This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
Use Case:
To read the events from Azure Event hub using Storage SAS Token.
Pre-Requisites:
- Azure Event hub Namespace
- Azure Storage Account SAS Token
- Console Application to read the published
Steps to follow:
Azure Event Hub uses a storage account while reading events in order to implement features such as checkpointing in the Event Processor Host. For this purpose, the storage connection string normally has to be passed. This article covers the scenario where we do not want to expose the full storage connection string and want to authenticate using only a storage SAS token.
A ready-made sample that reads events from an event hub using a connection string can be found here
To generate a SAS token for the storage account, we can either use the Shared Access Signature blade of the storage account in the Azure Portal or use the code below:
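    using System;
    using Microsoft.WindowsAzure.Storage; // Microsoft.Azure.Storage in newer SDK packages

    static string GetAccountSASToken()
    {
        // Placeholder values; load the real key from protected configuration, not from source code.
        const string ConnectionString = "DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<account-key>";
        CloudStorageAccount storageAccount = CloudStorageAccount.Parse(ConnectionString);
        SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
        {
            Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.List,
            Services = SharedAccessAccountServices.Blob | SharedAccessAccountServices.File,
            // Leases and checkpoints are stored as blobs in a container, so the SAS must cover
            // container- and object-level operations; Service alone covers only service-level APIs.
            ResourceTypes = SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object,
            // Short-lived token, accepted over HTTPS only.
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
            Protocols = SharedAccessProtocol.HttpsOnly
        };
        return storageAccount.GetSharedAccessSignature(policy);
    }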
To pass the storage SAS token, initialize the EventProcessorHost instance from the ready-made sample as follows:
    // Namespaces used: Microsoft.Azure.EventHubs, Microsoft.Azure.EventHubs.Processor,
    // Microsoft.WindowsAzure.Storage, Microsoft.WindowsAzure.Storage.Auth
    var eventProcessorHost = new EventProcessorHost(
        new Uri(Uristring),
        EventHubName,
        PartitionReceiver.DefaultConsumerGroupName,
        TokenProvider.CreateSharedAccessSignatureTokenProvider(KeyName, KeyValue),
        // Storage credentials are built from the SAS token only; no account key is supplied.
        new CloudStorageAccount(new StorageCredentials(StorageSasToken), StorageAccountName, null, true),
        StorageContainerName);
The format for the parameters is as below:
Uristring = "sb://{event hub namespace}.servicebus.windows.net"
KeyName = Event hub Policy name
KeyValue = Event hub key value
StorageSasToken = Storage SAS token provided by Azure Portal or code.
StorageAccountName = Name of Storage account which would be used.
StorageContainerName = Name of Storage container to acquire lease on.
When you run the receiver console application, you should be able to read the events from the event hub while using the SAS token.
Hope this helps!
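An added example, not part of the original article or of Microsoft's sample: a small check that parses the fields of an account SAS token and reports any scope wider than Event Processor Host checkpointing needs, before the token is handed to the host. The class name SasAudit, the 8-hour lifetime limit and the sample token are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

static class SasAudit // hypothetical helper, not part of any SDK
{
    // Returns findings for an account SAS meant only for Event Processor Host checkpointing.
    public static List<string> Audit(string sasToken, DateTimeOffset now, TimeSpan maxLifetime)
    {
        // A SAS token is a URL query string; split it into its fields (ss, srt, sp, se, spr, ...).
        var f = sasToken.TrimStart('?').Split('&')
            .Select(p => p.Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2)
            .ToDictionary(kv => kv[0], kv => Uri.UnescapeDataString(kv[1]));
        string Get(string k) => f.TryGetValue(k, out var v) ? v : "";

        var findings = new List<string>();
        if (Get("spr") != "https")
            findings.Add("spr: plain HTTP is allowed; issue the token with HttpsOnly");
        if (Get("ss") != "b")
            findings.Add($"ss={Get("ss")}: checkpointing only needs the Blob service");
        foreach (char needed in "co")
            if (!Get("srt").Contains(needed))
                findings.Add($"srt lacks '{needed}': container/blob operations will be refused");
        if (Get("sp").Any(c => !"rwl".Contains(c)))
            findings.Add($"sp={Get("sp")}: more than the Read/Write/List the article grants");
        if (!DateTimeOffset.TryParse(Get("se"), CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal, out var expiry))
            findings.Add("se: missing or unparseable expiry");
        else if (expiry <= now)
            findings.Add("se: token has already expired");
        else if (expiry - now > maxLifetime)
            findings.Add($"se: valid for {(expiry - now).TotalHours:F0} h, over the allowed lifetime");
        return findings;
    }

    static void Main()
    {
        // Constructed sample token (fake signature): File service enabled, service-only resource type.
        var sample = "?sv=2018-03-28&ss=bf&srt=s&sp=rwl&se=2030-01-02T00%3A00%3A00Z&spr=https&sig=FAKE";
        var now = new DateTimeOffset(2030, 1, 1, 0, 0, 0, TimeSpan.Zero); // fixed clock for the sample
        foreach (var finding in Audit(sample, now, TimeSpan.FromHours(8)))
            Console.WriteLine(finding);
    }
}
```

For the constructed token this reports the extra File service, the missing container and object resource types, and the 24-hour lifetime.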
Is it possible to use blob access policies? See example below:
    // Create the shared access permissions and policy
    var blobPermissions = new BlobContainerPermissions()
    {
        PublicAccess = BlobContainerPublicAccessType.Off, // Turn off public access
    };
    // Create a new access policy and define its constraints.
    // Note that the SharedAccessBlobPolicy class is used both to define the parameters of an ad hoc SAS, and
    // to construct a shared access policy that is saved to the container’s shared access policies.
    var sharedPolicy = new SharedAccessBlobPolicy()
    {
        // When the start time for the SAS is omitted, the start time is assumed to be the time when the storage service receives the request.
        // Omitting the start time for a SAS that is effective immediately helps to avoid clock skew.
        SharedAccessExpiryTime = DateTime.UtcNow.AddYears(100),
        SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-120),
        Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write |
                      SharedAccessBlobPermissions.Create | SharedAccessBlobPermissions.List |
                      SharedAccessBlobPermissions.Delete | SharedAccessBlobPermissions.Add,
    };
    blobPermissions.SharedAccessPolicies.Add(consumerGroupName, sharedPolicy);
    await cloudBlobContainer.SetPermissionsAsync(blobPermissions);