Merge pull request #221049 from alexwolfmsft/storage-queues-passwordless

v-stsavell · web-flow · commit 27ff78c7b732 · 2022-12-14T15:59:02.000-06:00
first draft
diff --git a/articles/storage/queues/storage-quickstart-queues-dotnet.md b/articles/storage/queues/storage-quickstart-queues-dotnet.md
@@ -1,21 +1,21 @@
 ---
-title: "Quickstart: Azure Queue Storage client library v12 - .NET"
-description: Learn how to use the Azure Queue Storage client library v12 for .NET to create a queue and add messages to the queue. Next, you learn how to read and delete messages from the queue. You'll also learn how to delete a queue.
+title: "Quickstart: Azure Queue Storage client library - .NET"
+description: Learn how to use the Azure Queue Storage client library for .NET to create a queue and add messages to the queue. Next, you learn how to read and delete messages from the queue. You'll also learn how to delete a queue.
 author: normesta
 ms.author: normesta
 ms.date: 07/24/2020
 ms.topic: quickstart
 ms.service: storage
 ms.subservice: queues
 ms.devlang: csharp
-ms.custom: devx-track-csharp, mode-api
+ms.custom: devx-track-csharp, mode-api, passwordless-dotnet
 ---
 
-# Quickstart: Azure Queue Storage client library v12 for .NET
+# Quickstart: Azure Queue Storage client library for .NET
 
 Get started with the Azure Queue Storage client library version 12 for .NET. Azure Queue Storage is a service for storing large numbers of messages for later retrieval and processing. Follow these steps to install the package and try out example code for basic tasks.
 
-Use the Azure Queue Storage client library v12 for .NET to:
+Use the Azure Queue Storage client library for .NET to:
 
 - Create a queue
 - Add messages to a queue
@@ -40,22 +40,22 @@ Additional resources:
 
 ## Setting up
 
-This section walks you through preparing a project to work with the Azure Queue Storage client library v12 for .NET.
+This section walks you through preparing a project to work with the Azure Queue Storage client library for .NET.
 
 ### Create the project
 
-Create a .NET Core application named `QueuesQuickstartV12`.
+Create a .NET Core application named `QueuesQuickstart`.
 
-1. In a console window (such as cmd, PowerShell, or Bash), use the `dotnet new` command to create a new console app with the name `QueuesQuickstartV12`. This command creates a simple "hello world" C# project with a single source file named `Program.cs`.
+1. In a console window (such as cmd, PowerShell, or Bash), use the `dotnet new` command to create a new console app with the name `QueuesQuickstart`. This command creates a simple "hello world" C# project with a single source file named `Program.cs`.
 
    ```console
-   dotnet new console -n QueuesQuickstartV12
+   dotnet new console -n QueuesQuickstart
    ```
 
-1. Switch to the newly created `QueuesQuickstartV12` directory.
+1. Switch to the newly created `QueuesQuickstart` directory.
 
    ```console
-   cd QueuesQuickstartV12
+   cd QueuesQuickstart
    ```
 
 ### Install the package
@@ -68,14 +68,9 @@ dotnet add package Azure.Storage.Queues
 
 ### Set up the app framework
 
-From the project directory:
-
-1. Open the `Program.cs` file in your editor
-1. Remove the `Console.WriteLine("Hello, World");` statement
-1. Add `using` directives
-1. Update the `Main` method declaration to [support async code](/dotnet/csharp/whats-new/csharp-7#async-main)
-
-Here's the code:
+1. Open the project in your editor of choice
+1. Open the `program.cs` file
+1. Update the existing code to match the following:
 
 ```csharp
 using Azure;
@@ -84,19 +79,26 @@ using Azure.Storage.Queues.Models;
 using System;
 using System.Threading.Tasks;
 
-namespace QueuesQuickstartV12
-{
-    class Program
-    {
-        static async Task Main(string[] args)
-        {
-        }
-    }
-}
+Console.WriteLine("Hello, World!");
+
 ```
 
