Using Azure key vault as secret store for service fabric

[ahmagdy]

Hi I was wondering if there is a way to use Azure Key Vault as a secret store instead of using the encrypted XML files. I searched in the docs and i didn't find any helpful information about doing that and if it possible or not. Thanks.

[dragav]

@stevshan

We are currently working on supporting application secrets declared as KeyVault references. In the meantime, you could use one of these options:

• if you own the VMSS and fully trust all the code running on it, then you can use its managed identity to access the vault (and obtain access tokens from your SF application). Here is an intro to Managed Identities. There is also a VM(SS) extension that can retrieve certificates from a vault for you: KeyVault VM extension

• set up your own "managed identity": manually create an AAD app, generate credentials for it, provision its credentials onto the VMSS at deployment time (as a VMSS secret), and then use those credentials to obtain an auth token for the vault. Probably not worth the hassle, listing it here for completeness.

[ahmagdy]

@dragav Thanks Dragos.

[lgoncalv]

Hi @dragav , is there an issue number I can follow to track this feature?

Thanks

[dragav]

@tijoytom

@lgoncalv No, this tracked internally. However, it is scheduled to be released with the upcoming SF 7.0 release. SF also supports managed identities for SF apps now.