I want to access the Key Vault from my Service Fabric application via Managed Service Identity (MSI). I have enabled MSI on the virtual machine scale set in the Azure Portal and given it access to my Key Vault resource. This works like a charm up in the cloud. However, I am having problems with my local development environment.

As far as I understand, I can grant myself access to the Key Vault and run az login in Azure CLI. Alas, this doesn't work when running the application in a local Service Fabric cluster. I assume it is because a local cluster runs under the NETWORK SERVICE account.

How can I access the Key Vault from my local cluster with MSI?

Mikko

2 Answers


I am assuming you are using the Microsoft.Azure.Services.AppAuthentication library to get a token using MSI to authenticate to Key Vault, and this is working on Azure. If so, you can run the exact same code in a local development environment. The library will automatically switch to using MSI on Azure. You can find documentation here.

Note: Local development for MSI scenarios is much easier when developing applications that run under the current user, e.g. App Services. In such cases you can use the Azure CLI/Visual Studio account for local development. You do not need to create a separate service principal. Azure CLI/Visual Studio do not work for Service Fabric local development, since the local cluster runs under the Network Service account.

For Service Fabric scenarios, please follow these steps:

  1. Create a service principal and give it access to Key Vault. You have two options. A certificate is better w.r.t. security, but slightly harder to do.

    Option 1: Create a service principal with a certificate. Make sure you give Network Service account or whatever account is used to run fabric locally access to the certificate. Refer for details on how to give access.

    OR

    Option 2: Create a service principal with a password

  2. Create an environment variable called “AzureServicesAuthConnectionString”. Refer this on creating environment variables for service fabric.

    If using certificate, set "AzureServicesAuthConnectionString" to

    RunAs=App;AppId={AppId};TenantId={TenantId};CertificateThumbprint={Thumbprint};CertificateStoreLocation={LocalMachine or CurrentUser}

    If using password, set "AzureServicesAuthConnectionString" to

    RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}

If above steps do not work, please post the error you get.

Varun Sharma
  • Thank you for your answer. This is exactly what I've been trying to set up. I wasn't aware of how to create environment variables in Service Fabric. So it is probably the puzzle piece I'm missing. I'll try it out later. – Mikko Apr 19 '18 at 10:46
  • I have now tried this suggested solution and it works. I just want to highlight that for TenantId I used the Directory ID of the Azure Active Directory. Thank you Varun :) – Mikko Apr 24 '18 at 06:20
  • I am facing a similar issue where I am not able to hit Key Vault from the Service Fabric cluster from the Network Service account. I have added under ApplicationManifest.xml a Principal user for NetworkService. Added SecurityAccessPolicies for ResourceType Certificate and GrantRights="Full". Finally linked them to SecretsCertificates. Am I missing anything? I still get an "Access Denied" exception from the Key Vault client. If I run the test code in a unit test it does not fail, since the required cert is installed on the local machine. – Aditya Gaykar Apr 24 '18 at 17:56
  • Have you set things up in the Azure Active Directory? If not, in the Azure portal you can navigate to the AD and register a new application. Once it's created, open it and upload your certificate to it. Then you need to give the application access to the Key Vault. Go to the Key Vault resource and open access control. Add your application as a contributor. Then open access policies and add the application there also. – Mikko Apr 26 '18 at 11:48
  • @AdityaGaykar, please use the AzureServiceTokenProvider's PrincipalUsed property to check what is being used to authenticate. This should show that the cert is being used, and not integrated Windows authentication (Network Service account). PrincipalUsed.CertificateThumbprint should have the thumbprint of the cert used. – Varun Sharma Apr 27 '18 at 14:56
  • I am getting: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App;AppId=xxxxxxx;TenantId=xxxxx;CertificateThumbprint=xxxxxxx;CertificateStoreLocation=CurrentUser, Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxx. Exception Message: Specified certificate was not found. Is it because it's not able to access the cert store locally or no certificate was found associated with the app id? I do see the certificate associated with the app in Azure AD. – Frank Q. Oct 17 '19 at 00:28
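As an added example (not code from the answer or its author), here is the code path the accepted answer describes: the same AzureServiceTokenProvider call that uses MSI on the scale set reads the AzureServicesAuthConnectionString variable in the local cluster, and afterwards PrincipalUsed is inspected to confirm the service principal certificate was used rather than the Network Service Windows identity, which is the diagnostic suggested in the comments. It assumes the Microsoft.Azure.Services.AppAuthentication and Microsoft.Azure.KeyVault NuGet packages; the vault URL and secret name are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public static class KeyVaultReader
{
    // Reads one secret and reports which principal actually obtained the token.
    public static async Task<string> ReadSecretAsync(string vaultBaseUrl, string secretName)
    {
        // No connection string argument: the provider reads the
        // AzureServicesAuthConnectionString environment variable. When the variable
        // is absent (as on the VMSS in Azure) it falls through to MSI, so this code
        // is identical in the cloud and in the local cluster.
        var tokenProvider = new AzureServiceTokenProvider();

        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

        var secret = await keyVaultClient.GetSecretAsync(vaultBaseUrl, secretName);

        // PrincipalUsed is populated only after a token has been acquired.
        // For a service principal (RunAs=App) Type is "App"; a populated
        // CertificateThumbprint shows the certificate, not a password, was used.
        Principal p = tokenProvider.PrincipalUsed;
        Console.WriteLine(
            $"Type={p.Type} AppId={p.AppId} TenantId={p.TenantId} " +
            $"CertThumbprint={p.CertificateThumbprint} UPN={p.UserPrincipalName}");

        return secret.Value;
    }

    public static async Task Main()
    {
        // Placeholder values; replace with your own vault and secret name.
        string value = await ReadSecretAsync("https://my-vault.vault.azure.net/", "my-secret");
        Console.WriteLine($"secret length: {value.Length}");
    }
}
```

Locally the variable is declared in the service's ServiceManifest.xml under CodePackage/EnvironmentVariables so that the Network Service process sees it; with the certificate option, use CertificateStoreLocation=LocalMachine (CurrentUser refers to the store of the account running the service, not the developer's), and make sure that account has read access to the private key.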

Managed Service Identity is focused on resources that are running on Azure. We don't have a way to support local development environments.

Thanks, -Arturo

    Ok, but this is not exactly a satisfying answer. What should I rather do instead? I've done some research based on the link that you posted earlier but now removed. I figured out that MSI is limited to resources up in Azure but with the AppAuthentication preview API I should be able to access Key Vault through other means. – Mikko Apr 18 '18 at 08:26
  • Neither Visual Studio nor Azure CLI authentication seems to work for a local Service Fabric Cluster. The docs [link](https://learn.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#running-the-application-using-a-service-principal) say it should work by using a Service Principal. Had no luck setting it up so far though. Will a Service Principal work for a local Service Fabric environment? And do you have any more details on how to set it up? – Mikko Apr 18 '18 at 08:26