microsoft/service-fabric-issues

Cannot deploy Service Fabric .NET application to cluster on Azure with user-assigned managed identity

rickystream94 opened this issue · 1 comment

I'm trying to deploy a .NET application to a SF cluster running on Azure on a 5 node VMSS with runtime version 6.5.676.9590. My goal is to leverage a User-Assigned Managed Identity to probe secrets from Azure KeyVault at runtime, more or less the same way as described in the sample project about Service Fabric and Managed Identities. Service Fabric application deployment via ARM template fails with "Identity <myManagedIdentityFriendlyName> is not defined in the ApplicationManifest file. FileName: ApplicationManifest".

Expected Behavior

I would expect the application to be successfully deployed to the cluster, with the Managed Identity correctly associated to the application. On Azure, the ARM deployment should also succeed.

Current Behavior

ARM deployment fails on Azure side during provisioning of the resource with type Microsoft.ServiceFabric/clusters/applications.

Steps to Reproduce

I have been following exactly the steps as shown in the sample project on GitHub and the official docs page.

  1. Apply the required changes to the SF Application ARM template
  2. Apply the required changes to the ApplicationManifest.xml and ServiceManifest.xml
  3. Run an ARM deployment via PowerShell to deploy the SF application

Context (Environment)

The .NET application consists of 4 microservices, and I'm trying to associate the same user-assigned managed identity to all of them. My success criterion is to at least have an application deployed to a SF cluster that has a managed identity and that will be able to talk to the ManagedIdentityTokenService (which is already enabled on the cluster).

When the ARM deployment fails, I can see on resources.azure.com that the SF application resource is provisioned with status "Failed". The curious thing here is that I can see the "identity": {..} field on the application, but not the "managedIdentities": [...] property inside the "properties: {..}" field of the JSON resource definition. I'm wondering whether this is expected or not at this point.
On the SF cluster, I can only see the Application Type resource available, but no application instance.
I have tried multiple times, with different combinations of names on the <ManagedIdentity> tag in the ApplicationManifest.xml file, but I keep getting the same result.
I can't figure out the root cause of the error I get, because the ManagedIdentity is actually defined in the ApplicationManifest.xml file:

<Principals>
  <ManagedIdentities>
    <ManagedIdentity Name="[UserAssignedManagedIdentityFriendlyName]" />
  </ManagedIdentities>
</Principals>

According to the example above, the friendly name is passed as a parameter, but I have also tried to hardcode it and I get the same result.

Stacktrace:

System.Fabric.FabricException: Identity 'UserAssignedIdentity' is not defined in the ApplicationManifest file. FileName: ApplicationManifest

InnerException:

System.Runtime.InteropServices.COMException, Exception from HRESULT: 0x80071BE
at System.Fabric.Interop.NativeClient.IFabricApplicationManagementClient10.EndCreateApplication(IFabricAsyncOperationContext context)
at System.Fabric.Interop.Utility.<>c__DisplayClass22_0.<WrapNativeAsyncInvoke>b__0(IFabricAsyncOperationContext context)
at System.Fabric.Interop.AsyncCallOutAdapter2`1.Finish(IFabricAsyncOperationContext context, Boolean expectedCompletedSynchronously)

ExceptionMethod:

8
EndCreateApplication
System.Fabric, Version=6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
System.Fabric.Interop.NativeClient+IFabricApplicationManagementClient10
Void EndCreateApplication(IFabricAsyncOperationContext)

Service Fabric Runtime and SDK Version :

Cluster's Runtime: 6.5.676.9590
SDK not relevant, as the whole deployment operation is going through Azure.

Operating System :

Publisher: MicrosoftWindowsServer
Offer: WindowsServer
SKU: 2016-Datacenter
Version: latest

Cluster Size :

5 nodes

Possible Workaround

No currently available workaround.

I have found a solution to my problem: apparently, what I was doing wrong was trying to reference a parameter for the ManagedIdentity Name property this way:

<Principals>
  <ManagedIdentities>
    <ManagedIdentity Name="[UserAssignedIdentityFriendlyName]" />
  </ManagedIdentities>
</Principals>

When I said I tried to hardcode it, I was not really right, because the package I had tested hadn't actually reflected my changes, but this was a separate issue.
Apparently, hardcoding the identity name made my day, and the application got deployed successfully with the MI properly recognized. I guess that referencing parameters is not supported when defining a Managed Identity.

You can close this issue.
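The failure in this thread comes down to one string having to agree in three places: the ManagedIdentity Name under Principals in ApplicationManifest.xml, the ApplicationIdentityRef in each IdentityBindingPolicy, and the name in the ARM resource's properties.managedIdentities array, with the manifest side taken literally (a "[param]" reference is not expanded there). The following pre-deployment check is an added example written for this page; it is not code from the issue, the sample project or the Service Fabric SDK. It uses the manifest namespace http://schemas.microsoft.com/2011/01/fabric and assumes the element layout the docs describe (Principals/ManagedIdentities in the application manifest, Resources/ManagedIdentities in the service manifest, properties.managedIdentities[].name in the ARM resource); the manifests, identity names and ARM fragment below are constructed sample input, not the reporter's project.

```python
import json
import re
import xml.etree.ElementTree as ET

# Default namespace of Service Fabric application and service manifests.
FABRIC_NS = {"f": "http://schemas.microsoft.com/2011/01/fabric"}
# Anything shaped like "[...]" is a parameter reference, not a literal identity name.
PARAM_REF = re.compile(r"^\[.*\]$")


def check_managed_identities(app_manifest_xml, service_manifests_xml, arm_application_json):
    """Cross-check managed identity names; returns a list of findings (empty means consistent).

    service_manifests_xml maps ServiceManifestName -> ServiceManifest.xml text.
    Element paths and ARM property names are assumptions about the manifest layout.
    """
    findings = []
    app = ET.fromstring(app_manifest_xml)

    # 1. Identities the application manifest declares, taken literally.
    declared = {
        mi.get("Name", "")
        for mi in app.findall("f:Principals/f:ManagedIdentities/f:ManagedIdentity", FABRIC_NS)
    }
    if not declared:
        findings.append("ApplicationManifest declares no <ManagedIdentity> under <Principals>")
    for name in sorted(declared):
        if PARAM_REF.match(name):
            findings.append(f"ManagedIdentity Name {name!r} is a parameter reference; use a literal name")

    # 2. Every binding policy must point at a declared app identity and a service identity.
    for imp in app.findall("f:ServiceManifestImport", FABRIC_NS):
        ref = imp.find("f:ServiceManifestRef", FABRIC_NS)
        svc_name = ref.get("ServiceManifestName") if ref is not None else None
        svc_xml = service_manifests_xml.get(svc_name)
        svc_identities = None
        if svc_xml is not None:
            svc = ET.fromstring(svc_xml)
            svc_identities = {
                mi.get("Name", "")
                for mi in svc.findall("f:Resources/f:ManagedIdentities/f:ManagedIdentity", FABRIC_NS)
            }
        for pol in imp.findall("f:Policies/f:IdentityBindingPolicy", FABRIC_NS):
            app_ref = pol.get("ApplicationIdentityRef", "")
            svc_ref = pol.get("ServiceIdentityRef", "")
            if app_ref not in declared:
                findings.append(f"{svc_name}: ApplicationIdentityRef {app_ref!r} is not declared under <Principals>")
            if svc_identities is not None and svc_ref not in svc_identities:
                findings.append(f"{svc_name}: ServiceIdentityRef {svc_ref!r} is not in its ServiceManifest <Resources>")

    # 3. The ARM resource must carry the user-assigned identity and matching managedIdentities names.
    arm = json.loads(arm_application_json)
    identity = arm.get("identity", {})
    if identity.get("type", "").lower() != "userassigned" or not identity.get("userAssignedIdentities"):
        findings.append("ARM resource has no user-assigned identity block")
    arm_entries = arm.get("properties", {}).get("managedIdentities")
    if arm_entries is None:
        findings.append("ARM resource is missing properties.managedIdentities")
        arm_entries = []
    arm_names = {str(e.get("name", "")) for e in arm_entries}
    for name in sorted(arm_names - declared):
        findings.append(f"ARM managedIdentities name {name!r} is not defined in the ApplicationManifest")
    for name in sorted(declared - arm_names):
        findings.append(f"ApplicationManifest identity {name!r} has no ARM managedIdentities entry")
    return findings


# Constructed sample input (hypothetical names, not the reporter's project).
SERVICE_MANIFEST = """<ServiceManifest Name="DemoSvcPkg" Version="1.0.0"
    xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Resources>
    <ManagedIdentities DefaultIdentity="SvcIdentity">
      <ManagedIdentity Name="SvcIdentity" />
    </ManagedIdentities>
  </Resources>
</ServiceManifest>"""

ARM_APP = json.dumps({
    "type": "Microsoft.ServiceFabric/clusters/applications",
    "identity": {
        "type": "userAssigned",
        "userAssignedIdentities": {
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]": {}
        },
    },
    "properties": {
        "typeName": "DemoAppType",
        "typeVersion": "1.0.0",
        "managedIdentities": [
            {"name": "AppIdentity", "principalId": "[reference(parameters('identityName')).principalId]"}
        ],
    },
})


def app_manifest(identity_name):
    """ApplicationManifest.xml with the given identity name in both places it appears."""
    return f"""<ApplicationManifest ApplicationTypeName="DemoAppType" ApplicationTypeVersion="1.0.0"
    xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="DemoSvcPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <IdentityBindingPolicy ServiceIdentityRef="SvcIdentity" ApplicationIdentityRef="{identity_name}" />
    </Policies>
  </ServiceManifestImport>
  <Principals>
    <ManagedIdentities>
      <ManagedIdentity Name="{identity_name}" />
    </ManagedIdentities>
  </Principals>
</ApplicationManifest>"""


if __name__ == "__main__":
    svcs = {"DemoSvcPkg": SERVICE_MANIFEST}
    print("literal name:", check_managed_identities(app_manifest("AppIdentity"), svcs, ARM_APP))
    print("param reference:", check_managed_identities(app_manifest("[IdentityName]"), svcs, ARM_APP))
```

Run against a manifest that uses a literal name matching the ARM entry, the check returns no findings; with a "[...]" reference in the manifest it reports both the unexpanded parameter and the ARM name that the manifest does not define, which is the same mismatch the cluster reported as "Identity ... is not defined in the ApplicationManifest file".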