Azure Service Bus can be used by clients with two different authentication mechanisms – either through Shared access policies with Manage, Send and Listen capabilities or through the Role-based access control (RBAC). The latter one is recommended as it also allows you to make use of Managed Identites instead of relying on connection strings. In this post we’ll take a look at how this can be set up using Bicep and connected to an ASP.NET Core app.
Btw. you can run both mechanisms in parallel for example if you need to connect a client that does not support Managed Identities.
First we create our service bus and output its name for later reference.
Next we create a reusable module to assign Service Bus roles to Managed Identites e.g. for WebApps or Functions. There are three different roles available: Reader, Sender and Owner. Each have their own global role Id that we need to use depending on the permissions we want to set.
Lastly we call the role assignment modules with the apps Principal Id, Service Bus name and desired role name. In this example we have a function app that listens to queue messages and a web app that can send them.