stackoom
  简体   繁体   中英

Access Key Vault on Azure Service Fabric app using Azure Active Directory on different tenant

 原文  2021-04-29 11:32:49       azure/ azure-active-directory/ azure-service-fabric/ azure-keyvault/ azure-security

Question

I have Azure service fabric cluster in tenantA which needs to connect to Azure key vault in tenantB to load up some of the connection strings required for its applications hosted on it

Thought of trying out the below set-up:

  1. to establish the handshake between the service fabric cluster in tenantA and Azure key vault in tenantB is by using Azure AD Application belongs to tenantB .

  2. configure Azure AD Application ID which belongs to tenantB to Azure service fabric application config in tenantA

  3. add Azure AD Application ID to the access policy of Azure key vault in tenantB

With this setup, will handshake between Azure service fabric cluster and Azure key vault happen?

(or)

Azure service fabric cluster, Azure key vault & Azure AD application have to be in same tenant?

2 answers

solution1
 0  2021-04-30 09:25:20

With this setup, will handshake between Azure service fabric cluster and Azure key vault happen?

It will not work, when you add the tenantB AD App Application ID to the access policy of Azure key vault in tenantB, essentially you add the service principal corresponded to the AD App to the keyvault. A service principal is a specific instance for an AD App in one tenant, it just works for the tenant which it located.

Even you consent the tenantB AD App to tenantA via the admin consent URL , it just generates a new service principal(enterprise application) in tenantA, which is not the same object as that you added in keyvault, an AD App has a 1:many relationship with its corresponding service principal.

Azure service fabric cluster, Azure key vault & Azure AD application have to be in same tenant?

Not exactly, but at least the service fabric cluster and key vault need to be in the same tenant, the AD App can be in another tenant, but it should be a multi-tenant app , then you need to consent it to the tenant of keyvault and service fabric cluster as mentioned above, then add the new generated service principal to the access policy before using it in service fabric cluster. If you not very familiar with Azure AD, it will be a little complex, so I recommend you to use them in the same tenant.

For more details about the relationship between AD Application and service principal, see this link .

solution2
 0 ACCPTED  2021-05-03 20:13:37

As long as the Application Id used to access the Key Vault is in the same tenant as the Key Vault, the application can run from anywhere. The application (with application id) will acquire an access token from its own tenant and then use that to access the Key Vault. The environment executing the code can have identities from multiple tenants when using an application id and secret.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Using Azure Active Directory with Azure Key Vault Unable to get access to Key Vault using Azure MSI on App Service Accessing Key vault in Azure active directory App registration Using Azure Key Vault and Active Directory to Retrieve Secrets Azure Key Vault reference in Azure App Service How to access key vault from azure app service Azure : Error using certificate obtained from Key Vault in App Service Import Azure key vault certificate to app service using powershell? How do I authorize one Azure Active Directory app to access a different AAD App Service Web API using a Bearer token? Azure certificate in Key Vault not valid for app service
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM