microsoft / service-fabric

Service Fabric is a distributed systems platform for packaging, deploying, and managing stateless and stateful distributed applications and containers at large scale.
https://docs.microsoft.com/en-us/azure/service-fabric/
MIT License

Service Fabric with AspNetCore User Secrets #672

Open NArnott opened 5 years ago

NArnott commented 5 years ago

I have an existing AspNetCore application that uses User Secrets for local development. I want to get it running in Service Fabric (as well as a separate process).

It's working well, except for the fact that User Secrets does not work when running in my local SF cluster, for the simple reason that SF services run under Network Service instead of my local user even when debugging in Visual Studio, and Network Service doesn't have access to (or even know where to look for) my secrets.json file.

I'm not sure how to get around this issue. Any ideas?

amanbha commented 5 years ago

@NArnott As per the aspnetcore documentation, the file is stored under %APPDATA%\Microsoft\UserSecrets\\secrets.json, which is tied to the user profile, so a process running under NETWORKSERVICE would not be able to find it (unless it's somehow made available under %appdata% of NETWORKSERVICE). Service Fabric Application Secrets management explains how to manage secrets. Once you follow that, you can modify your service's code to conditionally get settings depending on some environment variable which can determine if it's running inside or outside SF.

NArnott commented 5 years ago

@amanbha This still requires referencing the Service Fabric runtime libraries to access and decrypt the configuration settings. I don't want to reference them to my application since it will also run outside a SF environment, and that's a lot of extra baggage.

I don't know how hard it would be, but it would be nice if I could just run my local Dev cluster as my user.

amanbha commented 5 years ago

@NArnott Is your user account a domain account? If yes, could you try to configure your service to run as the domain account? Please see https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-run-service-as-ad-user-or-group

pksorensen commented 5 years ago

To anyone else ending here from googling.

Your app runs under network service most likely on your dev machine.

You may add var secretPath = PathHelper.GetSecretsPathFromSecretsId(typeof(Program).Assembly.GetCustomAttribute<UserSecretsIdAttribute>().UserSecretsId); to your app to see where that stores your secret configs.

It would be like this: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\UserSecrets\

devlie commented 5 years ago

I tried copying secrets.json to %appdata% but still couldn't get it to work in the local SF cluster. Running under a domain account is not an option for me, so I tried debugging the ASP.NET Core code to see what's going on.

PathHelper.GetSecretsPathFromSecretsId resolves %appdata% to C:\Windows\System32\config\systemprofile\AppData\Roaming. However, for whatever reason, when the UserSecretsConfigurationExtensions.AddSecretsFile method calls Directory.Exists, it gets false back, so it passes a null file provider to the AddJsonFile method, which ends up resolving FileProvider to the SF app code package directory. It seems like SF is virtualizing %windir% away.

devlie commented 4 years ago

Any plan to make this work? We would like to avoid having to connect to real Key Vault when running in local cluster.

tihobrazov commented 3 years ago

@devlie try to add all read permissions to C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\UserSecrets\ folder for "NETWORK SERVICE" user
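
A diagnostic for the checks discussed in the comments by pksorensen, devlie and tihobrazov, as an added example that is not part of the thread or of the Service Fabric or ASP.NET Core code. It reports the account the service runs as, the path User Secrets resolves to, and whether that account can see the directory and read the file. The class name UserSecretsDiagnostics is hypothetical, and using the Fabric_ApplicationName environment variable to detect a Service Fabric host is an assumption not stated on this page.

```csharp
using System;
using System.IO;
using System.Reflection;
using Microsoft.Extensions.Configuration.UserSecrets;

// Hypothetical helper: call Describe(typeof(Program).Assembly) at startup and log the result.
public static class UserSecretsDiagnostics
{
    public static string Describe(Assembly assembly)
    {
        var attribute = assembly.GetCustomAttribute<UserSecretsIdAttribute>();
        if (attribute == null)
            return "No UserSecretsIdAttribute on " + assembly.GetName().Name;

        string path;
        try
        {
            // Same call the thread uses; resolves against the profile of the current account.
            path = PathHelper.GetSecretsPathFromSecretsId(attribute.UserSecretsId);
        }
        catch (InvalidOperationException e)
        {
            return "Could not resolve the secrets path: " + e.Message;
        }

        // Assumption: Service Fabric sets Fabric_ApplicationName for hosted services.
        bool insideFabric = Environment.GetEnvironmentVariable("Fabric_ApplicationName") != null;

        return string.Join(Environment.NewLine,
            "Running as:       " + Environment.UserDomainName + "\\" + Environment.UserName,
            "Inside SF host:   " + insideFabric,
            "Secrets path:     " + path,
            "Directory exists: " + Directory.Exists(Path.GetDirectoryName(path)),
            "File readable:    " + CanRead(path));
    }

    // True only if the current account can actually open the file for reading.
    private static bool CanRead(string path)
    {
        try { using (File.OpenRead(path)) { return true; } }
        catch (Exception e) when (e is IOException || e is UnauthorizedAccessException)
        {
            return false;
        }
    }
}
```

Comparing the output from a normal debug run with the output from the local cluster shows whether the difference is the resolved profile path, directory visibility, or file permissions for the service account.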