2

I have an application that runs in a Service Fabric(SF) cluster and I wan't to access Key Vault from it.

The cluster hosts a number of applications and I want to give access to a Key Vault for my application without giving access to the other applications. By default an application runs under the same user as the SF cluster, but each applicatiuon has it's own unique name, mine has the name fabric:/application1.

My question is, is it possible to create an Active Directory application account for fabric:/application1 and grant access to the key vault?

I know it is possible to use the RunAs options in the SF manifest, but that requires me storing an encrypted password in the manifest/source code and I want to try and avoid this if possible.

Jeff Finn
  • 1,975
  • 6
  • 23
  • 52
  • 1
    Could you check these link: https://stackoverflow.com/questions/49859477/access-key-vault-from-local-service-fabric-cluster-with-msi, https://github.com/MicrosoftDocs/azure-docs/issues/6500 ? – Thomas Oct 09 '18 at 06:01

1 Answers1

1

AFAIK,

The only way to have this flexibility is using ClientID & Secret or Service Principal certificates and each application manage their own credentials.

Service Principal Certificate is already integrated to AD, but does not require the application, the user or the Host to be part of the domain, the only requirement is setup an user on AD to grant the permissions on Keyvault.

There are other solutions using AD integration, like Managed identities for Azure resources(Former: Managed Service Identity) but I am not sure if you are able to restrict access per application like you described, because the MI add this as a service in the node, so technically other applicaitons would have access as well, worth a try to validate if you can restrict this.

If you want to try this approach, you can use with Microsoft.Azure.Services.AppAuthentication for implicit authentication of the services running in your cluster, where the nodes are setup with Managed Identities extension like described here.

Something link this: enter image description here

When you use the Microsoft.Azure.Services.AppAuthentication, the Step 2 will be handled by the library and you won't have to add much changes to your key vault auth logic.

When you run your code on an Azure App Service or an Azure VM with a managed identity enabled, the library automatically uses the managed identity. No code changes are required.

The following docs describe other options you can use for KeyVault Authentication.

PS: I've done other KeyVault integrations using Client Secrets and Certificates and they are secure enough, With Certificates you can store it on the managed store or with the application, I would recommend MI only if is a requirement for your solution.

Diego Mendes
  • 10,631
  • 2
  • 32
  • 36
  • Thanks for this, I will look into this more and try it out. For the moment I have used Run As due to project time constraints. – Jeff Finn Oct 10 '18 at 16:42
  • Diego what would be the best way to access KeyVault from an application that is not hosted in Azure? Is this possible? – Greg Quinn Jan 17 '19 at 02:47
  • Yes, it is possible, you need to setup the application in Active Directory to access KeyVault using the the Token provided by AD. See [here](https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2) and [here](https://stackoverflow.com/questions/46816697/programatically-adding-secrets-to-key-vault-in-c-sharp) – Diego Mendes Jan 21 '19 at 10:46