Azure Service Bus managed identity in Visual Studio returning 401 - Token issuer is invalid

Question

I'm attempting to access Azure Service Bus using a managed identity from my code. At the moment I'm just trying this locally.

When I debug my code I get the following error

System.UnauthorizedAccessException: Put token failed. status-code: 401, status-description: InvalidIssuer: Token issuer is invalid

Here is my service bus instance

Here is my user with Azure Service Bus Data Owner permissions

And here is my code

_client = new ServiceBusClient("oconnorevents.servicebus.windows.net", new DefaultAzureCredential());

I am logged into Visual Studio as the same user added to the service bus. I also tried logging in via the CLI but it didn't help.

Where am I going wrong here?

I've looked at this similar recent question here but the solutions proposed didn't work for me.

Answer 1

由于我可以访问多个不同的租户，因此 Visual Studio 有时会感到困惑。处理此问题的另一种方法是继续使用 DefaultAzureCredential，但向 Visual Studio 提供有关要使用哪个租户的提示。
首先左键单击您的项目并检查属性，然后：

1. 左键单击“调试”
2. 左键单击“添加”按钮添加环境变量
3. 对于名称，请使用“AZURE_TENANT_ID”，对于值，请使用您的租户 ID。是的，这是图片中的假租户 ID :-)

参考

• https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet
• https://damienbod.com/2020/10/09/using-key-vault-certificates-with-microsoft-identity-web-and-asp-net-core-applications/

Answer 2

通过将以下键添加到 local.settings.json 来指定确切的租户 ID。

"AZURE_TENANT_ID": "your tenant id"

我尝试创建一个天蓝色函数，使用托管身份触发器从服务总线队列接收消息，它对我有用。

Answer 3

如果您使用DefaultAzureCredential身份验证，它将尝试多种凭据类型进行身份验证，如此处所述，其中之一是VisualStudioCredential，但它将对登录 VS 的用户的主 AAD 租户进行身份验证，在您的情况下，我认为服务总线位于不在用户的家庭租户下的订阅。

我也可以在我这边重现您的问题。

解决这个问题，直接使用VisualStudioCredential，然后简单指定TenantIdvia VisualStudioCredentialOptions，就可以正常工作了。

样本：

要查找TenantId，只需导航到您的服务总线订阅所在的Azure Active Directory位置。

TokenCredential tokenCredential = new VisualStudioCredential(new VisualStudioCredentialOptions {TenantId = "xxxxxxx" });
ServiceBusClient client = new ServiceBusClient("xxx.servicebus.windows.net", tokenCredential);