Posted on Leave a comment

How to implement Managed Identity on Service Fabric

Workloads deployed in Service Fabric clusters require Azure AD application credentials or managed identities to access Azure AD protected resources, such as Azure Key Vault and storage accounts. In case of Azure AD applications one can create a new app registration then assign permissions from Access control and finally use the client secret of this application inside the service fabric service.

If you need to enhance security and built based on well architected framework principles you can integrate managed identity authentication inside service fabric applications. Typically when you need to deploy an application on service fabric you should connect to the cluster and deploy using powershell commands. If you want to use managed identity it’s a whole different procedure and the first thing that needs to be changed is the deployment of the service inside the sf cluster.

The high level diagram can be found below.

It is mandatory to deploy the service fabric application as an arm template in order to enable managed identity. There is no other way to implement managed identity authentication except from arm templates.

In more detail there are some steps that need to be performed for the deployment:

  • some references for the user assigned managed identity should be added inside service fabric application in ServiceManifest.xml and ApplicationManifest.xml
  • the output package after the build should be bundled in a sfpkg zip format
  • the package should be uploaded in a storage account and it should be accessible from service fabric cluster (sas token)
  • an arm template should be created with some necessary information for the deployment such as application type and version, packageUrl, cluster name, managed identity name etc.
  • arm template should be applied in service fabric cluster resource group

Service fabric cluster configuration

ManagedIdentityTokenService should be enabled on Service Fabric cluster.

https://learn.microsoft.com/en-us/azure/service-fabric/configure-existing-cluster-enable-managed-identity-token-service

Azure configuration

  • Given that you have already created a user assigned Managed Identity you will need to add some references inside the service fabric application.

ApplicationManifest.xml

 <Principals>
    <ManagedIdentities>
      <ManagedIdentity Name="userassignedMI" />
    </ManagedIdentities>
  </Principals>
    <Policies>
      <IdentityBindingPolicy ServiceIdentityRef="SFServiceUser" ApplicationIdentityRef="userassignedMI" />
    </Policies>

ServiceManifest.xml

<ManagedIdentities DefaultIdentity="SFServiceUser">
    <ManagedIdentity Name="SFServiceUser" />
</ManagedIdentities>

https://learn.microsoft.com/en-us/azure/service-fabric/how-to-deploy-service-fabric-application-user-assigned-managed-identity

  • Then the appropriate RBAC should be assigned on the user assigned managed identity which is referenced inside service fabric application.

Code

In our code we can authenticate using Managed Identity instead of a connection string (DefaultAzureCredential class will automatically locate the managed identity configuration and use it).

var blobServiceClient = new BlobServiceClient( new Uri("https://storage.blob.core.windows.net"), new DefaultAzureCredential());

Deployment

The final step would be to deploy the application. Apply arm-template.json to create the SF service.

 az deployment group create --name sfdeployment --resource-group rgofsfcluster --template-file servicefabric-arm.json

Finally application will be created on service fabric cluster using arm templates supporting managed identity authentication.

Posted on Leave a comment

Build Service Fabric .NET applications with CMD and Azure DevOps

In this guide I will explain how to build a service fabric solution using cmd and also Azure DevOps to automate your deployments.

Given that you already have in place your Service Fabric solution, you should edit and add the below Target directive on your .sfproj file inside your visual studio solution.

This is needed in order to create the package that will be deployed on the service fabric cluster.

<Target Name="ForcePackageTarget" AfterTargets="Build" Condition="'$(ForcePackageTarget)' =='true'">
    <CallTarget Targets="Package"/>
  </Target>

That’s all. With this option enabled you can now perform a build using the msbuild tool. You should edit servicefabric.sln to reflect your project name.

msbuild servicefabric.sln /t:Build /p:ForcePackageTarget=true /p:Configuration=Debug /p:Platform=x64

The package output will be located on solution/pkg folder depending on your build configuration specified on the command line (Debug, Release).

In order to automate this procedure, you will have to create your pipeline and place it on your repository.

Three steps are needed in order to build your service fabric solution.

  • Firstly you should download the latest .NET version if your project targets .NET 6. If not, then you should select another version.
  • Secondly you should restore your Nuget packages on your solution in order to reference any services that come with the application.
  • The third step is the actual build using the msbuild task.

The example pipeline is shown below:

trigger:
- none

pr: none
pool:
  vmImage: windows-latest

steps:
- task: UseDotNet@2
  inputs:
    packageType: sdk
    version: '6.0.x'


- task: NuGetCommand@2
  inputs:
    command: 'restore'
    restoreSolution: '**/*.sln'
    feedsToUse: 'select'

- task: MSBuild@1
  inputs:
    solution: '**\*.sln'
    msbuildArchitecture: 'x64'
    configuration: 'release'
    msbuildArguments: '/p:ForcePackageTarget=true'
    clean: true

In order to get this pipeline working with .NET 6, you should edit Stateless1.csproj and add also LangVersion.

The output of the build will be located on pkg folder.

Finally you could create a release pipeline and upload the artifacts pkg directory on your service fabric cluster.

Microsoft Documentation for service fabric deployments:

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-package-apps

Youtube video: