The model for my Service Fabric infrastructure consists of two major parts:
- Data Center (think Azure region)
- Scale Unit (think Service Fabric cluster and its child resources)
But today, due to a limitation around the AAD first-party application, we decided to add one more level on top of it:
- Global secrets (think the 1PA token encryption/decryption certificate)
This means the Key Vault extension now needs to download yet another certificate, from a global Key Vault. It will use a User-Assigned Identity to authenticate to this Key Vault, so the Key Vault needs the appropriate access policies. But here's the challenge:
- Subscription 1
  - Resource Group 1 (Global Secrets)
    - Global Key Vault
- Subscription 2
  - Resource Group 2 (DC)
    - Regional Key Vault
    - Resource Group 3 (SU)
      - Service Fabric cluster
        - VMSS
          - Key Vault extension runs here
This means the ARM template for the UAID somehow needs to set an access policy for it on a Key Vault that is not just in another resource group but in another subscription altogether. Here's how to do that (the nested deployment targets the global subscription and resource group, while the identity's principalId is resolved in the outer deployment):

```json
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "uaidName": { "type": "string" },
    "globalSecretsSubscriptionId": { "type": "string" },
    "globalSecretsResourceGroupName": { "type": "string" },
    "globalSecretsKvName": { "type": "string" }
  },
  "variables": {
    "apiVersion": "2019-09-01",
    "idApiVersion": "2018-11-30",
    "kvApiVersion": "2019-09-01",
    "tenantId": "[subscription().tenantId]",
    "uaidRef": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaidName'))]"
  },
  "resources": [
    {
      "name": "[concat('KeyVault-Global-', parameters('uaidName'))]",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "[variables('apiVersion')]",
      "subscriptionId": "[parameters('globalSecretsSubscriptionId')]",
      "resourceGroup": "[parameters('globalSecretsResourceGroupName')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/accessPolicies",
              "name": "[concat(parameters('globalSecretsKvName'), '/add')]",
              "apiVersion": "[variables('kvApiVersion')]",
              "properties": {
                "accessPolicies": [
                  {
                    "tenantId": "[variables('tenantId')]",
                    "objectId": "[reference(variables('uaidRef'), variables('idApiVersion')).principalId]",
                    "permissions": {
                      "keys": [],
                      "secrets": [ "Get" ],
                      "certificates": [ "Get" ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  ]
}
```
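A template like this is easy to get subtly wrong: a misspelled parameter name only fails at deployment time, a nested deployment in Complete mode can remove unrelated resources from the target resource group, and an over-broad permission list silently widens what the identity can read. The following Python lint is an added example, not part of the post or of any Azure tooling; it checks a template for those three things. The embedded template is constructed for the demonstration and deliberately contains all three defects (the parameter spelling mismatch, Complete mode, and a List permission on secrets); the Get-only baseline in ALLOWED_PERMISSIONS is an assumption matching what a certificate-download identity needs.

```python
"""Lint an ARM template that grants a user-assigned identity access to a
Key Vault through a cross-subscription nested deployment.

Checks:
  1. every parameters('x') reference is declared,
  2. nested deployments run in Incremental mode,
  3. accessPolicies resources use the '/add' operation and grant no more
     than Get on secrets and certificates, and nothing on keys.
"""
import json
import re

# Constructed sample modelled on the post's template (not the author's file).
# It contains three deliberate defects for the lint to find.
SAMPLE_TEMPLATE = r"""
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "uaidName": {"type": "string"},
    "globalSecretsSubcriptionId": {"type": "string"},
    "globalSecretsResourceGroupName": {"type": "string"},
    "globalSecretsKvName": {"type": "string"}
  },
  "variables": {
    "uaidRef": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaidName'))]"
  },
  "resources": [{
    "name": "[concat('KeyVault-Global-', parameters('uaidName'))]",
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2019-09-01",
    "subscriptionId": "[parameters('globalSecretsSubscriptionId')]",
    "resourceGroup": "[parameters('globalSecretsResourceGroupName')]",
    "properties": {
      "mode": "Complete",
      "template": {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
          "type": "Microsoft.KeyVault/vaults/accessPolicies",
          "name": "[concat(parameters('globalSecretsKvName'), '/add')]",
          "apiVersion": "2019-09-01",
          "properties": {"accessPolicies": [{
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(variables('uaidRef'), '2018-11-30').principalId]",
            "permissions": {"keys": [], "secrets": ["Get", "List"], "certificates": ["Get"]}
          }]}
        }]
      }
    }
  }]
}
"""

# Assumed least-privilege baseline for an identity that only downloads certificates.
ALLOWED_PERMISSIONS = {"keys": set(), "secrets": {"get"}, "certificates": {"get"}}

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def undeclared_parameters(template_text, template):
    """Return parameter names referenced in expressions but never declared."""
    declared = set(template.get("parameters", {}))
    referenced = set(PARAM_REF.findall(template_text))
    return sorted(referenced - declared)


def lint_access_policies(template):
    """Check every nested deployment's mode and Key Vault access policy grants."""
    findings = []
    for dep in template.get("resources", []):
        if dep.get("type") != "Microsoft.Resources/deployments":
            continue
        name = dep.get("name", "?")
        props = dep.get("properties", {})
        if props.get("mode") != "Incremental":
            findings.append(f"{name}: mode is {props.get('mode')!r}, expected Incremental")
        for res in props.get("template", {}).get("resources", []):
            if res.get("type") != "Microsoft.KeyVault/vaults/accessPolicies":
                continue
            if "/add" not in res.get("name", ""):
                findings.append(f"{name}: access policy operation is not '/add'")
            for pol in res.get("properties", {}).get("accessPolicies", []):
                for kind, perms in pol.get("permissions", {}).items():
                    extra = {p.lower() for p in perms} - ALLOWED_PERMISSIONS.get(kind, set())
                    if extra:
                        findings.append(f"{name}: {kind} permission(s) {sorted(extra)} exceed Get-only baseline")
    return findings


def lint(template_text):
    """Run all checks on the template text; returns a list of finding strings."""
    template = json.loads(template_text)
    findings = [f"undeclared parameter referenced: {p}"
                for p in undeclared_parameters(template_text, template)]
    findings.extend(lint_access_policies(template))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

Run it against a real template file by replacing SAMPLE_TEMPLATE with the file's contents; an empty findings list means the template declares every parameter it uses, keeps the nested deployment in Incremental mode, and grants the identity nothing beyond Get.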