diff --git a/sdk/eventgrid/eventgrid/CHANGELOG.md b/sdk/eventgrid/eventgrid/CHANGELOG.md
index 42cc86543530..3c7098077a08 100644
--- a/sdk/eventgrid/eventgrid/CHANGELOG.md
+++ b/sdk/eventgrid/eventgrid/CHANGELOG.md
@@ -3,8 +3,13 @@
 ## 4.4.0 (Unreleased)
 ### Features Added
+
 - With the dropping of support for Node.js versions that are no longer in LTS, the dependency on `@types/node` has been updated to version 12. Read our [support policy](https://github.com/Azure/azure-sdk-for-js/blob/main/SUPPORT.md) for more details.
+- `EventGridPublisherClient` now supports Azure Active Directory (AAD) for authentication. When constructing an `EventGridPublisherClient` you may now pass an instance
+  of a `TokenCredential` as the credential. See the readme for [`@azure/identity`](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity) to learn
+  more about using Azure Active Directory for authentication.
+
 ### Breaking Changes
 ### Key Bugs Fixed
diff --git a/sdk/eventgrid/eventgrid/README.md b/sdk/eventgrid/eventgrid/README.md
index c3ee14fe1be4..2aa4f8bbe8af 100644
--- a/sdk/eventgrid/eventgrid/README.md
+++ b/sdk/eventgrid/eventgrid/README.md
@@ -110,6 +110,27 @@ const token = generateSharedAccessSignature( ); ``` +#### Using Azure Active Directory (AAD) + +Azure EventGrid provides integration with Azure Active Directory (Azure AD) for identity-based authentication of requests. With Azure AD, you can use role-based access control (RBAC) to grant access to your Azure Event Grid resources to users, groups, or applications. + +To send events to a topic or domain with a `TokenCredential`, the authenticated identity should have the "EventGrid Data Sender" role assigned. + +With the `@azure/identity` package, you can seamlessly authorize requests in both development and production environments. To learn more about Azure Active Directory, see the [`@azure/identity` README](https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/README.md). + +For example, use can use `DefaultAzureCredential` to construct a client which will authenticate using Azure Active Directory: + +```js +const { EventGridPublisherClient } = require("@azure/eventgrid"); +const { DefaultAzureCredential } = require("@azure/identity"); + +const client = new EventGridPublisherClient( + "", + "", + new DefaultAzureCredential() +); +``` + ## Key concepts ### EventGridPublisherClient diff --git a/sdk/eventgrid/eventgrid/review/eventgrid.api.md b/sdk/eventgrid/eventgrid/review/eventgrid.api.md index 5adfbba2e51b..eb92bddd0ae0 100644 --- a/sdk/eventgrid/eventgrid/review/eventgrid.api.md +++ b/sdk/eventgrid/eventgrid/review/eventgrid.api.md @@ -10,6 +10,7 @@ import { CommonClientOptions } from '@azure/core-client'; import { KeyCredential } from '@azure/core-auth'; import { OperationOptions } from '@azure/core-client'; import { SASCredential } from '@azure/core-auth'; +import { TokenCredential } from '@azure/core-auth'; // @public export interface AcsChatEventBase { 
@@ -400,7 +401,7 @@ export interface EventGridEvent {
 // @public
 export class EventGridPublisherClient {
-    constructor(endpointUrl: string, inputSchema: T, credential: KeyCredential | SASCredential, options?: EventGridPublisherClientOptions);
+    constructor(endpointUrl: string, inputSchema: T, credential: KeyCredential | SASCredential | TokenCredential, options?: EventGridPublisherClientOptions);
     readonly apiVersion: string;
     readonly endpointUrl: string;
     send(events: InputSchemaToInputTypeMap[T][], options?: SendOptions): Promise;
diff --git a/sdk/eventgrid/eventgrid/src/constants.ts b/sdk/eventgrid/eventgrid/src/constants.ts
index 86ca700d691f..259798cab767 100644
--- a/sdk/eventgrid/eventgrid/src/constants.ts
+++ b/sdk/eventgrid/eventgrid/src/constants.ts
@@ -3,3 +3,4 @@
 export const SDK_VERSION: string = "4.4.0";
 export const DEFAULT_API_VERSION = "2018-01-01";
+export const DEFAULT_EVENTGRID_SCOPE = "https://eventgrid.azure.net/.default";
diff --git a/sdk/eventgrid/eventgrid/src/eventGridClient.ts b/sdk/eventgrid/eventgrid/src/eventGridClient.ts
index d2db9cf008d1..1540986ebbc5 100644
--- a/sdk/eventgrid/eventgrid/src/eventGridClient.ts
+++ b/sdk/eventgrid/eventgrid/src/eventGridClient.ts
@@ -1,11 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { KeyCredential, SASCredential } from "@azure/core-auth";
+import { isTokenCredential, KeyCredential, SASCredential } from "@azure/core-auth";
 import { OperationOptions, CommonClientOptions } from "@azure/core-client";
 import { eventGridCredentialPolicy } from "./eventGridAuthenticationPolicy";
-import { SDK_VERSION } from "./constants";
+import { SDK_VERSION, DEFAULT_EVENTGRID_SCOPE } from "./constants";
 import {
   SendCloudEventInput,
   SendEventGridEventInput,
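Review bot: `DEFAULT_EVENTGRID_SCOPE` pins the AAD token audience to `https://eventgrid.azure.net/.default`, which is the public-cloud resource URI, and nothing in this change lets a caller override it. A client pointed at an Event Grid endpoint in a sovereign cloud (Azure Government, Azure China) would presumably request a token for the wrong audience and have every `send()` rejected, with no hint in the code why. At minimum document the assumption on the constant: `// Default AAD scope for Event Grid in the Azure public cloud; sovereign clouds use a different resource URI.` Better, let `EventGridPublisherClientOptions` carry an `audience`/scope override so this constant is only the fallback.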
@@ -20,6 +20,8 @@ import { cloudEventDistributedTracingEnricherPolicy } from "./cloudEventDistrubt
 import { createSpan } from "./tracing";
 import { SpanStatusCode } from "@azure/core-tracing";
 import { v4 as uuidv4 } from "uuid";
+import { TokenCredential } from "@azure/core-auth";
+import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
 /**
  * Options for the Event Grid Client.
@@ -101,7 +103,7 @@ export class EventGridPublisherClient {
   constructor(
     endpointUrl: string,
     inputSchema: T,
-    credential: KeyCredential | SASCredential,
+    credential: KeyCredential | SASCredential | TokenCredential,
     options: EventGridPublisherClientOptions = {}
   ) {
     this.endpointUrl = endpointUrl;
@@ -121,7 +123,11 @@ export class EventGridPublisherClient {
     }
     this.client = new GeneratedClient(pipelineOptions);
-    const authPolicy = eventGridCredentialPolicy(credential);
+
+    const authPolicy = isTokenCredential(credential)
+      ? bearerTokenAuthenticationPolicy({ credential, scopes: DEFAULT_EVENTGRID_SCOPE })
+      : eventGridCredentialPolicy(credential);
+
     this.client.pipeline.addPolicy(authPolicy);
     this.client.pipeline.addPolicy(cloudEventDistributedTracingEnricherPolicy());
     this.apiVersion = this.client.apiVersion;
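Review bot: The added `import { TokenCredential } from "@azure/core-auth";` duplicates a module the file already imports from: the hunk at the top of this same file extends an existing `@azure/core-auth` import with `isTokenCredential`. Fold the type into that line, `import { isTokenCredential, KeyCredential, SASCredential, TokenCredential } from "@azure/core-auth";`, so the credential guard and the credential type are not split across the import block. Landing the new lines after the `uuid` import rather than with the other `@azure/*` imports is a style nit only.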
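Review bot: The widened `credential` parameter is not documented anywhere in this hunk, and a `TokenCredential` carries different operational requirements than a key or SAS: the README hunk in this change says the identity needs the "EventGrid Data Sender" role, and constants.ts shows the token is requested for the service-wide scope `https://eventgrid.azure.net/.default` rather than for this particular endpoint. The constructor's TSDoc, which sits above the hunk if the file has one, should carry that; suggested `@param credential` wording: `A KeyCredential or SASCredential for the topic's access key or SAS, or a TokenCredential (for example from @azure/identity) whose identity has the EventGrid Data Sender role; with a TokenCredential the token is acquired for the Event Grid service scope, not for this endpoint specifically.` The constructor body continues outside the hunk.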
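Review bot: With a `TokenCredential` the bearer token, acquired for the service-wide `DEFAULT_EVENTGRID_SCOPE`, is attached to whatever `endpointUrl` the caller supplied, and nothing in the constructor inspects that URL before the policy is installed; a misconfigured or attacker-influenced plain-`http://` endpoint would expose a token usable against every Event Grid topic the identity can send to, a wider blast radius than a leaked per-topic key or SAS. `bearerTokenAuthenticationPolicy` may already refuse non-TLS URLs at send time, but that surfaces only on the first `send()`, so failing fast here is cheap: `if (isTokenCredential(credential) && !/^https:\/\//i.test(endpointUrl)) { throw new Error("EventGridPublisherClient: a TokenCredential requires an https endpointUrl."); }` placed just before `const authPolicy`. Hoisting `isTokenCredential(credential)` into a local would let the same guard drive both this check and the ternary. The constructor begins outside this hunk.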