title: Managed Service Identity with Azure Event Hubs preview | Microsoft Docs
3
-
description: Use Managed Service Identities with Azure Event Hubs
2
+
title: Managed identities for Azure resources with Azure Event Hubs preview | Microsoft Docs
3
+
description: Use Managed identities for Azure resources with Azure Event Hubs
4
4
services: event-hubs
5
5
documentationcenter: na
6
6
author: ShubhaVijayasarathy
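Review bot: the new front-matter `title` keeps the word "preview" ("Managed identities for Azure resources with Azure Event Hubs preview | Microsoft Docs") while the H1 this same change introduces further down ("# Managed identities for Azure resources with Event Hubs") drops it; pick one so the page heading, browser tab and search result agree, and if the Event Hubs integration is still in preview keep the qualifier in both places. Minor: the `title` and `description` write "Managed identities for Azure resources" mid-sentence, whereas the body text of this change uses lowercase "managed identities for Azure resources" when it is not at the start of a sentence; align the casing.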
@@ -14,29 +14,33 @@ ms.author: shvija
14
14
15
15
---
16
16
17
-
# Managed Service Identity (preview)
17
+
# Managed identities for Azure resources with Event Hubs
18
18
19
-
A Managed Service Identity (MSI) is a cross-Azure feature that enables you to create a secure identity associated with the deployment under which your application code runs. You can then associate that identity with access-control roles that grant custom permissions for accessing specific Azure resources that your application needs.
19
+
[Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) is a cross-Azure feature that enables you to create a secure identity associated with the deployment under which your application code runs. You can then associate that identity with access-control roles that grant custom permissions for accessing specific Azure resources that your application needs.
20
20
21
-
With MSI, the Azure platform manages this runtime identity. You do not need to store and protect access keys in your application code or configuration, either for the identity itself, or for the resources you need to access. An Event Hubs client app running inside an Azure App Service application or in a virtual machine with enabled MSI support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Event Hubs namespace. When the app connects, Event Hubs binds the MSI context to the client in an operation that is shown in an example later in this article.
21
+
With managed identities, the Azure platform manages this runtime identity. You do not need to store and protect access keys in your application code or configuration, either for the identity itself, or for the resources you need to access. An Event Hubs client app running inside an Azure App Service application or in a virtual machine with managed identities for Azure resources support enabled does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Event Hubs namespace. When the app connects, Event Hubs binds the managed identity's context to the client in an operation that is shown in an example later in this article.
22
22
23
-
Once it is associated with a managed service identity, an Event Hubs client can perform all authorized operations. Authorization is granted by associating an MSI with Event Hubs roles.
23
+
Once it is associated with a managed identity, an Event Hubs client can do all authorized operations. Authorization is granted by associating a managed identity with Event Hubs roles.
24
24
25
25
## Event Hubs roles and permissions
26
26
27
-
For the initial public preview release, you can only add a managed service identity to the "Owner" or "Contributor" roles of an Event Hubs namespace, which grants the identity full control on all entities in the namespace. However, management operations that change the namespace topology are initially supported only though Azure Resource Manager and not through the native Event Hubs REST management interface. This support also means that you cannot use the .NET Framework client [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) object within a managed service identity.
27
+
You can only add a managed identity to the "Owner" or "Contributor" roles of an Event Hubs namespace, which grants the identity full control on all entities in the namespace. However, management operations that change the namespace topology are initially supported only though Azure Resource Manager. It's not through the native Event Hubs REST management interface. This support also means that you cannot use the .NET Framework client [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) object within a managed identity.
28
28
29
-
## Use Event Hubs with a Managed Service Identity
29
+
## Use Event Hubs with managed identities for Azure Resources
30
30
31
-
The following section describes the steps required to create and deploy a sample application that runs under a managed service identity, how to grant that identity access to an Event Hubs namespace, and how the application interacts with event hubs using that identity.
31
+
The following section describes the following steps:
32
+
33
+
1. Create and deploy a sample application that runs under a managed identity.
34
+
2. Grant that identity access to an Event Hubs namespace.
35
+
3. How the application interacts with event hubs using that identity.
32
36
33
37
This introduction describes a web application hosted in [Azure App Service](https://azure.microsoft.com/services/app-service/). The steps required for a VM-hosted application are similar.
34
38
35
39
### Create an App Service web application
36
40
37
41
The first step is to create an App Service ASP.NET application. If you're not familiar with how to do this in Azure, follow [this how-to guide](../app-service/app-service-web-get-started-dotnet-framework.md). However, instead of creating an MVC application as shown in the tutorial, create a Web Forms application.
38
42
39
-
### Set up the managed service identity
43
+
### Set up the managed identity
40
44
41
45
Once you create the application, navigate to the newly created web app in the Azure portal (also shown in the how-to), then navigate to the **Managed Service Identity** page, and enable the feature:
42
46
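Review bot: the rewritten roles paragraph carries over the typo "though" (should be "through") and, by splitting the sentence into "...supported only though Azure Resource Manager. It's not through the native Event Hubs REST management interface.", loses the contrast the original sentence made; suggest one sentence: "However, management operations that change the namespace topology are initially supported only through Azure Resource Manager, not through the native Event Hubs REST management interface." The same paragraph says the identity can only be placed in the Owner or Contributor role, "which grants the identity full control on all entities in the namespace"; it would help readers to state plainly that no narrower role is available yet, so they understand the scope of access the application (and anything that compromises it) inherits. Two smaller points in the new text: the heading "## Use Event Hubs with managed identities for Azure Resources" capitalizes "Resources" while the rest of the change writes "Azure resources", and the new numbered list is not parallel (items 1 and 2 are imperatives, "Create..." and "Grant...", but item 3 is the noun phrase "How the application interacts..."); also "The following section describes the following steps:" repeats "following". Finally, the unchanged context line still tells the reader to open the **Managed Service Identity** page in the portal; if that blade was renamed along with the feature, this step needs the new name too.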
@@ -46,32 +50,29 @@ Once you've enabled the feature, a new service identity is created in your Azure
46
50
47
51
### Create a new Event Hubs namespace
48
52
49
-
Next, [create an Event Hubs namespace](event-hubs-create.md) in one of the Azure regions that has preview support for MSI: **US East**, **US East 2**, or **West Europe**.
53
+
Next, [create an Event Hubs namespace](event-hubs-create.md) in one of the Azure regions that has preview support for managed identities for Azure resources: **US East**, **US East 2**, or **West Europe**.
50
54
51
-
Navigate to the namespace **Access Control (IAM)** page on the portal, and then click **Add** to add the managed service identity to the **Owner** role. To do so, search for the name of the web application in the **Add permissions** panel **Select** field, and then click the entry. Then click **Save**.
55
+
Navigate to the namespace **Access Control (IAM)** page on the portal, and then click **Add** to add the managed identity to the **Owner** role. To do so, search for the name of the web application in the **Add permissions** panel **Select** field, and then click the entry. Then click **Save**.
The managed service identity for the web application now has access to the Event Hubs namespace, and to the event hub you previously created.
59
+
The managed identity for the web application now has access to the Event Hubs namespace, and to the event hub you previously created.
56
60
57
61
### Run the app
58
62
59
63
Now modify the default page of the ASP.NET application you created. You can also use the web application code from [this GitHub repository](https://github.com/Azure/azure-event-hubs/tree/master/samples/DotNet/MSI/EventHubsMSIDemoWebApp).
60
64
61
-
>[!NOTE]
62
-
> While the MSI feature is in preview, be sure to use the [preview version of the Service Bus library](https://www.nuget.org/packages/WindowsAzure.ServiceBus/4.2.2-preview) in order to access the new APIs.
63
-
64
-
Once you start the app, point your browser to EventHubsMSIDemo.aspx. Alternatively, set it as your start page. The code can be found in the EventHubsMSIDemo.aspx.cs file. The result is a minimal web application with a few entry fields, and with **send** and **receive** buttons that connect to Event Hubs to either send or receive events.
65
+
Once you start the app, point your browser to EventHubsMSIDemo.aspx. You can also set it as your start page. The code can be found in the EventHubsMSIDemo.aspx.cs file. The result is a minimal web application with a few entry fields, and with **send** and **receive** buttons that connect to Event Hubs to either send or receive events.
65
66
66
-
Note how the [MessagingFactory](/dotnet/api/microsoft.servicebus.messaging.messagingfactory) object is initialized. Instead of using the Shared Access Token (SAS) token provider, the code creates a token provider for the managed service identity with the `TokenProvider.CreateManagedServiceIdentityTokenProvider(ServiceAudience.EventHubAudience)` call. As such, there are no secrets to retain and use. The flow of the managed service identity context to Event Hubs and the authorization handshake are automatically handled by the token provider, which is a simpler model than using SAS.
67
+
Note how the [MessagingFactory](/dotnet/api/microsoft.servicebus.messaging.messagingfactory) object is initialized. Instead of using the Shared Access Token (SAS) token provider, the code creates a token provider for the managed identity with the `TokenProvider.CreateManagedServiceIdentityTokenProvider(ServiceAudience.EventHubAudience)` call. As such, there are no secrets to save and use. The flow of the managed identity context to Event Hubs and the authorization handshake are automatically handled by the token provider, which is a simpler model than using SAS.
67
68
68
-
Once you have made these changes, publish and run the application. An easy way to obtain the correct publishing data is to download and then import a publishing profile in Visual Studio:
69
+
After you make these changes, publish and run the application. You can get the correct publishing data by downloading and then importing a publishing profile in Visual Studio:
To send or receive messages, enter the name of the namespace and the name of the entity you created, then click either **send** or **receive**.
73
74
74
-
Note that the managed service identity only works inside the Azure environment, and only in the App Service deployment in which you configured it. Also note that managed service identities do not work with App Service deployment slots at this time.
75
+
The managed identity works only inside the Azure environment, and only in the App Service deployment in which you configured it. Managed identities do not work with App Service deployment slots at this time.
75
76
76
77
## Next steps
77
78
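Review bot: the rewritten MessagingFactory paragraph still expands the acronym as "Shared Access Token (SAS) token provider"; SAS stands for Shared Access Signature, and "token" is repeated, so write "Instead of using the Shared Access Signature (SAS) token provider". This hunk also deletes the note telling readers to use the preview version of the Service Bus library to get the new APIs, yet the paragraph still relies on `TokenProvider.CreateManagedServiceIdentityTokenProvider(ServiceAudience.EventHubAudience)` and the sample link still points at the `samples/DotNet/MSI/EventHubsMSIDemoWebApp` folder; if the API now ships in a non-preview package, say which package version is required in place of the removed note, otherwise keep the note. Lastly, the closing paragraph's constraint that managed identities do not work with App Service deployment slots is easy to miss at the end of the article; consider repeating it, or moving it, to the "Set up the managed identity" step where the reader chooses where to enable the feature.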
@@ -80,4 +81,4 @@ For more information about Event Hubs, visit the following links:
80
81
* Get started with an [Event Hubs tutorial](event-hubs-dotnet-standard-getstarted-send.md)