Azure-docs: Azure KeyVault example
Provide an example of how to connect secret with Azure Key Vault, please
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: d5df29c5-b630-9fc3-5eef-285b6543aecc
- Version Independent ID: 2c894551-6cee-542c-5acc-e44730ea354b
- Content: Manage Azure Service Fabric Mesh Application Secrets
- Content Source: articles/service-fabric-mesh/service-fabric-mesh-howto-manage-secrets.md
- Service: service-fabric-mesh
- GitHub Login: @aljo
- Microsoft Alias: aljo
PawelHaracz
All 3 comments
Thanks for the feedback! We are currently investigating and will update you shortly.
mimckitt
on 3 Jan 2019
@PawelHaracz I believe the process would be the same for a standard service fabric cluster as it would be for a Mesh cluster
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-secret-management
but I will assign to the author to confirm and call our this scenario in the docs.
@aljo-microsoft can you take a look?
mimckitt
on 3 Jan 2019
@PawelHaracz and @MicahMcKittrick-MSFT
Myself and the team of engineers working on SF MSI don't have a public release date yet; something similar to ACI's MSI, is being worked on, and we will have an update by build conference 2019: https://docs.microsoft.com/azure/container-instances/container-instances-managed-identity?context=azure/active-directory/managed-identities-azure-resources/context/msi-context
Until SF MSI is available, SF Cluster Operators (https://docs.microsoft.com/rest/api/servicefabric/sfrp-index) hosted on user owned virtual machines, should use Compute MSI:
Documented Here:
https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm
My public demo repo's Readme also has a documented test for Computes MSI:
https://github.com/aljo-microsoft/demo
For SF Mesh application developers, whom don't have access to the underlying hosts, or an MSI service endpoint to get a token from; SF Mesh Application dev's should provision an AAD identity, using the client ID and principle in their code, like the documentation flow on Web App's documented here:
https://docs.microsoft.com/azure/key-vault/key-vault-use-from-web-application
Deploying their Client ID and Principle to their application using the SF Mesh Secrets and Secrets/Values resource documented here:
https://docs.microsoft.com/azure/service-fabric-mesh/service-fabric-mesh-howto-manage-secrets#declare-a-mesh-secrets-resource
Effectively the SF MSI feature will do the registration in AAD for you at ARM template deployment time, and securely expose a Rest API for you to get your application level token from; avoiding the need for AAD id's to use the Secrets/Value resource, and for dev's to register their application manually with AAD.
If you are satisfied with this, please close this.
aljo-microsoft
on 3 Jan 2019
Related issues
Agazoth
·
3Comments
bdcoder2
·
3Comments
JeffLoo-ong
·
3Comments
Ponant
·
3Comments
DeepPuddles
·
3Comments
Most helpful comment
@PawelHaracz and @MicahMcKittrick-MSFT
Myself and the team of engineers working on SF MSI don't have a public release date yet; something similar to ACI's MSI, is being worked on, and we will have an update by build conference 2019: https://docs.microsoft.com/azure/container-instances/container-instances-managed-identity?context=azure/active-directory/managed-identities-azure-resources/context/msi-context
Until SF MSI is available, SF Cluster Operators (https://docs.microsoft.com/rest/api/servicefabric/sfrp-index) hosted on user owned virtual machines, should use Compute MSI:
Documented Here:
https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm
My public demo repo's Readme also has a documented test for Computes MSI:
https://github.com/aljo-microsoft/demo
For SF Mesh application developers, whom don't have access to the underlying hosts, or an MSI service endpoint to get a token from; SF Mesh Application dev's should provision an AAD identity, using the client ID and principle in their code, like the documentation flow on Web App's documented here:
https://docs.microsoft.com/azure/key-vault/key-vault-use-from-web-application
Deploying their Client ID and Principle to their application using the SF Mesh Secrets and Secrets/Values resource documented here:
https://docs.microsoft.com/azure/service-fabric-mesh/service-fabric-mesh-howto-manage-secrets#declare-a-mesh-secrets-resource
Effectively the SF MSI feature will do the registration in AAD for you at ARM template deployment time, and securely expose a Rest API for you to get your application level token from; avoiding the need for AAD id's to use the Secrets/Value resource, and for dev's to register their application manually with AAD.
If you are satisfied with this, please close this.