particle-iot / docs

Documentation for Particle
https://docs.particle.io

Why do the docs say you don't need Service Connect #527

Open shanselman opened 7 years ago

shanselman commented 7 years ago

Here https://docs.particle.io/tutorials/integrations/azure-iot-hub/#create-an-azure-iot-hub it says NOT to include Service Connect permissions?

Turns out you need that if you want to do anything with IoTHub Explorer.

jme783 commented 7 years ago

Hey @shanselman! First off, thanks for trying out the integration and for your awesome write-up. And thanks for your question.

The reason why we leave out asking for Service Connect permissions when providing shared access policy credentials is that strictly speaking, it is not required for the integration to function. Our cloud needs to be able to do 2 things on your behalf in IoT Hub:

While you are totally right that Service Connect is required for tools like the IoT Hub Explorer, it is recommended to use a different shared access policy (the iothubowner policy is what is suggested in the docs) than the policy used to configure the integration. The idea behind this was that Particle would only house secrets that do just enough and nothing more, to protect our users and practice good security hygiene.

To your question, it would probably be a good idea to be clear about this in our tutorial, adding detail to why we ask for some permissions but not others.

Does this make sense?

monkbroc commented 7 years ago

@shanselman @jme783 Could one of you craft a note around Service Connect? I'll gladly merge the change in.