I am able to read events from IoT Hub (Event Hub) when using a SAS key, but when I try using Azure credentials, it gives me the error
What's working:
When trying to use EventHubConnection with the SAS key, it works as expected, and I am able to read the events using EventHubConsumerClient,
something like this (but with using ):
is taken from the Event Hub-compatible endpoint in the IoT Hub settings, and it looks like this:
"Endpoint=sb://iothub-xxxxxx.servicebus.windows.net/;SharedAccessKeyName=iothubowner;SharedAccessKey=;EntityPath=";
```csharp
using Azure.Messaging.EventHubs;
using Azure.Messaging.EventHubs.Consumer;
using System.Diagnostics;
// SAS-based connection string from the IoT Hub "Event Hub-compatible endpoint"
var connection = new EventHubConnection("<MyConnectionString>");
var consumer = new EventHubConsumerClient("<MyConsumerGroup>", connection);
...
await foreach (PartitionEvent partitionEvent in consumer.ReadEventsAsync(cancellationToken).ConfigureAwait(false))
{
    Debug.WriteLine("Received message from device");
}
```
What's not working:
Now, instead of the SAS connection string I would like to use Azure credentials, specifically AzureCliCredential. In my scenario, just in case, I specify the TenantId in the options as well:
```csharp
using Azure.Identity;

var credential = new AzureCliCredential(new AzureCliCredentialOptions()
{
    TenantId = "<MyTenantId>"
});
// fully qualified namespace, event hub name, and the token credential
var connection = new EventHubConnection("<MyEventHubNamespace>", "<MyEventHubName>", credential);
var consumer = new EventHubConsumerClient("<MyConsumerGroup>", connection);
// call the consumer.ReadEventsAsync as earlier
```
When using that and trying to get the messages, I get the error:
Azure.Messaging.EventHubs.EventHubsException(ServiceCommunicationProblem): InvalidIssuer: Token issuer is invalid.
I put a breakpoint and looked inside consumer > Connection > InnerClient > _accessToken, and I see that the payload has the correct information, matching my tenant:
(partial)
```
"aud" : "https://eventhubs.azure.net",
"iss" : "https://sts.windows.net/<MyTenantId>/",
"tid" : "<MyTenantId>"
```
I also tried to get the token from the CLI like this:
```shell
az account get-access-token --resource "https://iothub-xxxxxx.servicebus.windows.net"
```
and I get very similar values, but this time with my reference to Service Bus, not eventhubs, which is what I was getting originally from the connection:
(partial)
```
"aud" : "https://iothub-xxxxxx.servicebus.windows.net",
"iss" : "https://sts.windows.net/<MyTenantId>/",
"tid" : "<MyTenantId>"
```
Then I use this token for the connection explicitly and still get the same "Token issuer is invalid" error.
Thoughts:
It looks like I have the configuration right regarding the names of the hub, namespace and tenant, since it does work with the SAS connection string in the first place.
The user I am accessing it with does have the following roles:
But since the error message is about the issuer, I do not think this has to do with the roles.
I have run out of ideas on how I could possibly fix it or where to look.
Any ideas?
In short - you cannot do this.
The built-in Event Hubs namespace that is associated with an IoT Hub instance is provisioned and owned by IoT Hub on your behalf. Because it does not exist in your tenant, identities associated with your tenant are untrusted. This is why the error that you're seeing indicates that the issuer is invalid. As a result, you cannot grant your local development identity access.
You may want to take a look at IoT Hub routing, which allows you to route IoT Hub messages and events to other downstream resources - such as an Event Hubs instance in your own tenant.
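As an added example (not code from the question or the answer), a small diagnostic that acquires the token AzureCliCredential would present and decodes its aud/iss/tid claims without a debugger. It assumes the Azure.Identity and Azure.Core packages and the "<MyTenantId>" placeholder from the question; if the claims match your tenant and the IoT Hub-owned namespace still reports InvalidIssuer, the namespace's trust relationship, not the token, is the problem, and routing to an Event Hub in your own tenant is the fix the answer points to.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

static class TokenInspector
{
    // Base64url (RFC 7515) to bytes: restore standard alphabet and padding.
    static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }

    // Reads the aud/iss/tid claims from the JWT payload. The signature is NOT
    // validated here; this is for local diagnosis only, never for trust decisions.
    public static (string aud, string iss, string tid) Describe(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWS");
        using JsonDocument doc = JsonDocument.Parse(FromBase64Url(parts[1]));
        JsonElement root = doc.RootElement;
        string Get(string name) =>
            root.TryGetProperty(name, out JsonElement v) ? v.ToString() : "<missing>";
        return (Get("aud"), Get("iss"), Get("tid"));
    }

    // Acquire a token for the Event Hubs resource with the Azure CLI identity,
    // exactly as EventHubConnection would, and show what the service will see.
    public static async Task Main()
    {
        var credential = new AzureCliCredential(
            new AzureCliCredentialOptions { TenantId = "<MyTenantId>" }); // placeholder
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://eventhubs.azure.net/.default" }), default);
        var (aud, iss, tid) = Describe(token.Token);
        Console.WriteLine($"aud={aud}");
        Console.WriteLine($"iss={iss}");
        Console.WriteLine($"tid={tid}");
    }
}
```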