Manage Access Policies for Azure Event Hubs
Introduction
Access policies in Azure Event Hubs are fundamental for securing your event streaming data. They control who can perform specific operations on your Event Hubs namespaces and entities. The primary mechanism for managing access is through Shared Access Signatures (SAS).
Understanding and effectively managing these policies is crucial for maintaining the security and integrity of your data pipelines. This guide will walk you through the concepts and practical steps involved.
Creating SAS Policies
SAS policies are defined at the Event Hubs namespace level. Each policy is associated with a name, a primary key, and a secondary key. These keys are used to generate SAS tokens.
When you create an Event Hubs namespace, Azure automatically creates a default policy named RootManageSharedAccessKey that grants full manage access. It is highly recommended to create custom policies with the minimum required permissions for your applications.
Permissions available:
- Manage: Grants full access to manage the namespace and its entities.
- Send: Grants permission to send events to any entity within the namespace.
- Listen: Grants permission to listen to events from any entity within the namespace.
Managing Policies in the Azure Portal
The Azure portal provides a user-friendly interface for managing access policies.
- Navigate to your Event Hubs namespace in the Azure portal.
- In the left-hand menu, under Settings, select Shared access policies.
- You will see a list of existing policies. To create a new one, click + Add.
- Enter a policy name, select the desired permissions (Listen, Send, Manage), and click Create.
- Once created, you can view the primary and secondary connection strings for the policy, which your applications will use to authenticate.
Important: Treat the connection strings with the same care as you would your secrets. Do not embed them directly in client-side code.
Managing Policies with Azure CLI
You can also manage SAS policies using the Azure Command-Line Interface (CLI).
Create a new SAS policy:
az eventhubs namespace authorization-rule create --resource-group <resource-group> --namespace-name <namespace-name> --name <policy-name> --rights Listen Send
List all SAS policies:
az eventhubs namespace authorization-rule list --resource-group <resource-group> --namespace-name <namespace-name>
Get connection strings for a policy:
az eventhubs namespace authorization-rule keys list --resource-group <resource-group> --namespace-name <namespace-name> --name <policy-name>
Managing Policies with Azure PowerShell
Azure PowerShell offers another way to manage your Event Hubs access policies.
Create a new SAS policy (cmdlet and parameter names as in the current Az.EventHub module):
New-AzEventHubAuthorizationRule -ResourceGroupName <resource-group> -NamespaceName <namespace-name> -Name <policy-name> -Rights @("Listen", "Send")
List all SAS policies:
Get-AzEventHubAuthorizationRule -ResourceGroupName <resource-group> -NamespaceName <namespace-name>
Get keys and connection strings for a policy:
Get-AzEventHubKey -ResourceGroupName <resource-group> -NamespaceName <namespace-name> -AuthorizationRuleName <policy-name>
Best Practices
- Principle of Least Privilege: Always grant only the necessary permissions. If an application only needs to send events, give it only the 'Send' permission.
- Create Custom Policies: Avoid using the RootManageSharedAccessKey for applications. Create dedicated policies for each application or service.
- Rotate Keys: Regularly rotate the primary and secondary keys for your SAS policies to enhance security.
- Secure Connection Strings: Store connection strings securely, for example, in Azure Key Vault, and retrieve them at runtime. Never hardcode them.
- Use Short Expiry Times: When generating SAS tokens manually (not via connection strings), set short expiry times to limit the window of vulnerability if a token is compromised.
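The following is an added example, not code from the original page or from Microsoft: it parses a connection string of the shape the portal and CLI return for a policy, mints a SAS token with an explicit short expiry in the documented Event Hubs format (sr, sig, se, skn), and verifies such a token so that expired or tampered tokens are rejected. The namespace, policy name, key and entity path are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed sample in the shape the portal and CLI return for a policy;
# the key is a made-up placeholder, not a real Event Hubs key.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://example-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=SendOnly;"
    "SharedAccessKey=cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk=;"
    "EntityPath=telemetry"
)


def parse_connection_string(conn_str):
    """Split 'Name=Value;...' into a dict (SharedAccessKey is the secret)."""
    fields = {}
    for segment in conn_str.split(";"):
        name, _, value = segment.partition("=")
        if name:
            fields[name] = value
    return fields


def generate_sas_token(resource_uri, policy_name, key, expiry):
    """SAS token valid until `expiry` (Unix seconds); sig = HMAC-SHA256 over urlencode(uri) + newline + expiry."""
    encoded_uri = quote_plus(resource_uri)
    to_sign = f"{encoded_uri}\n{expiry}".encode()
    digest = hmac.new(key.encode(), to_sign, hashlib.sha256).digest()
    sig = quote_plus(base64.b64encode(digest).decode())
    return f"SharedAccessSignature sr={encoded_uri}&sig={sig}&se={expiry}&skn={policy_name}"


def verify_sas_token(token, key, now):
    """Accept only a token whose signature matches and whose expiry is still ahead of `now`."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = {}
    for pair in token[len(prefix):].split("&"):
        name, _, value = pair.partition("=")
        fields[name] = value
    if not fields.get("se", "").isdigit() or int(fields["se"]) <= now:
        return False  # missing, malformed or already expired
    expected = generate_sas_token(unquote_plus(fields.get("sr", "")),
                                  fields.get("skn", ""), key, int(fields["se"]))
    return hmac.compare_digest(expected.encode(), token.encode())  # constant-time compare
```

Because the expiry is part of the signed string, changing `se` on an issued token invalidates it; issuing with a small `expiry - now` is what keeps the exposure window short.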