Managing Secrets in Service Fabric Applications

1
votes

I am following the instructions at https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-secret-management to create a data encipherment certificate and use that certificate to decipher the secrets at runtime. I added below piece of code to my ApplicationManifest.xml file to grant Network Service account read access to a certificate defined by its thumbprint.

<Principals>

<Users>

  <User Name="NetworkSvc" AccountType="NetworkService" />

</Users>

</Principals>

<Policies>

<SecurityAccessPolicies>

  <SecurityAccessPolicy ResourceRef="secretsEnciphermentCert" PrincipalRef="NetworkSvc" GrantRights="Full" ResourceType="Certificate" />

</SecurityAccessPolicies>

</Policies>

<Certificates>

<EndpointCertificate X509FindValue="thumbprintValue" Name="secretsEnciphermentCert" />

</Certificates>

Now, I am not able to deploy the package to local cluster. It always fails with these errors

Register-ServiceFabricApplicationType : Value cannot be null.

Parameter name: source

At C:\Program Files\Microsoft SDKs\Service 

Fabric\Tools\PSModule\ServiceFabricSDK\Publish-NewServiceFabricApplication.ps1:251 char:9

+         Register-ServiceFabricApplicationType -ApplicationPathInImage ...

+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     + CategoryInfo          : InvalidOperation: (Microsoft.Servi...usterConnection:ClusterConnection) [Register-Servic 

     eFabricApplicationType], FabricException

    + FullyQualifiedErrorId : RegisterApplicationTypeErrorId,Microsoft.ServiceFabric.Powershell.RegisterApplicationTyp 

    e
1
azureazure-service-fabric
If i remove below lines from Application Manifest i am able to deploy the application in local cluster but then NetworkService don't have access to the certificate defined by the thumbprint. <Policies> <SecurityAccessPolicies> <SecurityAccessPolicy ResourceRef="secretsEnciphermentCert" PrincipalRef="NetworkSvc" GrantRights="Full" ResourceType="Certificate" /> </SecurityAccessPolicies> </Policies>PradeepAgarwal

1 Answers

1
votes

You're using an EndpointCertificate certificate, while the example uses a SecretsCertificate

<ApplicationManifest … >
    <Principals>
        <Users>
            <User Name="Service1" AccountType="NetworkService" />
        </Users>
    </Principals>
  <Policies>
    <SecurityAccessPolicies>
      <SecurityAccessPolicy GrantRights=”Read” PrincipalRef="Service1" ResourceRef="MyCert" ResourceType="Certificate"/>
    </SecurityAccessPolicies>
  </Policies>
  <Certificates>
    <SecretsCertificate Name="MyCert" X509FindType="FindByThumbprint" X509FindValue="[YourCertThumbrint]"/>
  </Certificates>
</ApplicationManifest>

Also, make sure you don't have an invisible character in the thumbprint.

When copying a certificate thumbprint from the certificate store snap-in on Windows, an invisible character is placed at the beginning of the thumbprint string. This invisible character can cause an error when trying to locate a certificate by thumbprint, so be sure to delete this extra character