Skip to content
This repository has been archived by the owner on Apr 1, 2024. It is now read-only.

A walkthrough with sample on using a Service Fabric Managed Identity

License

Notifications You must be signed in to change notification settings

Azure-Samples/service-fabric-managed-identity

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

page_type languages products description urlFragment author ms.author service
sample
csharp
dotnet
End-to-end walkthrough of deploying a service fabric application with managed identities.
service-fabric-managed-identity
athinanthny, amenarde
atsenthi, anmenard
service-fabric

Getting started with Managed Identity for Service Fabric Applications

This document walks through the process of deploying a service fabric cluster to Azure with managed identity enabled, and then deploying an application that has a managed identity to that cluster. The provided sample application uses that identity to access secrets in an Azure Key Vault.

Read more about managed identity on Service Fabric

Environment Requirements

Note: All Azure resources used in the sample should be in the same region & resource group. This includes managed identity, Key Vault, Service Fabric cluster, and storage account.

Setting up Prerequisite Resources

From an elevated powershell window, run

Connect-AzAccount
Select-AzSubscription -Subscription $Subscription
# If you do not already have a resource group to create resources from this walkthrough:
New-AzResourceGroup -Name $ResourceGroupName -Location $Location

You can create the below tabled resources yourself, or use the provided ARM template to create these resources for you by opening ResourceManagement\prerequisites.parameters.json and filling out all the fields, then starting the deployment by running from a Powershell window:

 New-AzResourceGroupDeployment -TemplateParameterFile ".\prerequisites.parameters.json" -TemplateFile ".\prerequisites.template.json" -ResourceGroupName $ResourceGroupName
Resource Description
User-Assigned Managed Identity This identity will be assigned to the service fabric application
Key Vault with identity given access This keyvault will hold the cluster certificate and will be accessed by the sample application. Access policy Azure Virtual Machines for Deployment needs to be checked. The Key Vault's access policies should be configured to allow access for the managed identity
Storage Account with Blob container To deploy the application via ARM, the application package should be in a storage account. Public access level of the container needs to be set to Blob for ARM to access the storage account during deployment.
Container registry to host console service For Service Fabric to pull the containerized MISampleConsole service, it needs to be hosted in a container registry. Specific build instructions are in the walkthrough. More information on creating a containerized application in Service Fabric.

Create a cluster certificate

To deploy the cluster, a cluster certificate needs to be in Key Vault at deployment time. You can create a self-signed certificate in the portal or by running:

$Policy = New-AzKeyVaultCertificatePolicy -SubjectName $SubjectName -IssuerName Self -ValidityInMonths 12
Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $Policy

Walkthrough

Deploy a managed-identity-enabled cluster

Deploying to Azure using the Azure Resource Manager is the recommended way of managing Azure resources. Provided is a sample cluster ARM template to create a Service Fabric cluster with managed identity enabled. The template uses the cluster certificate provided by your key vault, creates a system-assigned identity, and enables the Managed Identity token service so deployed applications can access their identities.

To use the provided template:

  1. Open cluster.parameters.json and complete the fields
    • clusterLocation, adminUserName, adminPassword, sourceVaultValue, certificateUrlValue, certificateThumbprint
  2. In cluster.parameters.json, manually, or using ctrl-f and replace-all, change all instances of mi-test to a unique name, like myusername-mi-test. This will help ensure the deployment resource names do not conflict with the names of other public resources.
  3. Start the deployment by running from a Powershell window:
 New-AzResourceGroupDeployment -TemplateParameterFile ".\cluster.parameters.json" -TemplateFile ".\cluster.template.json" -ResourceGroupName $ResourceGroupName

Deploy the sample application

Application and Service Definition Changes

  1. In ApplicationManifest.xml
    1. Complete RepositoryCredentials with the credentials for your container registry
    2. Complete Vault_URI with the uri of your vault (e.g. https://mykv.vault.azure.net)
    3. Complete Secret_Name with the name of your secret
  2. In ServiceManifest.xml, complete ImageName under ContainerHost with the container repository address the image will be hosted at.
  3. In build.ps1, enter your desired image name (e.g. same as address)

Packaging and building your application

  1. Package MISampleApp and upload it to your storage account.
  2. Build the console app by running .\build.ps1 from an elevated powershell window.
    1. Please note docker should be running, and with Windows containers
  3. Push the image to your private Azure Container Repository, e.g.
    1. docker login mycr.azurecr.io
    2. docker push mycr.azurecr.io/folder/image

Deploy sample app

  1. Open app.parameters.json and complete
    • clusterName, applicationPackageURL, and userAssignedIdentityName
    • aplicationPackageUrl can be found by navigating into the blob container containing your application in your storage account, clicking into the application you would like to create, and copying the contents of URL.
  2. Start the deployment by running from a Powershell window:
 New-AzResourceGroupDeployment -TemplateParameterFile ".\app.parameters.json" -TemplateFile ".\app.template.json" -ResourceGroupName $ResourceGroupName
  1. Before the application starts running, the console app will not have access to a key vault. The application's system assigned identity is created only after the application is deployed. Once the application is deployed, the system assigned identity can be given access permission to keyvault. The system assigned identity's name is {cluster}/{application name}/{servicename}

Monitoring Secrets

MISampleApp Service Service type Managed identity it uses How to validate it is working
MISampleWeb ASP.NET Core App User-Assigned Go to the public endpoint http://mycluster.myregion.cloudapp.azure.com:80/vault
MISampleConsole Containerized C# Console App System-Assigned Remote into node running the service at my.node.ip:3389, find the running container with command docker ps, and look at the logs with docker logs

Next Steps

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

About

A walkthrough with sample on using a Service Fabric Managed Identity

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •