After upgrade to 8.2.0 AddAzureServiceBus disabled "Local Authentication" (SAS) #5494

Closed
1 task done
ryanheath opened this issue Aug 30, 2024 · 7 comments
Labels
area-app-model Issues pertaining to the APIs in Aspire.Hosting, e.g. DistributedApplication

Comments

@ryanheath

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

After upgrade to 8.2.0 our Azure ServiceBus "Local Authentication" was disabled.
How can we configure the appHost to keep this enabled?

// Ryan

Expected Behavior

No response

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version info

No response

Anything else?

No response

@dotnet-issue-labeler bot added the needs-area-label label Aug 30, 2024
@eerhardt self-assigned this Aug 30, 2024
@davidfowl
Member

Part of our "secure by default" initiative (#4938):

You should be able to turn it back on with:

builder.AddAzureServiceBus("sb")
       .ConfigureConstruct(c =>
        {
#pragma warning disable AZPROVISION001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
            var ns = c.GetSingleResource<ServiceBusNamespace>()!;
            // Re-enable local (SAS) authentication on the namespace
            ns.AssignProperty(p => p.DisableLocalAuth, "false");
#pragma warning restore AZPROVISION001
        });

@eerhardt
Member

eerhardt commented Aug 30, 2024

This change happened in #4938. It is part of our security work to make the Azure resources meet best practices. It is a best practice to use managed identity to connect to Azure Service Bus. See https://learn.microsoft.com/security/benchmark/azure/baselines/service-bus-security-baseline?toc=%2Fazure%2Fservice-bus-messaging%2FTOC.json#im-3-manage-application-identities-securely-and-automatically.

By default, your Aspire app will use managed identity to connect to the Service Bus. So local authentication was disabled.

To keep this enabled, you can use this experimental API:

#pragma warning disable AZPROVISION001 // Need to use the experimental API to customize the service bus namespace
var sb = builder.AddAzureServiceBus("servicebus", (_, _, serviceBusNamespace) =>
{
    // Re-enable local (SAS) authentication on the namespace
    serviceBusNamespace.AssignProperty(p => p.DisableLocalAuth, "false");
});
#pragma warning restore AZPROVISION001 // Need to use the experimental API to customize the service bus namespace

@eerhardt added area-app-model and removed needs-area-label labels Aug 30, 2024
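
A deploy-time check for the setting discussed in this thread, as an added example that is not from the issue or the Aspire project: it scans an ARM JSON template for Service Bus namespaces where `disableLocalAuth` is not `true`, including namespaces inside nested deployments. It assumes the Bicep produced for the app host has been compiled to ARM JSON first; the sample template and its resource names are constructed.

```python
import json

# Constructed sample template; resource names are made up for illustration.
SAMPLE_TEMPLATE = """
{"resources": [
  {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-secure",
   "properties": {"disableLocalAuth": true}},
  {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-sas",
   "properties": {"disableLocalAuth": false}},
  {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-unset", "properties": {}},
  {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-param",
   "properties": {"disableLocalAuth": "[parameters('allowSas')]"}},
  {"type": "Microsoft.Resources/deployments", "name": "inner",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-nested",
      "properties": {"disableLocalAuth": false}}]}}}
]}
"""

SERVICE_BUS = "microsoft.servicebus/namespaces"

def walk(resources):
    """Yield every resource, descending into child resources and nested deployments."""
    # ARM templates carry resources as a list, or as a dict keyed by symbolic name.
    items = resources.values() if isinstance(resources, dict) else (resources or [])
    for r in items:
        yield r
        yield from walk(r.get("resources"))
        yield from walk(r.get("properties", {}).get("template", {}).get("resources"))

def classify(resource):
    """Return 'disabled', 'enabled' or 'unresolved' for local (SAS) authentication."""
    value = resource.get("properties", {}).get("disableLocalAuth")
    if value is True or str(value).lower() == "true":
        return "disabled"
    if isinstance(value, str) and value.startswith("["):
        return "unresolved"  # template expression, known only at deployment time
    return "enabled"         # explicit false, or absent (the service default)

def audit(template_text):
    """List (name, state) for each namespace whose local auth is not provably disabled."""
    template = json.loads(template_text)
    return [(r.get("name"), classify(r))
            for r in walk(template.get("resources"))
            if str(r.get("type", "")).lower() == SERVICE_BUS
            and classify(r) != "disabled"]

if __name__ == "__main__":
    for name, state in audit(SAMPLE_TEMPLATE):
        print(f"{name}: local authentication {state}")
```
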
@eerhardt
Member

Closing as answered. Feel free to re-open if this doesn't help.

@eerhardt closed this as not planned Aug 30, 2024
@davidfowl
Member

@eerhardt do we put this elsewhere?

@eerhardt
Member

> @eerhardt do we put this elsewhere?

Where are you thinking that people would see it? In our docs? Note we did it for more than just ServiceBus.

#4774

#5041

#4744

@davidfowl
Member

Docs and release notes

@ryanheath
Author

Thanks guys!