+## Authenticate to Azure
+
+[!INCLUDE [passwordless-overview](../../../includes/passwordless/passwordless-overview.md)]
+
+## [Passwordless (Recommended)](#tab/passwordless)
+
+[!INCLUDE [dotnet-default-azure-credential-overview](../../../includes/passwordless/dotnet-default-azure-credential-overview.md)]
+
+[!INCLUDE [storage-queues-create-assign-roles](../../../includes/passwordless/storage-queues/storage-queues-assign-roles.md)]
+
+## [Connection String](#tab/connection-string)
+
 [!INCLUDE [storage-quickstart-credentials-include](../../../includes/storage-quickstart-credentials-include.md)]
 
+---
+
 ## Object model
 
 Azure Queue Storage is a service for storing large numbers of messages. A queue message can be up to 64 KB in size. A queue may contain millions of messages, up to the total capacity limit of a storage account. Queues are commonly used to create a backlog of work to process asynchronously. Queue Storage offers three types of resources:
@@ -119,23 +121,71 @@ Use the following .NET classes to interact with these resources:
 
 These example code snippets show you how to perform the following actions with the Azure Queue Storage client library for .NET:
 
-- [Get the connection string](#get-the-connection-string)
-- [Create a queue](#create-a-queue)
+- [Authenticate and create the client](#add-the-azure-identity-client-library)
+- [Create a queue](#create-a-queue-using-the-queueclient)
 - [Add messages to a queue](#add-messages-to-a-queue)
 - [Peek at messages in a queue](#peek-at-messages-in-a-queue)
 - [Update a message in a queue](#update-a-message-in-a-queue)
 - [Receive messages from a queue](#receive-messages-from-a-queue)
 - [Delete messages from a queue](#delete-messages-from-a-queue)
 - [Delete a queue](#delete-a-queue)
 
+## [Passwordless (Recommended)](#tab/passwordless)
+
+### Add the Azure Identity client library
+
+[!INCLUDE [default-azure-credential-sign-in](../../../includes/passwordless/default-azure-credential-sign-in.md)]
+
+You can authenticate a `QueueClient` to Storage Queue using `DefaultAzureCredential` by adding the `Azure.Identity` NuGet package to your application. `DefaultAzureCredential` will automatically discover and use the account you signed-in with in the previous step.
+
+```dotnetcli
+dotnet add package Azure.Identity
+```
+
+At the top of the `Program.cs` file, add a using directive for the `Azure.Identity` namespace.
+
+```csharp
+using Azure.Identity
+```
+
+### Create a queue using the QueueClient
+
+Decide on a name for the new queue. The following code appends a GUID value to the queue name to ensure that it's unique.
+
+> [!IMPORTANT]
+> Queue names may only contain lowercase letters, numbers, and hyphens, and must begin with a letter or a number. Each hyphen must be preceded and followed by a non-hyphen character. The name must also be between 3 and 63 characters long. For more information, see [Naming queues and metadata](/rest/api/storageservices/naming-queues-and-metadata).
+
+Create an instance of the [`QueueClient`](/dotnet/api/azure.storage.queues.queueclient) class. Then, call the [`CreateAsync`](/dotnet/api/azure.storage.queues.queueclient.createasync) method to create the queue in your storage account.
+
+Add the code below to the end of the `Program.cs` file. Make sure to replace the `"<your-storage-account-name>` placeholder value.
+
+```csharp
+// Create a unique name for the queue
+// TODO: Replace the <your-storage-account-name> placeholder 
+string queueName = "quickstartqueues-" + Guid.NewGuid().ToString();
+string storageAccountName = "<your-storage-account-name>";
+
+Console.WriteLine($"Creating queue: {queueName}");
+
+// Instantiate a QueueClient to create and manipulate the queue
+QueueClient queueClient = new QueueClient(
+    new Uri($"https://{storageAccountName}.queue.core.windows.net/{queueName}"),
+    new DefaultAzureCredential());
+
+// Create the queue
+await queueClient.CreateAsync();
+```
+
+## [Connection String](#tab/connection-string)
+
 ### Get the connection string
 
 The following code retrieves the connection string for the storage account. The connection string is stored in the environment variable created in the [Configure your storage connection string](#configure-your-storage-connection-string) section.
 
