powershell - Generate SAS token for azure service bus queue/topic using New-AzServiceBusAuthorizationRuleSASToken

Question

I have the below code to get the authorization ids of the Service bus and Queue separately

$auth_Ids = (Get-AzServiceBusAuthorizationRule -ResourceGroupName $ResourceGroupName -NamespaceName $NamespaceName).Id
$auth_Id = ($auth_Ids[1] | Out-String)

Running the above gives me Service Bus SAS Policy authorization Id

/subscriptions/XXX/resourcegroups/YYY/providers/Microsoft.ServiceBus/namespaces/YYY-asb/authorizationrules/SASPolicy

Now to get the queue auth id

$qauth_Id = (Get-AzServiceBusAuthorizationRule -ResourceGroupName $ResourceGroupName -NamespaceName $NamespaceName -QueueName $QueueName).Id

Running the above gives me QUEUE SAS Policy authorization Id

/subscriptions/XXX/resourcegroups/YYY/providers/Microsoft.ServiceBus/namespaces/YYY-asb/queues/qname/authorizationrules/Policy

Only difference between the auth_ids is queues/qname/

Now when I call the New-AzServiceBusAuthorizationRuleSASToken to generate a SAS Token the call with queue auth_id works.

This works (qauth_id from queue)

$sastoken = (New-AzServiceBusAuthorizationRuleSASToken -AuthorizationRuleId $qauth_Id -KeyType $PolicyName -ExpiryTime $endtime).SharedAccessSignature 

This doesn't (auth_id from service bus)

$sastoken = (New-AzServiceBusAuthorizationRuleSASToken -AuthorizationRuleId $auth_Id -KeyType $PolicyName -ExpiryTime $endtime).SharedAccessSignature

Unexpected character encountered while parsing value: <. Path '', line | 0, position 0.

I am not sure how to get SAS token to the service bus itself rather than the queue/topic. Do I have to create SAS Policy on each queue or topic to get the SAS token or the SAS Policy at the service bus level is sufficient?

Answer 1

Unexpected character encountered while parsing value: <. Path '', line | 0, position 0.

The error may be you are passing the AuthorizationruleId Incorrect format in the New-AzServiceBusAuthorizationRuleSASToken command.

First I tried AuthorizationruleId with the below command:

$auth_Ids = (Get-AzServiceBusAuthorizationRule -ResourceGroupName xxxx -NamespaceName xxxxx.Id
$auth_Id = ($auth_Ids[1])
$auth_Id

Output:

 /subscriptions/xxxxxx/resourcegroups/xxxxxx/providers/Microsoft.ServiceBus/namespaces/sxxxxxx/authorizationrules/saspolicy

Now I tried with the below command to create an SAS token using the above auth_Id

Command:

$StartTime = Get-Date
$EndTime = $StartTime.AddHours(2.0)
$sastoken = (New-AzServiceBusAuthorizationRuleSASToken -AuthorizationRuleId $auth_Id -KeyType saspolicy -ExpiryTime $EndTime).SharedAccessSignature
$sastoken

Output:

 sr=xxxxx.servicebus.windows.net%2f&sig=%2fl5%2f0Xl9ZAgQ1X1tm98Pb47rqFSP0wJ%2fWBlLrxh9ubA%3d&se=1698853532&skn=saspolicy

Total output:

PS /home/xxxx> $auth_Ids = (Get-AzServiceBusAuthorizationRule -ResourceGroupName xxxx -NamespaceName xxxx).Id
PS /home/xxxx> $auth_Id = ($auth_Ids[1])             
PS /home/xxxx> $auth_Id
/subscriptions/xxxx/resourcegroups/xxxxx/providers/Microsoft.ServiceBus/namespaces/xxxxx/authorizationrules/saspolicy
PS /home/xxxx> $StartTime = Get-Date
PS /home/xxxx> $EndTime = $StartTime.AddHours(2.0)
PS /home/xxxx> $sastoken = (New-AzServiceBusAuthorizationRuleSASToken -AuthorizationRuleId $auth_Id -KeyType saspolicy -ExpiryTime $EndTime).SharedAccessSignature
PS /home/xxxx> $sastoken
 sr=sxxxxx.servicebus.windows.net%2f&sig=%2fl5%2f0xxxxxxxx7rqFSP0wJ%2fWBlLrxh9ubA%3d&se=1698853532&skn=saspolicy
PS /home/xxxx> 
 

The above command executes and creates the SAS token at the namespace level.

Reference:

New-AzServiceBusAuthorizationRuleSASToken (Az.ServiceBus) | Microsoft Learn