
Azure Service Fabric and Managed Service Identities

I'm about to explore the use of MSI inside Service Fabric. I can enable MSI on the Scale Set through ARM - no problem there.

My Service Fabric Cluster runs many applications and many of them have their own App Registration. At the moment we have stored the clientId/secret in appmanifest for these apps.

With MSI I can store the credentials in keyvault and fetch the clientId/secret used for each app, but that seems kind of wrong.

Now my question: Would it be possible to set up some kind of delegation between the MSI app registration and the apps running on the Service Fabric? Just to avoid having Client Secrets stored at all.

If you are using the clientid/client secret to acquire an access token, instead maybe you allow the MSI app registration to access the other apps and then acquire tokens using the MSI principal by means of the 'on behalf of' approach?

Relevant code here.

This way you only need to know the resourceID of the service you want to call, which is not a secret.
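The point of the answer above is that a managed identity lets the application ask the VM's local Instance Metadata Service (IMDS) for a token, so the only input it needs is the resource identifier of the target service and no client secret is kept in the application manifest. The following is an added example, not code from the original post, showing that exchange in Python against the real IMDS endpoint (`http://169.254.169.254/metadata/identity/oauth2/token`, API version `2018-02-01`, mandatory `Metadata: true` header). The HTTP transport is injectable and the IMDS response is a constructed sample, so the module runs offline; the client ID and token values in it are placeholders. It does not cover the separate on-behalf-of token request the answer mentions.

```python
"""Acquire an Azure AD access token from a VM / scale-set managed identity.

Added example, not code from the original post. It talks to the Azure Instance
Metadata Service (IMDS) endpoint exposed on the VM, so the application needs to
know only the resource identifier it wants a token for; no client secret is
stored in the Service Fabric application manifest. The HTTP transport is
injectable so the module can be exercised offline with a constructed response.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_token_request(resource: str, client_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for an IMDS token request.

    `resource` is the audience (app ID URI or resource URI) of the service to
    call. `client_id` selects a user-assigned identity when several identities
    are attached to the scale set; a system-assigned identity needs none.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header, which stops components that
    # cannot set custom headers (e.g. a plain redirect) from obtaining tokens.
    return url, {"Metadata": "true"}


def parse_imds_token_response(body: str, now: Optional[float] = None) -> Dict[str, object]:
    """Parse the JSON body returned by IMDS and compute the remaining lifetime."""
    data = json.loads(body)
    for key in ("access_token", "expires_on", "resource", "token_type"):
        if key not in data:
            raise ValueError(f"IMDS response missing field: {key}")
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data['token_type']}")
    now = time.time() if now is None else now
    expires_on = int(data["expires_on"])  # IMDS returns epoch seconds as a string
    return {
        "access_token": data["access_token"],
        "resource": data["resource"],
        "expires_on": expires_on,
        "seconds_remaining": max(0, expires_on - int(now)),
    }


def _default_http_get(url: str, headers: Dict[str, str]) -> str:
    """Real transport: plain HTTP to the link-local IMDS address (no TLS by design)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def fetch_managed_identity_token(
    resource: str,
    client_id: Optional[str] = None,
    http_get: Callable[[str, Dict[str, str]], str] = _default_http_get,
    now: Optional[float] = None,
) -> Dict[str, object]:
    """Request and parse a token for `resource` using the VM's managed identity."""
    url, headers = build_imds_token_request(resource, client_id)
    return parse_imds_token_response(http_get(url, headers), now=now)


# Constructed sample response (placeholder token and client_id) for offline runs.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.CONSTRUCTED.SAMPLE",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "expires_in": "3599",
    "expires_on": "1700003600",
    "ext_expires_in": "3599",
    "not_before": "1700000000",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})


def fake_http_get(url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for IMDS that enforces the same Metadata header rule."""
    if headers.get("Metadata") != "true":
        raise PermissionError("IMDS requires the 'Metadata: true' header")
    return SAMPLE_IMDS_RESPONSE


if __name__ == "__main__":
    token = fetch_managed_identity_token(
        "https://vault.azure.net", http_get=fake_http_get, now=1700000000
    )
    print("token for", token["resource"], "valid for", token["seconds_remaining"], "s")
```

On a real scale-set node, drop the `http_get=fake_http_get` argument and the default transport queries IMDS directly. The returned bearer token is short-lived and bound to the requested resource, so cache it keyed by resource and refresh it before `seconds_remaining` reaches zero rather than persisting it anywhere.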