-Add this code inside the `Main` method:
+Add this code to the end of the `Program.cs` file:
 
 ```csharp
-Console.WriteLine("Azure Queue Storage client library v12 - .NET quickstart sample\n");
+Console.WriteLine("Azure Queue Storage client library - .NET quickstart sample\n");
 
 // Retrieve the connection string for use with the application. The storage
 // connection string is stored in an environment variable called
@@ -146,7 +196,7 @@ Console.WriteLine("Azure Queue Storage client library v12 - .NET quickstart samp
 string connectionString = Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING");
 ```
 
-### Create a queue
+### Create a queue using the QueueClient
 
 Decide on a name for the new queue. The following code appends a GUID value to the queue name to ensure that it's unique.
 
@@ -155,7 +205,7 @@ Decide on a name for the new queue. The following code appends a GUID value to t
 
 Create an instance of the [`QueueClient`](/dotnet/api/azure.storage.queues.queueclient) class. Then, call the [`CreateAsync`](/dotnet/api/azure.storage.queues.queueclient.createasync) method to create the queue in your storage account.
 
-Add this code to the end of the `Main` method:
+Add this code to the end of the `Program.cs` file:
 
 ```csharp
 // Create a unique name for the queue
@@ -171,11 +221,16 @@ QueueClient queueClient = new QueueClient(connectionString, queueName);
 await queueClient.CreateAsync();
 ```
 
+> [!IMPORTANT]
+> The account access key should be used with caution. If your account access key is lost or accidentally placed in an insecure location, your service may become vulnerable. Anyone who has the access key is able to authorize requests against the storage account, and effectively has access to all the data. `DefaultAzureCredential` provides enhanced security features and benefits and is the recommended approach for managing authorization to Azure services
+
+---
+
 ### Add messages to a queue
 
 The following code snippet asynchronously adds messages to queue by calling the [`SendMessageAsync`](/dotnet/api/azure.storage.queues.queueclient.sendmessageasync) method. It also saves a [`SendReceipt`](/dotnet/api/azure.storage.queues.models.sendreceipt) returned from a `SendMessageAsync` call. The receipt is used to update the message later in the program.
 
-Add this code to the end of the `Main` method:
+Add this code to the end of the `Program.cs` file:
 
 ```csharp
 Console.WriteLine("\nAdding messages to the queue...");
@@ -192,7 +247,7 @@ SendReceipt receipt = await queueClient.SendMessageAsync("Third message");
 
 Peek at the messages in the queue by calling the [`PeekMessagesAsync`](/dotnet/api/azure.storage.queues.queueclient.peekmessagesasync) method. This method retrieves one or more messages from the front of the queue but doesn't alter the visibility of the message.
 
-Add this code to the end of the `Main` method:
+Add this code to the end of the `Program.cs` file:
 
 ```csharp
 Console.WriteLine("\nPeek at the messages in the queue...");
@@ -222,7 +277,7 @@ await queueClient.UpdateMessageAsync(receipt.MessageId, receipt.PopReceipt, "Thi
 
 Download previously added messages by calling the [`ReceiveMessagesAsync`](/dotnet/api/azure.storage.queues.queueclient.receivemessagesasync) method.
 
-Add this code to the end of the `Main` method:
+Add this code to the end of the `Program.cs` file:
 
 ```csharp
 Console.WriteLine("\nReceiving messages from the queue...");
@@ -233,11 +288,11 @@ QueueMessage[] messages = await queueClient.ReceiveMessagesAsync(maxMessages: 10
 
 ### Delete messages from a queue
 
-Delete messages from the queue after they're been processed. In this case, processing is just displaying the message on the console.
+Delete messages from the queue after they've been processed. In this case, processing is just displaying the message on the console.
 
 The app pauses for user input by calling `Console.ReadLine` before it processes and deletes the messages. Verify in your [Azure portal](https://portal.azure.com) that the resources were created correctly, before they're deleted. Any messages not explicitly deleted will eventually become visible in the queue again for another chance to process them.
 
-Add this code to the end of the `Main` method:
+Add this code to the end of the `Program.cs` file:
 
 ```csharp
 Console.WriteLine("\nPress Enter key to 'process' messages and delete them from the queue...");
@@ -259,7 +314,7 @@ foreach (QueueMessage message in messages)
 
 The following code cleans up the resources the app created by deleting the queue using the [`DeleteAsync`](/dotnet/api/azure.storage.queues.queueclient.deleteasync) method.
 
