0
# Authorization and Security
1
2
Access control through authorization rules, access key management, private endpoint configuration, and network security rules. Service Bus provides comprehensive security features including Shared Access Signature (SAS) authentication, Azure Active Directory integration, network isolation, and encryption.
3
4
## Capabilities
5
6
### Shared Access Signature (SAS) Authorization
7
8
Manage authorization rules with granular access rights for different scenarios and applications.
9
10
```python { .api }
11
def list_authorization_rules(
12
self,
13
resource_group_name: str,
14
namespace_name: str
15
) -> ItemPaged[SBAuthorizationRule]:
16
"""List authorization rules for a namespace.
17
18
Args:
19
resource_group_name (str): Name of the resource group.
20
namespace_name (str): Name of the namespace.
21
22
Returns:
23
ItemPaged[SBAuthorizationRule]: Iterable of authorization rules.
24
"""
25
26
def create_or_update_authorization_rule(
27
self,
28
resource_group_name: str,
29
namespace_name: str,
30
authorization_rule_name: str,
31
parameters: SBAuthorizationRule
32
) -> SBAuthorizationRule:
33
"""Create or update an authorization rule.
34
35
Args:
36
resource_group_name (str): Name of the resource group.
37
namespace_name (str): Name of the namespace.
38
authorization_rule_name (str): Name of the authorization rule.
39
parameters (SBAuthorizationRule): Authorization rule configuration.
40
41
Returns:
42
SBAuthorizationRule: The created or updated authorization rule.
43
"""
44
45
def get_authorization_rule(
46
self,
47
resource_group_name: str,
48
namespace_name: str,
49
authorization_rule_name: str
50
) -> SBAuthorizationRule:
51
"""Get an authorization rule.
52
53
Args:
54
resource_group_name (str): Name of the resource group.
55
namespace_name (str): Name of the namespace.
56
authorization_rule_name (str): Name of the authorization rule.
57
58
Returns:
59
SBAuthorizationRule: The authorization rule.
60
"""
61
62
def delete_authorization_rule(
63
self,
64
resource_group_name: str,
65
namespace_name: str,
66
authorization_rule_name: str
67
) -> None:
68
"""Delete an authorization rule.
69
70
Args:
71
resource_group_name (str): Name of the resource group.
72
namespace_name (str): Name of the namespace.
73
authorization_rule_name (str): Name of the authorization rule.
74
"""
75
```
76
77
### Access Key Management
78
79
Generate, retrieve, and regenerate access keys for secure authentication to Service Bus resources.
80
81
```python { .api }
82
def list_keys(
83
self,
84
resource_group_name: str,
85
namespace_name: str,
86
authorization_rule_name: str
87
) -> AccessKeys:
88
"""Get access keys for an authorization rule.
89
90
Args:
91
resource_group_name (str): Name of the resource group.
92
namespace_name (str): Name of the namespace.
93
authorization_rule_name (str): Name of the authorization rule.
94
95
Returns:
96
AccessKeys: Primary and secondary keys with connection strings.
97
"""
98
99
def regenerate_keys(
100
self,
101
resource_group_name: str,
102
namespace_name: str,
103
authorization_rule_name: str,
104
parameters: RegenerateAccessKeyParameters
105
) -> AccessKeys:
106
"""Regenerate access keys for an authorization rule.
107
108
Args:
109
resource_group_name (str): Name of the resource group.
110
namespace_name (str): Name of the namespace.
111
authorization_rule_name (str): Name of the authorization rule.
112
parameters (RegenerateAccessKeyParameters): Key regeneration parameters.
113
114
Returns:
115
AccessKeys: New access keys with connection strings.
116
"""
117
```
118
119
### Private Endpoint Configuration
120
121
Manage private endpoint connections for secure network access to Service Bus namespaces.
122
123
```python { .api }
124
def list(
125
self,
126
resource_group_name: str,
127
namespace_name: str
128
) -> ItemPaged[PrivateEndpointConnection]:
129
"""List private endpoint connections for a namespace.
130
131
Args:
132
resource_group_name (str): Name of the resource group.
133
namespace_name (str): Name of the namespace.
134
135
Returns:
136
ItemPaged[PrivateEndpointConnection]: Iterable of private endpoint connections.
137
"""
138
139
def create_or_update(
140
self,
141
resource_group_name: str,
142
namespace_name: str,
143
private_endpoint_connection_name: str,
144
parameters: PrivateEndpointConnection
145
) -> PrivateEndpointConnection:
146
"""Create or update a private endpoint connection.
147
148
Args:
149
resource_group_name (str): Name of the resource group.
150
namespace_name (str): Name of the namespace.
151
private_endpoint_connection_name (str): Name of the private endpoint connection.
152
parameters (PrivateEndpointConnection): Connection configuration.
153
154
Returns:
155
PrivateEndpointConnection: The private endpoint connection.
156
"""
157
158
def get(
159
self,
160
resource_group_name: str,
161
namespace_name: str,
162
private_endpoint_connection_name: str
163
) -> PrivateEndpointConnection:
164
"""Get a private endpoint connection.
165
166
Args:
167
resource_group_name (str): Name of the resource group.
168
namespace_name (str): Name of the namespace.
169
private_endpoint_connection_name (str): Name of the private endpoint connection.
170
171
Returns:
172
PrivateEndpointConnection: The private endpoint connection.
173
"""
174
175
def delete(
176
self,
177
resource_group_name: str,
178
namespace_name: str,
179
private_endpoint_connection_name: str
180
) -> None:
181
"""Delete a private endpoint connection.
182
183
Args:
184
resource_group_name (str): Name of the resource group.
185
namespace_name (str): Name of the namespace.
186
private_endpoint_connection_name (str): Name of the private endpoint connection.
187
"""
188
```
189
190
### Private Link Resources
191
192
Discover available private link resources for network integration.
193
194
```python { .api }
195
def get(
196
self,
197
resource_group_name: str,
198
namespace_name: str
199
) -> PrivateLinkResourcesListResult:
200
"""Get private link resources for a namespace.
201
202
Args:
203
resource_group_name (str): Name of the resource group.
204
namespace_name (str): Name of the namespace.
205
206
Returns:
207
PrivateLinkResourcesListResult: Available private link resources.
208
"""
209
```
210
211
### Network Rule Set Management
212
213
Configure IP filtering and virtual network access rules for namespace-level security.
214
215
```python { .api }
216
def create_or_update_network_rule_set(
217
self,
218
resource_group_name: str,
219
namespace_name: str,
220
parameters: NetworkRuleSet
221
) -> NetworkRuleSet:
222
"""Create or update network rule set for a namespace.
223
224
Args:
225
resource_group_name (str): Name of the resource group.
226
namespace_name (str): Name of the namespace.
227
parameters (NetworkRuleSet): Network rule configuration.
228
229
Returns:
230
NetworkRuleSet: The network rule set.
231
"""
232
233
def get_network_rule_set(
234
self,
235
resource_group_name: str,
236
namespace_name: str
237
) -> NetworkRuleSet:
238
"""Get network rule set for a namespace.
239
240
Args:
241
resource_group_name (str): Name of the resource group.
242
namespace_name (str): Name of the namespace.
243
244
Returns:
245
NetworkRuleSet: Current network rule set.
246
"""
247
```
248
249
## Usage Examples
250
251
### Creating Authorization Rules with Different Access Rights
252
253
```python
254
from azure.mgmt.servicebus import ServiceBusManagementClient
255
from azure.mgmt.servicebus.models import SBAuthorizationRule, AccessRights
256
from azure.identity import DefaultAzureCredential
257
258
client = ServiceBusManagementClient(DefaultAzureCredential(), subscription_id)
259
260
# Create a send-only authorization rule for message producers
261
send_only_rule = SBAuthorizationRule(
262
rights=[AccessRights.SEND]
263
)
264
265
producer_auth = client.namespaces.create_or_update_authorization_rule(
266
resource_group_name="my-resource-group",
267
namespace_name="my-servicebus-namespace",
268
authorization_rule_name="ProducerPolicy",
269
parameters=send_only_rule
270
)
271
272
# Create a listen-only authorization rule for message consumers
273
listen_only_rule = SBAuthorizationRule(
274
rights=[AccessRights.LISTEN]
275
)
276
277
consumer_auth = client.namespaces.create_or_update_authorization_rule(
278
resource_group_name="my-resource-group",
279
namespace_name="my-servicebus-namespace",
280
authorization_rule_name="ConsumerPolicy",
281
parameters=listen_only_rule
282
)
283
284
# Create a full-access authorization rule for administrative tasks
285
admin_rule = SBAuthorizationRule(
286
rights=[AccessRights.MANAGE, AccessRights.SEND, AccessRights.LISTEN]
287
)
288
289
admin_auth = client.namespaces.create_or_update_authorization_rule(
290
resource_group_name="my-resource-group",
291
namespace_name="my-servicebus-namespace",
292
authorization_rule_name="AdminPolicy",
293
parameters=admin_rule
294
)
295
296
print("Authorization rules created successfully")
297
```
298
299
### Managing Access Keys and Connection Strings
300
301
```python
302
from azure.mgmt.servicebus.models import RegenerateAccessKeyParameters, KeyType
303
304
# Get access keys for an authorization rule
305
keys = client.namespaces.list_keys(
306
resource_group_name="my-resource-group",
307
namespace_name="my-servicebus-namespace",
308
authorization_rule_name="ProducerPolicy"
309
)
310
311
print(f"Primary connection string: {keys.primary_connection_string}")
312
print(f"Secondary connection string: {keys.secondary_connection_string}")
313
print(f"Primary key: {keys.primary_key}")
314
print(f"Secondary key: {keys.secondary_key}")
315
316
# Regenerate the primary key
317
regenerate_params = RegenerateAccessKeyParameters(
318
key_type=KeyType.PRIMARY_KEY
319
)
320
321
new_keys = client.namespaces.regenerate_keys(
322
resource_group_name="my-resource-group",
323
namespace_name="my-servicebus-namespace",
324
authorization_rule_name="ProducerPolicy",
325
parameters=regenerate_params
326
)
327
328
print(f"New primary key: {new_keys.primary_key}")
329
330
# Regenerate with custom key value
331
custom_regenerate_params = RegenerateAccessKeyParameters(
332
key_type=KeyType.SECONDARY_KEY,
333
key="my-custom-key-value-here" # Optional custom key
334
)
335
336
custom_keys = client.namespaces.regenerate_keys(
337
resource_group_name="my-resource-group",
338
namespace_name="my-servicebus-namespace",
339
authorization_rule_name="ProducerPolicy",
340
parameters=custom_regenerate_params
341
)
342
```
343
344
### Configuring Network Security Rules
345
346
```python
347
from azure.mgmt.servicebus.models import (
348
NetworkRuleSet,
349
DefaultAction,
350
NWRuleSetIpRules,
351
NetworkRuleIPAction,
352
NWRuleSetVirtualNetworkRules
353
)
354
355
# Configure IP-based access control
356
ip_rules = [
357
NWRuleSetIpRules(
358
ip_mask="203.0.113.0/24", # Allow entire subnet
359
action=NetworkRuleIPAction.ALLOW
360
),
361
NWRuleSetIpRules(
362
ip_mask="198.51.100.42", # Allow specific IP
363
action=NetworkRuleIPAction.ALLOW
364
)
365
]
366
367
# Configure virtual network rules
368
vnet_rules = [
369
NWRuleSetVirtualNetworkRules(
370
subnet=Subnet(
371
id="/subscriptions/{subscription-id}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}"
372
),
373
ignore_missing_vnet_service_endpoint=False
374
)
375
]
376
377
# Create network rule set
378
network_rules = NetworkRuleSet(
379
trusted_service_access_enabled=True, # Allow trusted Azure services
380
default_action=DefaultAction.DENY, # Deny by default, allow only specified IPs/VNets
381
ip_rules=ip_rules,
382
virtual_network_rules=vnet_rules
383
)
384
385
rule_set = client.namespaces.create_or_update_network_rule_set(
386
resource_group_name="my-resource-group",
387
namespace_name="my-servicebus-namespace",
388
parameters=network_rules
389
)
390
391
print("Network rules configured successfully")
392
```
393
394
### Managing Private Endpoint Connections
395
396
```python
397
from azure.mgmt.servicebus.models import (
398
PrivateEndpointConnection,
399
ConnectionState,
400
PrivateLinkConnectionStatus
401
)
402
403
# List existing private endpoint connections
404
connections = client.private_endpoint_connections.list(
405
resource_group_name="my-resource-group",
406
namespace_name="my-servicebus-namespace"
407
)
408
409
for connection in connections:
410
print(f"Connection: {connection.name}")
411
print(f"Status: {connection.connection_state.status}")
412
print(f"Description: {connection.connection_state.description}")
413
414
# Approve a private endpoint connection
415
connection_state = ConnectionState(
416
status=PrivateLinkConnectionStatus.APPROVED,
417
description="Approved by administrator"
418
)
419
420
updated_connection = client.private_endpoint_connections.create_or_update(
421
resource_group_name="my-resource-group",
422
namespace_name="my-servicebus-namespace",
423
private_endpoint_connection_name="connection-name",
424
parameters=PrivateEndpointConnection(
425
connection_state=connection_state
426
)
427
)
428
429
# Get available private link resources
430
link_resources = client.private_link_resources.get(
431
resource_group_name="my-resource-group",
432
namespace_name="my-servicebus-namespace"
433
)
434
435
for resource in link_resources.value:
436
print(f"Resource: {resource.name}")
437
print(f"Group ID: {resource.group_id}")
438
print(f"Required members: {resource.required_members}")
439
```
440
441
### Implementing Role-Based Access Control
442
443
```python
444
# Create different authorization rules for different application roles
445
446
# Application service that only sends messages
447
app_sender_rule = SBAuthorizationRule(
448
rights=[AccessRights.SEND]
449
)
450
451
client.namespaces.create_or_update_authorization_rule(
452
resource_group_name="my-resource-group",
453
namespace_name="my-servicebus-namespace",
454
authorization_rule_name="AppSenderPolicy",
455
parameters=app_sender_rule
456
)
457
458
# Background service that only processes messages
459
processor_rule = SBAuthorizationRule(
460
rights=[AccessRights.LISTEN]
461
)
462
463
client.namespaces.create_or_update_authorization_rule(
464
resource_group_name="my-resource-group",
465
namespace_name="my-servicebus-namespace",
466
authorization_rule_name="ProcessorPolicy",
467
parameters=processor_rule
468
)
469
470
# Monitoring service that needs to peek at queues
471
monitor_rule = SBAuthorizationRule(
472
rights=[AccessRights.LISTEN] # Listen includes peek capabilities
473
)
474
475
client.namespaces.create_or_update_authorization_rule(
476
resource_group_name="my-resource-group",
477
namespace_name="my-servicebus-namespace",
478
authorization_rule_name="MonitorPolicy",
479
parameters=monitor_rule
480
)
481
482
# Administrative service with full access
483
admin_rule = SBAuthorizationRule(
484
rights=[AccessRights.MANAGE, AccessRights.SEND, AccessRights.LISTEN]
485
)
486
487
client.namespaces.create_or_update_authorization_rule(
488
resource_group_name="my-resource-group",
489
namespace_name="my-servicebus-namespace",
490
authorization_rule_name="AdminPolicy",
491
parameters=admin_rule
492
)
493
494
# Get connection strings for each role
495
app_keys = client.namespaces.list_keys(
496
resource_group_name="my-resource-group",
497
namespace_name="my-servicebus-namespace",
498
authorization_rule_name="AppSenderPolicy"
499
)
500
501
processor_keys = client.namespaces.list_keys(
502
resource_group_name="my-resource-group",
503
namespace_name="my-servicebus-namespace",
504
authorization_rule_name="ProcessorPolicy"
505
)
506
507
print("Role-based access control configured:")
508
print(f"App sender connection: {app_keys.primary_connection_string}")
509
print(f"Processor connection: {processor_keys.primary_connection_string}")
510
```
511
512
## Types
513
514
```python { .api }
515
class SBAuthorizationRule:
516
def __init__(self, **kwargs): ...
517
518
# Authorization rule properties
519
id: Optional[str]
520
name: Optional[str]
521
type: Optional[str]
522
rights: List[Union[str, AccessRights]]
523
524
class AccessKeys:
525
def __init__(self, **kwargs): ...
526
527
# Connection strings for different scenarios
528
primary_connection_string: Optional[str]
529
secondary_connection_string: Optional[str]
530
alias_primary_connection_string: Optional[str] # For GEO DR
531
alias_secondary_connection_string: Optional[str] # For GEO DR
532
533
# Raw access keys
534
primary_key: Optional[str]
535
secondary_key: Optional[str]
536
key_name: Optional[str]
537
538
class RegenerateAccessKeyParameters:
539
def __init__(self, **kwargs): ...
540
541
key_type: Union[str, KeyType] # "PrimaryKey" or "SecondaryKey"
542
key: Optional[str] # Optional custom key value
543
544
class NetworkRuleSet:
545
def __init__(self, **kwargs): ...
546
547
# Network access configuration
548
trusted_service_access_enabled: Optional[bool] # Allow trusted Azure services
549
default_action: Optional[Union[str, DefaultAction]] # "Allow" or "Deny"
550
551
# Access rules
552
virtual_network_rules: Optional[List[NWRuleSetVirtualNetworkRules]]
553
ip_rules: Optional[List[NWRuleSetIpRules]]
554
555
class NWRuleSetIpRules:
556
def __init__(self, **kwargs): ...
557
558
ip_mask: Optional[str] # IP address or CIDR range
559
action: Optional[Union[str, NetworkRuleIPAction]] # "Allow"
560
561
class NWRuleSetVirtualNetworkRules:
562
def __init__(self, **kwargs): ...
563
564
subnet: Optional[Subnet]
565
ignore_missing_vnet_service_endpoint: Optional[bool]
566
567
class Subnet:
568
def __init__(self, **kwargs): ...
569
570
id: Optional[str] # Azure resource ID of the subnet
571
572
class PrivateEndpointConnection:
573
def __init__(self, **kwargs): ...
574
575
# Connection properties
576
id: Optional[str]
577
name: Optional[str]
578
type: Optional[str]
579
580
# Private endpoint details
581
private_endpoint: Optional[PrivateEndpoint]
582
connection_state: Optional[ConnectionState]
583
provisioning_state: Optional[Union[str, EndPointProvisioningState]]
584
585
class ConnectionState:
586
def __init__(self, **kwargs): ...
587
588
status: Optional[Union[str, PrivateLinkConnectionStatus]]
589
description: Optional[str]
590
actions_required: Optional[str]
591
592
class PrivateEndpoint:
593
def __init__(self, **kwargs): ...
594
595
id: Optional[str] # Azure resource ID of the private endpoint
596
597
from enum import Enum
598
599
class AccessRights(str, Enum):
600
MANAGE = "Manage" # Full control including create/delete entities
601
SEND = "Send" # Send messages to entities
602
LISTEN = "Listen" # Receive/peek messages from entities
603
604
class KeyType(str, Enum):
605
PRIMARY_KEY = "PrimaryKey"
606
SECONDARY_KEY = "SecondaryKey"
607
608
class DefaultAction(str, Enum):
609
ALLOW = "Allow"
610
DENY = "Deny"
611
612
class NetworkRuleIPAction(str, Enum):
613
ALLOW = "Allow"
614
615
class PrivateLinkConnectionStatus(str, Enum):
616
PENDING = "Pending"
617
APPROVED = "Approved"
618
REJECTED = "Rejected"
619
DISCONNECTED = "Disconnected"
620
621
class EndPointProvisioningState(str, Enum):
622
CREATING = "Creating"
623
UPDATING = "Updating"
624
DELETING = "Deleting"
625
SUCCEEDED = "Succeeded"
626
CANCELED = "Canceled"
627
FAILED = "Failed"
628
```
629
630
## Security Best Practices
631
632
### Key Management
633
- Use separate authorization rules for different application roles
634
- Regenerate keys regularly and implement key rotation strategies
635
- Use secondary keys for zero-downtime key rotation
636
- Store connection strings securely using Azure Key Vault
637
638
### Network Security
639
- Enable network rules to restrict access to trusted networks
640
- Use private endpoints for secure connectivity from Azure VNets
641
- Configure IP allowlists for on-premises or specific external access
642
- Enable trusted service access for Azure platform services
643
644
### Access Control
645
- Follow principle of least privilege when assigning rights
646
- Use Manage rights only for administrative operations
647
- Separate send and listen operations with different authorization rules
648
- Regularly audit and review authorization rules