MatiasK

Reputation: 756

How do I use MSI to access a Service Bus from a VMSS in Azure

My console application is running on a VM in an Azure Scale Set but is not able to connect to an Azure Service Bus using the VMSS Managed Service Identity.

An exception is thrown when it attempts to acquire an access token via TokenProvider.CreateManagedServiceIdentityTokenProvider().

  1. The Identity (System Assigned) is enabled on the Virtual Machine Scale Set (VMSS).
  2. The VMSS Identity is assigned the role Azure Service Bus Data Owner on the Service Bus Namespace.

Is there a step or requirement that I am missing?

Sample code

using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.ServiceBus;
using Microsoft.Azure.ServiceBus.Primitives;

// No connection string: the token is acquired through the VMSS system-assigned identity
var sbEndpoint = "sb://mysbnamespace.servicebus.windows.net/";
var sbQueueName = "myqueue";
var tokenProvider = TokenProvider.CreateManagedServiceIdentityTokenProvider();
var sendClient = new QueueClient( sbEndpoint, sbQueueName, tokenProvider );

await sendClient.SendAsync( new Message( Encoding.UTF8.GetBytes( "abc 123" )));

Exception

Parameters: Connectionstring: [No connection string specified], Resource: https://servicebus.azure.net/, Authority: .
Exception Message: Tried the following 4 methods to get an access token, but none of them worked.

Parameters: Connectionstring: [No connection string specified], Resource: https://servicebus.azure.net/, Authority: .
Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.

Parameters: Connectionstring: [No connection string specified], Resource: https://servicebus.azure.net/, Authority: .
Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\Users\makr\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json"

Parameters: Connectionstring: [No connection string specified], Resource: https://servicebus.azure.net/, Authority: .
Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. ERROR: Please run 'az login' to setup account.

Parameters: Connectionstring: [No connection string specified], Resource: https://servicebus.azure.net/, Authority: https://login.microsoftonline.com/common. 
Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. get_user_name_failed: Failed to get user name

Inner Exception : No mapping between account names and security IDs was done

   at Microsoft.Azure.ServiceBus.Core.MessageSender.<OnSendAsync>d__52.MoveNext() in C:\source\azure-service-bus-dotnet\src\Microsoft.Azure.ServiceBus\Core\MessageSender.cs:line 567
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ServiceBus.RetryPolicy.<RunOperation>d__19.MoveNext() in C:\source\azure-service-bus-dotnet\src\Microsoft.Azure.ServiceBus\RetryPolicy.cs:line 82
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Azure.ServiceBus.RetryPolicy.<RunOperation>d__19.MoveNext() in C:\source\azure-service-bus-dotnet\src\Microsoft.Azure.ServiceBus\RetryPolicy.cs:line 107
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ServiceBus.Core.MessageSender.<SendAsync>d__39.MoveNext() in C:\source\azure-service-bus-dotnet\src\Microsoft.Azure.ServiceBus\Core\MessageSender.cs:line 266
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at AzureServiceBusManagedSystemIdentity.Program.<TestSbMsi>d__10.MoveNext()
======================================================

packages.config (with the NuGet packages that made the MSI auth work)

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Microsoft.Azure.Amqp" version="2.4.2" targetFramework="net472" />
  <package id="Microsoft.Azure.ServiceBus" version="3.4.0" targetFramework="net472" />
  <package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="4.5.1" targetFramework="net472" />
  <package id="Microsoft.IdentityModel.JsonWebTokens" version="5.4.0" targetFramework="net472" />
  <package id="Microsoft.IdentityModel.Logging" version="5.4.0" targetFramework="net472" />
  <package id="Microsoft.IdentityModel.Tokens" version="5.4.0" targetFramework="net472" />
  <package id="Newtonsoft.Json" version="12.0.2" targetFramework="net472" />
  <package id="System.Diagnostics.DiagnosticSource" version="4.5.1" targetFramework="net472" />
  <package id="System.IdentityModel.Tokens.Jwt" version="5.4.0" targetFramework="net472" />
  <package id="System.IO" version="4.3.0" targetFramework="net472" />
  <package id="System.Net.WebSockets" version="4.3.0" targetFramework="net472" />
  <package id="System.Net.WebSockets.Client" version="4.3.2" targetFramework="net472" />
  <package id="System.Runtime" version="4.3.1" targetFramework="net472" />
  <package id="System.Runtime.Serialization.Primitives" version="4.3.0" targetFramework="net472" />
  <package id="System.Security.Cryptography.Algorithms" version="4.3.1" targetFramework="net472" />
  <package id="System.Security.Cryptography.Encoding" version="4.3.0" targetFramework="net472" />
  <package id="System.Security.Cryptography.Primitives" version="4.3.0" targetFramework="net472" />
  <package id="System.Security.Cryptography.X509Certificates" version="4.3.2" targetFramework="net472" />
</packages>

Upvotes: 1

Views: 903

Answers (2)

MatiasK

Reputation: 756

Updating the NuGet packages to the latest versions that were compatible with each other solved the problem; see the package list in the OP.

Thanks @Varun for steering me towards an obvious solution.

Upvotes: 0

Varun Sharma

Reputation: 598

As per the exception message, it looks like Managed Identity is not enabled on the VMSS. How did you verify that it is enabled?

Also, can you please specify which Service Bus NuGet package you are using, and what version?

Upvotes: 1
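The answer above asks how the identity was verified. The exception in the question ("Unable to connect to the Managed Service Identity (MSI) endpoint") can mean either that the SDK version cannot reach the endpoint or that the identity is genuinely not present on the instance the code runs on. Below is an added diagnostic, written for this edit in Python and not code from the poster or from Microsoft, that separates the two: run on the VMSS instance itself, it asks the Azure Instance Metadata Service (IMDS) for a token for the Service Bus resource, independent of any .NET package, then decodes the returned JWT's claims and reports the audience, expiry and the `oid` (the principal that must hold the Azure Service Bus Data Owner role on the namespace). The IMDS URL, the `Metadata: true` header, the `api-version` and the resource URI `https://servicebus.azure.net/` are the documented Azure values; the sample token response is constructed so the claim checks run offline. The JWT payload is decoded without signature verification, so this is a diagnostic only, never an authorisation decision. Since the identity is part of the scale-set model, an instance that has not been upgraded to the latest model is also worth checking when IMDS answers with an error on one instance but not another.

```python
"""Added diagnostic (not from the original post): verify from inside a VMSS
instance that the system-assigned identity can obtain a Service Bus token.
IMDS URL, header, api-version and resource URI are documented Azure values;
the sample token response below is constructed for offline use."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
SERVICE_BUS_RESOURCE = "https://servicebus.azure.net/"


def build_imds_request(resource=SERVICE_BUS_RESOURCE):
    """Build the IMDS token request. The Metadata header is mandatory:
    IMDS rejects requests without it (a mitigation against SSRF-driven token theft)."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def fetch_msi_token(resource=SERVICE_BUS_RESOURCE, timeout=5.0):
    """Call IMDS. Only succeeds on an Azure VM/VMSS instance that has an identity;
    a connection failure here is the raw form of the SDK's 'Unable to connect to
    the MSI endpoint' message."""
    try:
        with urllib.request.urlopen(build_imds_request(resource), timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        # An HTTP error with a JSON error body usually means the instance has no
        # identity (e.g. identity added to the VMSS model, instance not upgraded).
        body = e.read().decode(errors="replace")
        raise RuntimeError(f"IMDS returned HTTP {e.code}: {body}") from e
    except (urllib.error.URLError, OSError) as e:
        raise RuntimeError(f"IMDS endpoint unreachable: {e}") from e


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token_response, expected_resource=SERVICE_BUS_RESOURCE, now=None):
    """Summarise what Service Bus RBAC will see. 'principal_oid' must be the
    object id of the VMSS identity that holds the Data Owner role assignment."""
    claims = decode_jwt_claims(token_response["access_token"])
    now = time.time() if now is None else now
    # Azure AD issues the audience without the trailing slash; compare loosely.
    aud_ok = str(claims.get("aud", "")).rstrip("/") == expected_resource.rstrip("/")
    return {
        "audience_ok": aud_ok,
        "expired": float(claims.get("exp", 0)) <= now,
        "principal_oid": claims.get("oid"),
        "app_id": claims.get("appid"),
        "tenant": claims.get("tid"),
        "resource_reported": token_response.get("resource"),
    }


def make_sample_token_response(exp, aud=SERVICE_BUS_RESOURCE):
    """CONSTRUCTED sample in the JSON shape IMDS returns, for offline runs.
    The signature segment is junk; decode_jwt_claims never checks it."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    payload = {
        "aud": aud,
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "exp": exp,
        "oid": "11111111-1111-1111-1111-111111111111",   # hypothetical VMSS principal
        "appid": "22222222-2222-2222-2222-222222222222",  # hypothetical app id
        "tid": "00000000-0000-0000-0000-000000000000",   # hypothetical tenant
    }
    token = f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2ln"
    return {"access_token": token, "expires_on": str(exp), "resource": aud, "token_type": "Bearer"}


if __name__ == "__main__":
    # On a VMSS instance: fetch a real token and print what the namespace will see.
    print(json.dumps(check_token(fetch_msi_token()), indent=2))
```

If IMDS is unreachable or returns an error on the instance, the identity is not available there and no SDK version will fix it; if a token with `audience_ok` comes back but `SendAsync` still fails, the problem is on the Service Bus side (role assignment on the wrong scope or principal, or propagation delay), and the printed `principal_oid` is the value to compare against the role assignment on the namespace.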
