
Question Service Fabric - Getting Secrets inside containers

Open nareshkhatri81 opened this issue 7 years ago • 3 comments

Team,

I was looking into Service Fabric secret management: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-secret-management

I am wondering whether it is possible to use this inside containers. It uses a certificate for encryption and decryption, and that certificate is stored on the host. As containers run in their own isolation, will they be able to retrieve secrets?

```csharp
ConfigurationPackage configPackage = this.Context.CodePackageActivationContext.GetConfigurationPackageObject("Config");
SecureString mySecretValue = configPackage.Settings.Sections["MySettings"].Parameters["MySecret"].DecryptValue();
```

Do we need to install the certificate inside the containers for decryption to work?

Thanks, Naresh Khatri

nareshkhatri81, Apr 12 '18 05:04

There is an issue with the exported cert https://github.com/Azure/service-fabric-issues/issues/448 that is fixed in 6.2. Meanwhile, adopt the second approach highlighted in the doc:

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-securing-containers

mani-ramaswamy, Apr 17 '18 16:04

@mani-ramaswamy - Thanks for providing information about exporting the certificate inside containers. @rakshitatandon - I have a few questions. Once we export the certificate inside containers, which C# API should we use to decrypt secrets using the certificate?

For decrypting secrets inside containers, this is the API mentioned in https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-secret-management

```csharp
ConfigurationPackage configPackage = this.Context.CodePackageActivationContext.GetConfigurationPackageObject("Config");
SecureString mySecretValue = configPackage.Settings.Sections["MySettings"].Parameters["MySecret"].DecryptValue();
```

We don't have the SF runtime context inside containers, so the above API will not work? Or is there a way to get the SF runtime context inside containers?

The PowerShell command which encrypts the secret is:

```powershell
Invoke-ServiceFabricEncryptText -CertStore -CertThumbprint "" -Text "mysecret" -StoreLocation CurrentUser -StoreName My
```

Can I get the corresponding C# API to decrypt secrets inside containers? Which algorithm is used by the Encrypt PowerShell API?

Thanks, Naresh Khatri

nareshkhatri81, Apr 17 '18 16:04
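The thread never answers the two questions above (which C# API to call without the SF runtime, and which algorithm the cmdlet uses). The following is an added example, not code from the thread, the Service Fabric docs or the SF team, showing the shape a container-side decryptor would take once the certificate has been imported into the container via the `CertificateRef` mechanism in the securing-containers doc linked earlier. It makes two labelled assumptions: (1) the container host exposes the imported PFX through environment variables named `Certificates_<ServicePackageName>_<CertName>_PFX` and `..._Password`, as that doc describes, and (2) the output of `Invoke-ServiceFabricEncryptText` is a base64-encoded CMS (PKCS#7) EnvelopedData, which is what .NET's `EnvelopedCms` decodes. Assumption 2 is not confirmed anywhere on this page; verify it with a round trip against a real cmdlet output before relying on it. `Main` runs an offline round trip with a self-signed certificate so the code is checkable without a cluster.

```csharp
// Added example: decrypting a Service Fabric-style encrypted setting inside a
// container without the SF runtime context. Not from the thread or the SF docs.
// Assumption 1: env-var naming Certificates_<ServicePackage>_<CertName>_PFX/_Password
//               (from the securing-containers doc; check with `set Certificates_`).
// Assumption 2: the ciphertext is base64 CMS/PKCS#7 EnvelopedData (unconfirmed here).
// Requires the System.Security.Cryptography.Pkcs package on .NET Core / .NET 5+.
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class ContainerSecretDecryptor
{
    // Loads the PFX the container host injected (assumption 1). EphemeralKeySet keeps
    // the private key out of the container's persisted certificate store.
    public static X509Certificate2 LoadInjectedCertificate(string servicePackage, string certName)
    {
        string pfxPath  = Environment.GetEnvironmentVariable($"Certificates_{servicePackage}_{certName}_PFX");
        string password = Environment.GetEnvironmentVariable($"Certificates_{servicePackage}_{certName}_Password");
        if (string.IsNullOrEmpty(pfxPath) || password == null)
            throw new InvalidOperationException($"Certificate '{certName}' was not injected into the container.");
        return new X509Certificate2(pfxPath, password, X509KeyStorageFlags.EphemeralKeySet);
    }

    // Decrypts a base64 CMS envelope (assumption 2) with the given certificate and returns a
    // SecureString, matching the return type of Parameters[...].DecryptValue() in the SF API.
    public static SecureString Decrypt(string base64Cipher, X509Certificate2 cert)
    {
        var cms = new EnvelopedCms();
        cms.Decode(Convert.FromBase64String(base64Cipher));
        cms.Decrypt(new X509Certificate2Collection(cert));   // throws if cert has no matching private key
        var result = new SecureString();
        foreach (char c in Encoding.UTF8.GetString(cms.ContentInfo.Content)) result.AppendChar(c);
        result.MakeReadOnly();
        return result;
    }

    // Stand-in for Invoke-ServiceFabricEncryptText under assumption 2; used only for the round trip.
    public static string Encrypt(string plaintext, X509Certificate2 cert)
    {
        var cms = new EnvelopedCms(new ContentInfo(Encoding.UTF8.GetBytes(plaintext)));
        cms.Encrypt(new CmsRecipient(cert));
        return Convert.ToBase64String(cms.Encode());
    }

    // Copies a SecureString out for comparison; zeroes the unmanaged buffer afterwards.
    public static string Reveal(SecureString s)
    {
        IntPtr p = IntPtr.Zero;
        try { p = Marshal.SecureStringToGlobalAllocUnicode(s); return Marshal.PtrToStringUni(p); }
        finally { if (p != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(p); }
    }

    public static void Main()
    {
        // Offline round trip with a self-signed certificate constructed for this example.
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=example-sf-secret", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        string cipher = Encrypt("mysecret", cert);
        using SecureString secret = Decrypt(cipher, cert);
        Console.WriteLine(Reveal(secret) == "mysecret" ? "round trip ok" : "round trip FAILED");

        // In a real container you would instead call:
        //   using var injected = LoadInjectedCertificate("MyServicePkg", "MyCert");
        //   var value = Decrypt(encryptedSettingFromConfig, injected);
    }
}
```

Two practitioner caveats: the decryption certificate is now present inside the container image's runtime environment, so anything that can read the container's environment or filesystem can decrypt every setting encrypted to that certificate; and `EnvelopedCms.Decrypt` will quietly pick any recipient whose certificate matches, so pass only the intended certificate in the collection rather than a whole store.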

Greatly depends on the type of secret and the pattern that you're using. @dragav and @erikadoyle to confirm that the docs list current best practices. I don't think that normally we would be expecting you to use the "secret encrypted in config" pattern with containers, especially in Azure, where better models exist now.

masnider, Oct 23 '19 17:10