Merge pull request #298984 from PatAltimore/patricka-release-2504-aio

prmerger-automator[bot] · web-flow · commit 8a8ee5e202cc · 2025-04-28T22:22:44.000Z
Add CLI to broker authorization
diff --git a/articles/iot-operations/manage-mqtt-broker/howto-configure-authorization.md b/articles/iot-operations/manage-mqtt-broker/howto-configure-authorization.md
@@ -7,7 +7,7 @@ ms.subservice: azure-mqtt-broker
 ms.topic: how-to
 ms.custom:
   - ignite-2023
-ms.date: 11/11/2024
+ms.date: 04/28/2025
 
 #CustomerIntent: As an operator, I want to configure authorization so that I have secure MQTT broker communications.
 ms.service: azure-iot-operations
@@ -43,6 +43,64 @@ The following example shows how to create a BrokerAuthorization resource by usin
 
     :::image type="content" source="media/howto-configure-authorization/authorization-rules.png" alt-text="Screenshot that shows using the Azure portal to create broker authorization rules.":::
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker authz apply](/cli/azure/iot/ops/broker/authz#az-iot-ops-broker-authz-apply) command to create or change an authorization policy.
+
+```azurecli
+az iot ops broker authz apply --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker <BrokerName> --name <AuthenticationResourceName> --config-file <ConfigFilePathAndName>
+```
+
+In this example, assume a configuration file named `my-authz-policy.json` with the following content stored in the user's home directory:
+
+```json
+{
+  "authorizationPolicies": {
+    "cache": "Enabled",
+    "rules": [
+      {
+        "brokerResources": [
+          {
+            "clientIds": [],
+            "method": "Connect",
+            "topics": []
+          },
+          {
+            "clientIds": [],
+            "method": "Publish",
+            "topics": [
+              "odd-numbered-orders"
+            ]
+          },
+          {
+            "clientIds": [],
+            "method": "Subscribe",
+            "topics": [
+              "orders"
+            ]
+          }
+        ],
+        "principals": {
+          "attributes": [
+            {
+              "group": "authz-sat"
+            }
+          ],
+          "clientIds": [],
+          "usernames": []
+        }
+      }
+    ]
+  }
+}
+```
+
+An example command to create a new authorization policy named `my-authz-policy` is:
+
+```azurecli
+az iot ops broker authn apply --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name my-authz-policy --config-file ~/my-authz-policy.json
+```
+
 # [Bicep](#tab/bicep)
 
 To edit an authorization policy, create a `.bicep` file with the following content. Update the settings as needed, and replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
@@ -217,6 +275,59 @@ In the broker authorization rules for your authorization policy, use the followi
 ]
 ```
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker authz apply](/cli/azure/iot/ops/broker/authz#az-iot-ops-broker-authz-apply) command to create or change an authorization policy.
+
+```azurecli
+az iot ops broker authz apply --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker <BrokerName> --name <AuthenticationResourceName> --config-file <ConfigFilePathAndName>
+```
+In the broker authorization rules for your authorization policy, create a configuration file named `client-id-policy.json` with the following configuration stored in the user's home directory:
+
+```json
+{
+  "authorizationPolicies": {
+    "cache": "Enabled",
+    "rules": [
+      {
+        "brokerResources": [
+          {
+            "clientIds": [
+              "{principal.attributes.building}*"
+            ],
+            "method": "Connect",
+            "topics": []
+          },
+          {
+            "clientIds": [],
+            "method": "Publish",
+            "topics": [
+              "sensors/{principal.attributes.building}/{principal.clientId}/telemetry"
+            ]
+          }
+        ],
+        "principals": {
+          "attributes": [
+            {
+              "building": "building22"
+            },
+            {
+              "building": "building23"
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
+```
+
+An example command to create a new authorization policy named `client-id-authz-policy` is:
+
+```azurecli
+az iot ops broker authn apply --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name my-authz-policy --config-file ~/client-id-authz-policy.json
+```
+
 # [Bicep](#tab/bicep)
 
 To edit an authorization policy, create a `.bicep` file with the following content. Update the settings as needed, and replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
@@ -382,6 +493,64 @@ In the broker authorization rules for your authorization policy, use the followi
 ]
 ```
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker authz apply](/cli/azure/iot/ops/broker/authz#az-iot-ops-broker-authz-apply) command to create or change an authorization policy.
+
+```azurecli
+az iot ops broker authz apply --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker <BrokerName> --name <AuthenticationResourceName> --config-file <ConfigFilePathAndName>
+```
+
+In this example, assume a configuration file named `my-authz-policy.json` with the following content stored in the user's home directory:
+
+```json
+{
+  "authorizationPolicies": {
+    "cache": "Enabled",
+    "rules": [
+      {
+        "brokerResources": [
+          {
+            "clientIds": [],
+            "method": "Connect",
+            "topics": []
+          },
+          {
+            "clientIds": [],
+            "method": "Publish",
+            "topics": [
+              "odd-numbered-orders"
+            ]
+          },
+          {
+            "clientIds": [],
+            "method": "Subscribe",
+            "topics": [
+              "orders"
+            ]
+          }
+        ],
+        "principals": {
+          "attributes": [
+            {
+              "group": "authz-sat"
+            }
+          ],
+          "clientIds": [],
+          "usernames": []
+        }
+      }
+    ]
+  }
+}
+```
+
+An example command to create a new authorization policy named `my-authz-policy` is:
+
+```azurecli
+az iot ops broker authn apply --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name my-authz-policy --config-file ~/my-authz-policy.json
+```
+
 # [Bicep](#tab/bicep)
 
