Managed Identities and Shared Access Tokens for EventHubs in Azure
Azure EventHubs can be secured with Azure role assignments (IAM) and with Shared Access Policies. Each has its own advantages and disadvantages, as discussed in a previous blog posting. We can see how the two authorization techniques come together in the Azure Portal.
GitHub Repository
The Azure portal images in this blog were generated using the 8/2021
version of this Github repository:
Azure EventHubs Example
Example Security Posture
Our sample uses different authorization bindings to suit different client
types. It applies those bindings at different places in the resource
hierarchy.
Individual EventHubs and Namespaces use
Identity Access Management with a Managed Identity and
standard Azure roles for some use cases. They use
Shared Access Policies and signed requests for other use
cases.
Permissions are applied at the Namespace and individual
EventHub levels. Namespace permissions are inherited by the
individual EventHubs. Permissions granted on an individual
EventHub apply only to that EventHub.
Video Walkthrough
In the Portal
We can see our deployed components and permissions in the
Azure Portal.
Resource Group
The Resource Group is the root of all Azure resources in this
example. We can see our EventHubs Namespace and a
Managed Identity in the resource group.
Managed Identity
The Managed Identity pane shows all the role assignments for this
identity: the identity-centric view. Our
identity has two standard Azure role assignments, each scoped
to a resource. Together they give the identity Send and
Listen permissions on the namespace.
Resource Group
We go back to the resource group pane to find the
EventHubs namespace that we created.
EventHubs namespace
Clicking on the namespace takes us to the namespace management pane
which has several views available via the left-hand menu. The sample
code implements two different types of permissions to the
namespace.
- A Managed Identity with Send and Listen role assignments scoped to the namespace
- A Shared Access Policy on the namespace with Manage rights; anyone holding its key can mint SAS tokens for the whole namespace
EventHubs namespace - IAM
The namespace has its own Access control (IAM) pane. That pane is essentially
the inverse of the identity view shown above: it presents the
identities, and their roles, that
are bound to this namespace. The pane shows that our managed
identity has two role assignments bound to this namespace.
EventHubs namespace - Shared Access Policies
The namespace has a Shared Access Policy that grants
Manage rights to any caller that signs requests with the
policy's key. Manage includes the Send and Listen rights, and a token
minted from a namespace-level policy is valid for every EventHub in the
namespace, so this is a powerful secret that must be
secured: keep it out of source control and client builds, and regenerate
it if it leaks.
EventHubs in the namespace
The EventHubs menu item on the left-hand side (not visible in the
screenshot) brings up the list of EventHubs in this namespace.
The right-hand pane shows three hubs, each with 4-day retention and 15
partitions. The partition count caps the read parallelism: each
consumer group can spread its readers across at most that many partitions.
Individual EventHub - IAM
The right-hand pane shows inherited and directly assigned IAM
bindings: all of the identities that have permission to
work with this individual EventHub, whether those permissions were
bound directly to the individual EventHub or inherited from the
namespace.
Our managed identity that is bound to the namespace shows up
here. The permissions in the picture are inherited from the
namespace. We saw them in one of the namespace views
above.
Individual EventHub - Shared Access Policy
This EventHub has a Shared Access Policy that lets the SAS
presenter send messages to this EventHub and nothing else in the
namespace. This lets an entity that is not hosted in Azure, such as a
3rd party or a mobile app, send messages to this EventHub; it only needs
to sign its requests with a token from that policy. Give such senders
short-lived tokens from a backend that holds the key rather than the
key itself.
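As an added example (not code from the blog's repository), the following Python mints Event Hubs SAS tokens the way the namespace-level Manage policy and the hub-level Send policy above would be used, and models the checks the service applies to a token so the two scopes can be compared offline. The namespace name, hub names, policy names and keys are constructed for illustration; the token layout and the HMAC-SHA256 signing procedure are the documented Event Hubs SAS scheme, and the scope check mirrors the namespace-to-hub inheritance the page describes.

```python
"""Mint Event Hubs SAS tokens and model the checks the service applies to them.

Added example, not code from the blog's repository. The topology, policy
names and keys below are constructed; the token layout and the signing
procedure (HMAC-SHA256 over "<url-encoded resource uri>\n<expiry>") are
the ones Azure documents for Service Bus / Event Hubs SAS.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus

# Constructed sample topology: a namespace-level policy with Manage (the
# portal's default RootManageSharedAccessKey) and a hub-level Send-only policy.
NAMESPACE_URI = "https://contoso-ns.servicebus.windows.net"
HUB_URI = NAMESPACE_URI + "/telemetry"
OTHER_HUB_URI = NAMESPACE_URI + "/audit"
POLICIES = {  # (scope uri, policy name) -> (key, rights); keys are made up
    (NAMESPACE_URI, "RootManageSharedAccessKey"): ("ns-secret-key-do-not-commit", {"Manage"}),
    (HUB_URI, "device-send"): ("hub-secret-key", {"Send"}),
}


def _signature(key: str, encoded_uri: str, expiry: int) -> str:
    """Base64 HMAC-SHA256 over the URL-encoded resource URI, a newline and the expiry."""
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_sas_token(resource_uri, policy_name, policy_key, ttl_seconds=3600, now=None):
    """Return 'SharedAccessSignature sr=...&sig=...&se=...&skn=...' for resource_uri."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    encoded_uri = quote_plus(resource_uri)
    sig = quote_plus(_signature(policy_key, encoded_uri, expiry))
    return f"SharedAccessSignature sr={encoded_uri}&sig={sig}&se={expiry}&skn={policy_name}"


def verify_sas_token(token, requested_uri, required_right, policies=POLICIES, now=None):
    """Model of the server-side check: the named policy exists at the signed scope,
    the signature matches, the token is unexpired, the signed scope covers the
    requested resource, and the policy carries the right (Manage implies Send/Listen)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = {k: v[0] for k, v in parse_qs(token[len(prefix):], strict_parsing=True).items()}
        sr, sig, se, skn = fields["sr"], fields["sig"], int(fields["se"]), fields["skn"]
    except (KeyError, ValueError):
        return False
    policy = policies.get((sr, skn))
    if policy is None:  # a hub-level key cannot mint a namespace-scoped token
        return False
    key, rights = policy
    if not hmac.compare_digest(_signature(key, quote_plus(sr), se), sig):
        return False
    if se <= (time.time() if now is None else now):
        return False
    # A namespace-scoped token covers every hub beneath it; a hub-scoped token covers only that hub.
    in_scope = requested_uri == sr or requested_uri.startswith(sr.rstrip("/") + "/")
    return in_scope and (required_right in rights or "Manage" in rights)


def demo(now=1_700_000_000):
    """Exercise both policies against the model; returns a dict of check results."""
    ns_key = POLICIES[(NAMESPACE_URI, "RootManageSharedAccessKey")][0]
    hub_key = POLICIES[(HUB_URI, "device-send")][0]
    ns_token = make_sas_token(NAMESPACE_URI, "RootManageSharedAccessKey", ns_key, now=now)
    hub_token = make_sas_token(HUB_URI, "device-send", hub_key, now=now)
    # Forge a longer lifetime without the key: the signature no longer covers the new expiry.
    tampered = hub_token.replace(f"se={now + 3600}", f"se={now + 10 * 365 * 86400}")
    return {
        "ns_token_listens_on_hub": verify_sas_token(ns_token, HUB_URI, "Listen", now=now),
        "hub_token_sends_to_hub": verify_sas_token(hub_token, HUB_URI, "Send", now=now),
        "hub_token_cannot_listen": verify_sas_token(hub_token, HUB_URI, "Listen", now=now),
        "hub_token_wrong_hub": verify_sas_token(hub_token, OTHER_HUB_URI, "Send", now=now),
        "hub_key_cannot_sign_namespace": verify_sas_token(
            make_sas_token(NAMESPACE_URI, "device-send", hub_key, now=now), HUB_URI, "Send", now=now),
        "expired": verify_sas_token(hub_token, HUB_URI, "Send", now=now + 3601),
        "tampered_expiry": verify_sas_token(tampered, HUB_URI, "Send", now=now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running `demo()` shows why the namespace key is called powerful above: a token minted from it passes for Listen on any hub, while the hub-level Send token is rejected for Listen, for a sibling hub, and when its key is used to sign a namespace-scoped `sr`. A client outside Azure needs only the token, not the key, so a backend that holds the policy key can hand mobile or third-party senders short-lived tokens; anything running in Azure should take the Managed Identity path instead.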
Deploy the demo code and explore for yourself.
Created 2021 08