Does Service Bus Trigger for Azure Function need Manage access rights to Service Bus Queue/Topic?

Question

I have found 2 documents from Microsoft that seem (to me at least) to give a conflicting information on whether I should use Listen or Manage access rights.

Scale efficiency: For Service Bus triggers, use Manage rights on resources for the most efficient scaling. With Listen rights, scaling isn't as accurate because the queue length can't be used to inform scaling decisions. To learn more about setting rights in Service Bus access policies, see Shared Access Authorization Policy. For Event Hub triggers, see the scaling guidance in the reference article.

From Event-driven scaling in Azure Functions documentation.

Access rights for the connection string. Available values are manage and listen. The default is manage, which indicates that the connection has the Manage permission. If you use a connection string that does not have the Manage permission, set accessRights to "listen". Otherwise, the Functions runtime might fail trying to do operations that require manage rights. In Azure Functions version 2.x and higher, this property is not available because the latest version of the Service Bus SDK doesn't support manage operations.

From Azure Service Bus trigger for Azure Functions documentation.

What I read from this is that the first says it's better to use Manage access rights, but the second one says it's not even supported. The second doc is not very clear, but it seems that Listen is the only option now.

Do I understand something wrong or it's the documentation that is misleading here? Is it worth giving manage access rights or it won't affect anything as the second documentation seem to mean?

Answer 1

It seems even though Listen should be enough, it is not in Service Bus Trigger case. I first got a message from Azure Support as well that Listen is enough, and it mostly worked. But once a week during rescaling/restarting of app service I got a dead lettered message that never reached my function. The infrastructure in Azure failed, and I got a reply from Microsoft that I need to turn on Manage rights, as these rights missing is what caused this (function infrastructure for some reason tries to preform a manage operation and fails handling a message 10 times in a row).

So even though Manage should be optional, it seems there are some problem that make it mandatory in reality. I do believe this is a bug in the Azure infrastructure though.

Answer 2

Listen rights should be enough, Manage rights will only cause difference in the sensitivity of scale controller's scale out/in behavior which is mentioned to be "more efficient" in official document; it doesn’t mean Listen right will not work at all regarding scaling.

Internally, scale controller has a lot of rules to determine if more workers should be assigned to function app; besides the rule from Manage rights, if you are using Listen rights, the rest of the scale in/out rules for dynamic function app still applies(e.g. when the message's queue length is increasing, etc).

Your function app's overall scale out behaviour should not be significantly affected if you are considering which rights is the correct one to use, Manage rights just brings one more scale in/out rule.

Answer 3

Listen should be the only thing the Function needs - especially assuming you will not deploy a v1 Function anymore.