unable to connect to individual topic using the SAS token

[rsingh41]

The service bus topic SAS policy has Send and Listen access however when I use the SAS token at the topic level I get the following error:

<13:24:15> The application is now connected to the sb://.servicebus.windows.net/ service bus namespace.
<13:24:15> MessagingFactory successfully created.
<13:24:15> Failed to retrieve EventHub entities. Exception: System.UnauthorizedAccessException: The remote server returned an error: (401) Unauthorized. claim is empty or token is invalid. TrackingId:3b3548f0-4a4b-4412-a3f7-01710aba1c50_G6, SystemTracker:ais-dev-sb-common.servicebus.windows.net:$Resources/EventHubs, Timestamp:2022-12-12T13:24:15 ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.GetAllTask.d__17.MoveNext()
--- End of inner exception stack trace ---
at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.GetAllTask.d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.RetryResourceTask1.<RunAsync>d__34.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.ServiceBus.NamespaceManager.<GetEventHubsAsync>d__75.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at ServiceBusExplorer.Forms.MainForm.<ShowEntities>d__320.MoveNext() in D:\a\ServiceBusExplorer\ServiceBusExplorer\src\ServiceBusExplorer\Forms\MainForm.cs:line 4229 <13:24:18> Failed to retrieve Relay entities. Exception: System.UnauthorizedAccessException: The remote server returned an error: (401) Unauthorized. claim is empty or token is invalid. TrackingId:961da7cf-a475-44f5-9432-1388f0446dac_G6, SystemTracker:ais-dev-sb-common.servicebus.windows.net:$Resources/Relays, Timestamp:2022-12-12T13:24:16 ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.GetAllTask.<OnRunAsync>d__17.MoveNext() --- End of inner exception stack trace --- at ServiceBusExplorer.ServiceBusHelper.GetRelays(Int32 timeoutInSeconds) in D:\a\ServiceBusExplorer\ServiceBusExplorer\src\Common\Helpers\ServiceBusHelper.cs:line 831 at ServiceBusExplorer.Forms.MainForm.<ShowEntities>d__320.MoveNext() in D:\a\ServiceBusExplorer\ServiceBusExplorer\src\ServiceBusExplorer\Forms\MainForm.cs:line 4315 <13:24:18> Failed to retrieve Service Bus queues. Exception: System.ArgumentException: The remote server returned an error: (400) Bad Request. The specified HTTP verb (GET) is not valid. To know more visit https://aka.ms/sbResourceMgrExceptions. . TrackingId:a8c47891-dbad-44b5-bac1-8730ca1e5624_G6, SystemTracker:ais-dev-sb-common:Topic:ftst-sbt-foundationtesting, Timestamp:2022-12-12T13:24:16 ---> System.Net.WebException: The remote server returned an error: (400) Bad Request. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.GetTask1.d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.RetryResourceTask1.<RunAsync>d__34.MoveNext() --- End of inner exception stack trace --- at ServiceBusExplorer.ServiceBusHelper.GetQueueUsingEntityPath(Int32 timeoutInSeconds) in D:\a\ServiceBusExplorer\ServiceBusExplorer\src\Common\Helpers\ServiceBusHelper.cs:line 1624 at ServiceBusExplorer.ServiceBusHelper.GetQueues(String filter, Int32 timeoutInSeconds) in D:\a\ServiceBusExplorer\ServiceBusExplorer\src\Common\Helpers\ServiceBusHelper.cs:line 1599 at ServiceBusExplorer.Forms.MainForm.<ShowEntities>d__320.MoveNext() in D:\a\ServiceBusExplorer\ServiceBusExplorer\src\ServiceBusExplorer\Forms\MainForm.cs:line 4356 <13:24:18> Failed to retrieve Service Bus topics. Exception: System.ArgumentException: The remote server returned an error: (400) Bad Request. The specified HTTP verb (GET) is not valid. To know more visit https://aka.ms/sbResourceMgrExceptions. . TrackingId:19002277-4131-4853-bdee-d5c52b208607_G6, SystemTracker:ais-dev-sb-common:Topic:ftst-sbt-foundationtesting, Timestamp:2022-12-12T13:24:17 ---> System.Net.WebException: The remote server returned an error: (400) Bad Request. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.GetTask1.d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.ServiceBus.Messaging.ServiceBusResourceOperations.RetryResourceTask`1.d__34.MoveNext()
--- End of inner exception stack trace ---
at ServiceBusExplorer.ServiceBusHelper.GetTopicUsingEntityPath(Int32 timeoutInSeconds) in D:\a\ServiceBusExplorer\ServiceBusExplorer\src\Common\Helpers\ServiceBusHelper.cs:line 1779
at ServiceBusExplorer.ServiceBusHelper.GetTopics(String filter, Int32 timeoutInSeconds) in D:\a\ServiceBusExplorer\ServiceBusExplorer\src\Common\Helpers\ServiceBusHelper.cs:line 1754
at ServiceBusExplorer.Forms.MainForm.d__320.MoveNext() in D:\a\ServiceBusExplorer\ServiceBusExplorer\src\ServiceBusExplorer\Forms\MainForm.cs:line 4397

Kindly please update.
Thanks
Ranjit

[ErikMogensen]

That's a big error message!

It may require the Manage permission. Have you tried with that? Also you can remove the services you are not interested in by deselecting them on the Options settings.

[rsingh41]

Hi Erik,

Thank you for your response.
I can confirm that I can connect to individual topics with manage permissions. Howerver we don't want the users to manage the topics. So ideally we dont want to give manage permissions to users. Is that possible?

Look forward to a response.

Kind Regards
Ranjit

[dbzowkakpmguk]

Would be nice if it can work with AAD user name. Is it on your roadmap?

[ErikMogensen]

I can confirm that I can connect to individual topics with manage permissions.

Great!

I can confirm that I can connect to individual topics with manage permissions. Howerver we don't want the users to manage the topics. So ideally we dont want to give manage permissions to users. Is that possible?

I don't know, you have to try. If it does not work, it may be possible to fix. However, to get it fixed within a reasonable timeframe you probably have to do it yourself.

[ErikMogensen]

Would be nice if it can work with AAD user name.

Agree.

Is it on your roadmap?

That is something we would like to see, but it is driven by voluntary efforts so...

[madmalkav]

I can confirm that I can connect to individual topics with manage permissions.

Great!

I can confirm that I can connect to individual topics with manage permissions. Howerver we don't want the users to manage the topics. So ideally we dont want to give manage permissions to users. Is that possible?

I don't know, you have to try. If it does not work, it may be possible to fix. However, to get it fixed within a reasonable timeframe you probably have to do it yourself.

I can think at least a good scenario for this to be implement and used instead of AAD roles: to prevent hitting the RBAC limit on a subscription when you have namespaces with many objects.