVICE_BUSNAMESPACE

(DefaultAzureIdentity vs DefaultAzureCredential)

[marnikow]

It seems there is also another error in the code. When using DefaultAzureCredential azureservicebus.py as_uri function tries iterate over DefaultAzureCredential.

[2023-09-21 15:52:33,161: CRITICAL/MainProcess] Unrecoverable error: TypeError("argument of type 'DefaultAzureCredential' is not iterable") Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/celery/worker/worker.py", line 202, in start self.blueprint.start(self) File "/usr/local/lib/python3.8/dist-packages/celery/bootsteps.py", line 112, in start self.on_start() File "/usr/local/lib/python3.8/dist-packages/celery/apps/worker.py", line 135, in on_start self.emit_banner() File "/usr/local/lib/python3.8/dist-packages/celery/apps/worker.py", line 169, in emit_banner ' \n', self.startup_info(artlines=not use_image))), File "/usr/local/lib/python3.8/dist-packages/celery/apps/worker.py", line 230, in startup_info conninfo=self.app.connection().as_uri(), File "/usr/local/lib/python3.8/dist-packages/kombu/connection.py", line 715, in as_uri return self.transport.as_uri( File "/usr/local/lib/python3.8/dist-packages/kombu/transport/azureservicebus.py", line 478, in as_uri if ":" in credential: TypeError: argument of type 'DefaultAzureCredential' is not iterable

[auvipy]

thanks for the report and new fix

[ainscore]

One more issue with this. The documentation suggests the following url formats:

azureservicebus://SAS_POLICY_NAME:SAS_KEY@SERVICE_BUSNAMESPACE
azureservicebus://DefaultAzureCredential@SERVICE_BUSNAMESPACE
azureservicebus://ManagedIdentityCredential@SERVICE_BUSNAMESPACE

However, only the SAS auth allows you to use only the namespace, the other auth types require the full endpoint name, as implemented in this code:

kombu/kombu/transport/azureservicebus.py

Lines 144 to 154 in 9f4fd68

	if (isinstance(self._credential, DefaultAzureCredential) or
	isinstance(self._credential, ManagedIdentityCredential)):
	return None
	if ":" in self._credential:
	self._policy, self._sas_key = self._credential.split(':', 1)
	# Convert
	endpoint = 'sb://' + self._namespace
	if not endpoint.endswith('.net'):
	endpoint += '.servicebus.windows.net'

I assume we'd want them to all operate the same way...