 To edit an authorization policy, create a `.bicep` file with the following content. Update the settings as needed, and replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
@@ -514,6 +683,22 @@ Include the `stateStoreResources` section in the rules for your authorization po
 ]
 ```
 
+# [Azure CLI](#tab/cli)
+
+Include the `stateStoreResources` section in the rules for your authorization policy.
+
+```json
+"stateStoreResources": [
+  {
+    "method": "", // Values: read, write, readwrite 
+    "keyType": "", //Values: string, pattern, binary. Default is pattern
+    "keys": [
+      // List of patterns to match
+    ]
+  },
+]
+```
+
 # [Bicep](#tab/bicep)
 
 In Bicep, include the `stateStoreResources` section in your authorization policy.
@@ -643,6 +828,79 @@ In the broker authorization rules for your authorization policy, add a similar c
 ]
 ```
 
+# [Azure CLI](#tab/cli)
+
+In this example, assume a configuration file named `state-store-authz-policy.json` in the user's home directory. In the broker authorization rules for your authorization policy, add a similar configuration:
+
+```json
+{
+  "authorizationPolicies": {
+    "cache": "Enabled",
+    "rules": [
+      {
+        "brokerResources": [
+          {
+            "clientIds": [
+              "{principal.attributes.building}*"
+            ],
+            "method": "Connect"
+          },
+          {
+            "method": "Publish",
+            "topics": [
+              "sensors/{principal.attributes.building}/{principal.clientId}/telemetry/*"
+            ]
+          },
+          {
+            "method": "Subscribe",
+            "topics": [
+              "commands/{principal.attributes.organization}"
+            ]
+          }
+        ],
+        "principals": {
+          "attributes": [
+            {
+              "building": "17",
+              "organization": "contoso"
+            }
+          ],
+          "usernames": [
+            "temperature-sensor",
+            "humidity-sensor"
+          ]
+        },
+        "stateStoreResources": [
+          {
+            "method": "Read",
+            "keyType": "Pattern",
+            "keys": [
+              "myreadkey",
+              "myotherkey?",
+              "mynumerickeysuffix[0-9]",
+              "clients/{principal.clientId}/*"
+            ]
+          },
+          {
+            "method": "ReadWrite",
+            "keyType": "Binary",
+            "keys": [
+              "xxxxxxxxxxxxxxxxxxxx"
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+An example command to create a new authorization policy named `state-store-authz-policy` is:
+
+```azurecli
+az iot ops broker authn apply --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name my-authz-policy --config-file ~/state-store-authz-policy.json
+```
+
 # [Bicep](#tab/bicep)
 
 To edit an authorization policy, create a `.bicep` file with the following content. Update the settings as needed, and replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
@@ -774,6 +1032,20 @@ kubectl edit brokerauthorization my-authz-policies
 1. Select the broker listener you want to edit from the list.
 1. On the port where you want to disable authorization, select **None** in the authorization dropdown.
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker listener port add](/cli/azure/iot/ops/broker/listener#az-iot-ops-broker-listener-port-add) command to disable authorization for a port. To disable authentication, don't include the `--authz-ref` parameter.
+
+```azurecli
+az iot ops broker listener port add --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker default --listener <ListenerName> --port <ListenerServicePort>
+```
+
+The following example disables authorization for port 8884 to the listener named `aio-broker-loadbalancer`:
+
+```azurecli
+az iot ops broker listener port add --resource-group myResourceGroupName --instance myAioInstanceName --broker default --listener aio-broker-loadbalancer --authn-ref default --port 8884
+```
+
 # [Bicep](#tab/bicep)
 
 To disable authorization, omit `authorizationRef` in the `ports` setting of your BrokerListener resource.