-Add this code to the end of the `Main` method:
+Add this code to the end of the `Program.cs` file:
 
 ```csharp
 Console.WriteLine("\nPress Enter key to delete the queue...");
@@ -289,7 +344,7 @@ dotnet run
 The output of the app is similar to the following example:
 
 ```output
-Azure Queue Storage client library v12 - .NET quickstart sample
+Azure Queue Storage client library - .NET quickstart sample
 
 Creating queue: quickstartqueues-5c72da2c-30cc-4f09-b05c-a95d9da52af2
 
diff --git a/includes/passwordless/storage-queues/storage-queues-assign-roles.md b/includes/passwordless/storage-queues/storage-queues-assign-roles.md
@@ -0,0 +1,74 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 10/11/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+When developing locally, make sure that the user account that is accessing the queue data has the correct permissions. You'll need **Storage Queue Data Contributor** to read and write queue data. To assign yourself this role, you'll need to be assigned the **User Access Administrator** role, or another role that includes the **Microsoft.Authorization/roleAssignments/write** action. You can assign Azure RBAC roles to a user using the Azure portal, Azure CLI, or Azure PowerShell. You can learn more about the available scopes for role assignments on the [scope overview](../../../articles/role-based-access-control/scope-overview.md) page.
+
+In this scenario, you'll assign permissions to your user account, scoped to the storage account, to follow the [Principle of Least Privilege](../../../articles/active-directory/develop/secure-least-privileged-access.md). This practice gives users only the minimum permissions needed and creates more secure production environments.
+
+The following example will assign the **Storage Queue Data Contributor** role to your user account, which provides both read and write access to queue data in your storage account.
+
+> [!IMPORTANT]
+> In most cases it will take a minute or two for the role assignment to propagate in Azure, but in rare cases it may take up to eight minutes. If you receive authentication errors when you first run your code, wait a few moments and try again.
+
+### [Azure portal](#tab/roles-azure-portal)
+
+1. In the Azure portal, locate your storage account using the main search bar or left navigation.
+
+2. On the storage account overview page, select **Access control (IAM)** from the left-hand menu.
+
+3. On the **Access control (IAM)** page, select the **Role assignments** tab.
+
+4. Select **+ Add** from the top menu and then **Add role assignment** from the resulting drop-down menu.
+
+:::image type="content" source="../../../articles/storage/common/media/assign-role-system-identity.png" alt-text="A screenshot showing how to assign a role.":::
+
+5. Use the search box to filter the results to the desired role. For this example, search for *Storage Queue Data Contributor* and select the matching result and then choose **Next**.
+
+6. Under **Assign access to**, select **User, group, or service principal**, and then choose **+ Select members**.
+
+7. In the dialog, search for your Azure AD username (usually your *user@domain* email address) and then choose **Select** at the bottom of the dialog.
+
+8. Select **Review + assign** to go to the final page, and then **Review + assign** again to complete the process.
+
+### [Azure CLI](#tab/roles-azure-cli)
+
+To assign a role at the resource level using the Azure CLI, you first must retrieve the resource id using the `az storage account show` command. You can filter the output properties using the `--query` parameter.
+
+```azurecli
+az storage account show --resource-group '<your-resource-group-name>' --name '<your-storage-account-name>' --query id
+```
+
+Copy the output `Id` from the preceding command. You can then assign roles using the [az role](/cli/azure/role) command of the Azure CLI.
+
+```azurecli
+az role assignment create --assignee "<user@domain>" \
+    --role "Storage Queue Data Contributor" \
+    --scope "<your-resource-id>"
+```
+
+### [PowerShell](#tab/roles-powershell)
+
+To assign a role at the resource level using Azure PowerShell, you first must retrieve the resource ID using the `Get-AzResource` command.
+
+```azurepowershell
+Get-AzResource -ResourceGroupName "<yourResourceGroupname>" -Name "<yourStorageAccountName>"
+```
+
+Copy the `Id` value from the preceding command output. You can then assign roles using the [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) command in PowerShell.
+
+```azurepowershell
+New-AzRoleAssignment -SignInName <user@domain> `
+    -RoleDefinitionName "Storage Queue Data Contributor" `
+    -Scope <yourStorageAccountId>
+```
+
+---
