Azure function consumer gets 401 when using connection string

Time:11-25

I'm very new to Azure mechanisms and I got stuck on this problem.

I have an Azure function which is supposed to be triggered by events published on an event hub. I set the SAS connection string obtained in the event hub Azure portal page (with "manage" grant option) and used the very same key in the EventHubTrigger annotation (it is a Java 11 function).

At first I got an error stating that the function IP was prevented from connecting, an error I got rid of by checking "allow trusted Microsoft service" in the network settings of the event hub.

Then I got a 401 unauthorized access.

After removing all IP restrictions from the event hub (making it public), it starts to listen and process the events pushed to the event hub.

Obviously I would like to put those restrictions back but the 401 exception won't stop.

What am I missing?

Edit (Adding function code):

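import com.microsoft.azure.functions.ExecutionContext;
import com.microsoft.azure.functions.annotation.Cardinality;
import com.microsoft.azure.functions.annotation.EventHubTrigger;
import com.microsoft.azure.functions.annotation.FunctionName;

public class Function {
    @FunctionName("feed-collector")
    public void run(
            // "connection" is the name of the app setting that holds the connection string
            @EventHubTrigger(name = "collect", consumerGroup = "$Default", connection = "AzureEventHubConnectionString", eventHubName = "feed-ordini", cardinality = Cardinality.MANY)
            String message,
            final ExecutionContext context
    ) {
        // Log the received event payload
        context.getLogger().info(message);
    }
}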

AzureEventHubConnectionString is defined in the application settings and its value is in the format

Endpoint=sb://[hub-host].servicebus.windows.net/;SharedAccessKeyName=[SasPolicyName];SharedAccessKey=[primarykey]

CodePudding user response:

As per the documentation,

The rights provided by the policy rule can be a combination of:

  • Send – Gives the right to send messages to the entity
  • Listen – Gives the right to listen or receive to the entity
  • Manage – Gives the right to manage the topology of the namespace, including creation and deletion of entities

In your case, since your function is listening on events from the event hub, you should use a listen policy SAS.

CodePudding user response:

SAS Policy gives the granular scope only at the entity level and not at the consumer level.

It means the privileges defined at the namespace level or the event hub instance or topic level will be applied to the consumer group of that entity.

> I set the sas connection string obtained in the event hub azure portal page (with "manage" grant option)

Event Hubs token authentication requires its clients to have either the manage rights or the listen privileges assigned to its Event Hubs namespace, event hub instance, or topic.

For the Java code for generating a signature (SAS token) from a policy, refer here.

To read the detailed information about the policy rules like Send, Listen and Manage, limit of rules applied to the namespace or entity policy and the best practices when using SAS, please have a look at this Microsoft documentation.
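
Added example, not part of the original answers or of the documentation they link to: a Java 11 sketch that parses a connection string in the format shown in the question and derives a SAS token from the policy key, using the `sr`/`sig`/`se`/`skn` token layout. The namespace, policy name and key are constructed placeholders, and the class and method names are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SasTokenExample {

    // Split "Endpoint=...;SharedAccessKeyName=...;SharedAccessKey=..." into its parts.
    static Map<String, String> parse(String connectionString) {
        Map<String, String> parts = new HashMap<>();
        for (String pair : connectionString.split(";")) {
            int eq = pair.indexOf('='); // keys can end in '=' (base64 padding): split on the first one only
            if (eq > 0) parts.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return parts;
    }

    // sr = resource, sig = HMAC-SHA256 over "<encoded uri>\n<expiry>", se = expiry,
    // skn = policy name, so the token carries only that policy's rights (Send/Listen/Manage).
    static String sasToken(String resourceUri, String keyName, String key, long expiry) throws Exception {
        String encodedUri = URLEncoder.encode(resourceUri, StandardCharsets.UTF_8);
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] sig = hmac.doFinal((encodedUri + "\n" + expiry).getBytes(StandardCharsets.UTF_8));
        return "SharedAccessSignature sr=" + encodedUri
                + "&sig=" + URLEncoder.encode(Base64.getEncoder().encodeToString(sig), StandardCharsets.UTF_8)
                + "&se=" + expiry + "&skn=" + keyName;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; not a real namespace, policy, or key.
        String cs = "Endpoint=sb://example-ns.servicebus.windows.net/;"
                + "SharedAccessKeyName=listen-only;SharedAccessKey=c2FtcGxlLWtleS1ub3QtcmVhbA==";
        Map<String, String> p = parse(cs);
        String resource = p.get("Endpoint") + "feed-ordini"; // event hub name from the question
        long expiry = Instant.now().getEpochSecond() + 3600;  // short lifetime: one hour
        System.out.println(sasToken(resource, p.get("SharedAccessKeyName"), p.get("SharedAccessKey"), expiry));
    }
}
```

Because the signature is keyed by the policy's secret and the token names that policy in `skn`, a token minted from a Listen-only policy cannot be used to send or manage, which limits the impact if the connection string leaks.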
