Streaming analytics job can't connect to Azure Event Hub input when using user assigned managed identity.

byzantium 20 Reputation points
2024-10-10T15:10:49.6566667+00:00

I am trying to use an Azure event hub as an input for a streaming analytics (SA) job. I want to use a user-assigned managed identity for the SA job. I followed the directions in this documentation: https://learn.microsoft.com/en-us/azure/stream-analytics/event-hubs-managed-identity

When I test the connection to the event hub I get this error:

Permission was granted to the job, but test connection failed. If the error is due to missing permissions please try again in a few minutes. Access to EventHub sb://my-eventhubns.servicebus.windows.net/my-eventhub is not authorized.

Exception Ip has been prevented to connect to the endpoint.

Things tried:

  1. Assigned data receiver role to user assigned managed identity in event hub. Then assigned managed identity to SA job. After creating SA job input, the permission did not propagate in 24 hours.
  2. Also tried assigning the event hub owner, and namespace hubs owner roles. None of these propagated either.
  3. If I switch the SA job to use a system assigned managed identity, then I can establish a connection to the event hub. It takes a minute or so to propagate.

Other context:

My event hub namespace networking is set up to allow access to "selected networks", and "Allow trusted Microsoft services to bypass this firewall?" is set to "Yes".

What configuration do I need to use a user assigned managed identity for a SA job to connect with event hub? Is this supported?

Azure Event Hubs
An Azure real-time data ingestion service.
Azure Stream Analytics
An Azure real-time analytics service designed for mission-critical workloads.

Accepted answer
  1. PRADEEPCHEEKATLA-MSFT 89,816 Reputation points Microsoft Employee
    2024-10-11T04:33:53.3033333+00:00

    @byzantium - Thanks for the question and using MS Q&A platform.

    Based on the error message you received, it seems like the permission for the managed identity to access the Event Hub is not yet propagated. You mentioned that you have assigned the data receiver role to the user-assigned managed identity in the Event Hub and then assigned the managed identity to the SA job. However, the permission did not propagate in 24 hours. You also tried assigning the Event Hub owner and namespace hubs owner roles, but none of these propagated either.

    When you switch the SA job to use a system-assigned managed identity, you can establish a connection to the Event Hub, but it takes a minute or so to propagate. This suggests that the issue might be related to the user-assigned managed identity.

    To use a user-assigned managed identity for a SA job to connect with an Event Hub, you need to make sure that the managed identity has the necessary permissions to access the Event Hub. You can assign the "Azure Event Hubs Data Receiver" role to the managed identity at the Event Hub level or at the Event Hub namespace level.

    If you have already assigned the role to the managed identity at the Event Hub level and it has not propagated, you can try assigning the role at the namespace level instead. This will propagate the permission to all Event Hubs created under the namespace.

    Once you have assigned the role to the managed identity, you can then assign the managed identity to the SA job. After creating the SA job input, the permission should propagate within a few minutes.

    By following the steps mentioned in the official document, Use managed identities to access Event Hubs from an Azure Stream Analytics job, we were able to connect successfully, as shown below:

    [User's image]

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
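
An added example, not part of the original answer or of Microsoft's documentation: a Python check of whether a list of role assignments (in the shape `az role assignment list` returns: `principalId`, `roleDefinitionName`, `scope`) gives an identity a receive role whose scope covers the event hub, either at hub level or inherited from the namespace or above. The subscription, resource group and principal IDs are constructed placeholders; the namespace and event hub names come from the error message in the question.

```python
# Built-in data-plane roles that allow receiving events.
RECEIVE_ROLES = {"azure event hubs data receiver", "azure event hubs data owner"}

def scope_covers(scope, resource_id):
    """True if a role assigned at `scope` is inherited by `resource_id`.
    ARM IDs are case-insensitive; management-group scopes are not handled."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    # Match on a path-segment boundary so ".../my-eventhubns" != ".../my-eventhubns2".
    return r == s or r.startswith(s + "/")

def receive_assignments(assignments, principal_id, eventhub_id):
    """Assignments that let `principal_id` receive from `eventhub_id`."""
    return [a for a in assignments
            if a.get("principalId", "").lower() == principal_id.lower()
            and a.get("roleDefinitionName", "").lower() in RECEIVE_ROLES
            and scope_covers(a.get("scope", ""), eventhub_id)]

# Constructed sample data (placeholder subscription, resource group, principal IDs).
NS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
      "/providers/Microsoft.EventHub/namespaces/my-eventhubns")
HUB = NS + "/eventhubs/my-eventhub"
UAMI = "11111111-1111-1111-1111-111111111111"  # user-assigned identity principal ID
SYS = "22222222-2222-2222-2222-222222222222"   # system-assigned identity principal ID

SAMPLE = [
    # Receive role, but on a different event hub in the same namespace.
    {"principalId": UAMI, "roleDefinitionName": "Azure Event Hubs Data Receiver",
     "scope": NS + "/eventhubs/other-hub"},
    # Receive role on a different namespace whose name shares a prefix.
    {"principalId": UAMI, "roleDefinitionName": "Azure Event Hubs Data Receiver",
     "scope": NS + "2"},
    # Right scope, but the role is not in RECEIVE_ROLES.
    {"principalId": UAMI, "roleDefinitionName": "Contributor", "scope": NS},
    # Namespace-level receive role, scope in different casing.
    {"principalId": SYS, "roleDefinitionName": "Azure Event Hubs Data Receiver",
     "scope": NS.upper()},
]

if __name__ == "__main__":
    for name, pid in (("user-assigned", UAMI), ("system-assigned", SYS)):
        hits = receive_assignments(SAMPLE, pid, HUB)
        print(name, "->", [h["scope"] for h in hits] or "no receive role covers the event hub")
```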

