diff --git a/scenarios/jwt_authentication/README.md b/scenarios/jwt_authentication/README.md index 065f71f..c10e699 100644 --- a/scenarios/jwt_authentication/README.md +++ b/scenarios/jwt_authentication/README.md 
@@ -1,19 +1,10 @@ # :point_right: JWT Authentication to Event Grid -| [Create the Client Certificate](#lock-create-the-client-certificate) | [Configure Event Grid Namespaces](#triangular_ruler-configure-event-grid-namespaces) | [Configure Mosquitto](#fly-configure-mosquitto) | [Run the Sample](#game_die-run-the-sample) | + [Configure Event Grid Namespaces](#triangular_ruler-configure-event-grid-namespaces) | [Run the Sample](#game_die-run-the-sample) | -This scenario showcases how to authenticate to Azure Event Grid via JWT authentication using MQTT 5. This scenario is identical to `getting_started` in functionality. +This scenario showcases how to authenticate to Azure Event Grid via JWT authentication using MQTT 5. This scenario is identical to `getting_started` in functionality. -The sample provides step by step instructions on how to perform following tasks: - -- Create the resources including client, topic spaces, permission bindings -- Use $all client group, which is the default client group with all the clients in a namespace, to authorize publish and subscribe access in permission bindings -- Create a custom role assignment on the Azure Portal to access Event Grid via Json Web Token (JWT) authentication. -- Create a JWT, which is used to authenticate to Event Grid. -- Connect with MQTT 5.0.0 - - Configure connection settings such as KeepAlive and CleanSession -- Publish messages to a topic -- Subscribe to a topic to receive messages +JWT authentication is documented in [Microsoft Entra JWT authentication and Azure RBAC authorization to publish or subscribe MQTT messages](https://learn.microsoft.com/en-us/azure/event-grid/mqtt-client-microsoft-entra-token-and-rbac) from Event Grid documentation. To keep the scenario simple, a single client called "sample_client" publishes and subscribes to MQTT messages on topics shown in the table. 
@@ -25,39 +16,43 @@ To keep the scenario simple, a single client called "sample_client" publishes an ## Prerequisites This sample involves configuring Event Grid per the specifications in [getting_started](../getting_started). If that sample has not already been set up and run, it should be done before moving onto this one. -## :lock: Configure the Json Web Token and AAD Role Assignments - -1. Modify the following JSON snippet by adding an Azure subscription Id: - -```json -{ - "properties": { - "roleName": "Event Grid Pub-Sub", - "description": "communicate with Event Grid.", - "assignableScopes": [ - "/subscriptions/" - ], - "permissions": [ - { - "actions": [], - "notActions": [], - "dataActions": [ - "Microsoft.EventGrid/*" - ], - "notDataActions": [] - } - ] - } -} +## 🔒 Create an Identity in Microsoft Entra ID + +Event Grid namespaces supports JWT authentication for Managed Identities and Service principals only: + +- **Managed Identity**. You can use a [Managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) provided by many Azure services, such as Azure Container Apps, Azure Container Instances, Azure Kubernetes Services or Azure Web Apps, full list is available [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). + +- **Service Principal**. You can create your own [Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) by creating an Application Registration in Microsoft Entra ID. + +To create the service principal and the secret using the Azure CLI: + +```bash +clientId=(az ad app create --display-name "MyMqttApp" -query AppId -o tsv) + +az ad app credential reset --id $clientId --append ``` -2. Copy the modified snippet and save it locally. -3. In the Azure portal, go to your Resource Group that contains Event Grid and open the Access control (IAM) page. -4. 
Click Add and then click Add custom role. This opens the custom roles editor. -5. On the `Basics` tab, select `Start from JSON`, and upload the modified JSON file you saved locally. -6. Select the `Review and Create` tab and then `Create`. -7. **NOTE:** It is possible that your Azure account may not have room for more custom role assignments. In this instance the current workaround is to create a free Azure account and complete this process while logged in from there. -## :triangular_ruler: Configure Event Grid Namespaces (Skip if [getting_started](../getting_started) has already been properly configured) +## Assign RBAC permissions + +In Azure EventGrid Namespaces, assign permissions to the Microsoft Entra ID identity using the roles "Event Grid Topic Spaces Publisher/Subscriber" + +```bash +# from the root folder +source az.env + +az role assigment create \ + --assignee $clientId \ + --role "EventGrid TopicSpaces Publisher" \ + --scope $res_id + +az role assigment create \ + --assignee $clientId \ + --role "EventGrid TopicSpaces Subscriber" \ + --scope $res_id +``` + + +## 📐 Configure Event Grid Namespaces (Skip if [getting_started](../getting_started) has already been properly configured) Ensure to create an Event Grid namespace by following the steps in [setup](../setup). Event Grid namespace requires registering the client, and the topic spaces to authorize the publish/subscribe permissions. 
@@ -66,6 +61,7 @@ Ensure to create an Event Grid namespace by following the steps in [setup](../se We will use the SubjectMatchesAuthenticationName validation scheme for `sample_client`. Instructions for how to do this can be found in [getting_started](../getting_started). If this has already been done once, it does not have to be done again (unless using a different Azure account). ### Create topic spaces and permission bindings + Run the commands to create the "samples" topic space, and the two permission bindings that provide publish and subscribe access to $all client group on the samples topic space. As for above, the instructions to do this are part of [getting_started](../getting_started) and do not have to be repeated if they have already been done in the Azure account being used to run this sample. ## :game_die: Run the Sample
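Review bot: the rewritten navigation row in the first hunk, `+ [Configure Event Grid Namespaces](#triangular_ruler-configure-event-grid-namespaces) | [Run the Sample](#game_die-run-the-sample) |`, drops the leading `|`, so it no longer renders as a table row, and it does not link the two sections this patch adds (Create an Identity in Microsoft Entra ID, Assign RBAC permissions). Its `#triangular_ruler-...` anchor also stops resolving once the heading changes from `:triangular_ruler:` to the literal 📐 emoji, because the heading slug is derived from the shortcode text; the same applies to `🔒` replacing `:lock:` while `:game_die:` is left as a shortcode. Suggest restoring the leading pipe, keeping the shortcode style the rest of the README uses, and adding nav entries for the new sections.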
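Review bot: the service-principal snippet in the second hunk does not run as written: `clientId=(az ad app create --display-name "MyMqttApp" -query AppId -o tsv)` uses `(...)` instead of `$(...)` for command substitution, `-query` needs two dashes, and the JMESPath key is `appId` (case-sensitive), so `clientId=$(az ad app create --display-name "MyMqttApp" --query appId -o tsv)` is needed. `az ad app create` only registers the application; the two `az role assigment create` calls (also misspelled, should be `assignment`) need a service principal in the tenant to resolve `--assignee $clientId`, so add `az ad sp create --id $clientId` before them. The prose names the roles "Event Grid Topic Spaces Publisher/Subscriber" while the commands pass "EventGrid TopicSpaces Publisher"/"EventGrid TopicSpaces Subscriber"; role lookup by name is exact, so the text should match the command spelling. `az ad app credential reset --id $clientId --append` prints the new secret once and nothing captures it, although the reader needs it (and the tenant id) to obtain the JWT later; consider `--query password -o tsv` into a variable and a sentence saying the value is shown only once. Minor: "namespaces supports" should be "support", and the "full list is available here" clause reads better as its own sentence.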