KeyVault secret references require managed identity error

Bjorn Lievens 20 Reputation points
2023-08-09T07:54:33.66+00:00

Hi,

I followed the guidelines in this post: https://video2.skills-academy.com/en-us/azure/service-fabric/service-fabric-keyvault-references to be able to inject a managed keyvault secret into an environmental variable.

I did following steps:

  1. Enable CentralSecretService (seems to be running when looking in SFexplorer)
  2. Deploy the application with an ARM template
  3. I have "managedIdentities" under properties of the application
  4. I have "identity" of type userAssigned
  5. I inject the keyVault secret url as a parameter

In the ApplicationManifest.xml

  1. I have a ManagedIdentity in the Principals>ManagedIdentities tag
  2. The parameter specified of course

Under ServiceManifestImport:

  1. I have the EnvironmentOverrides with an EnvironmentVariable of Type="ManagedKeyVaultReference"
  2. Policies tag with IdentityBindingPolicy (tried with and without, same error)

In the upgrade parameters I can see that the keyvault url is provided as a parameter and correctly expanded with the suffix for the recent version. And it has Managed Application Identity section with the correct name & principalid & a token service endpoint.

But still I get the following error:

'System.Hosting' reported Error for property 'CodePackageActivation:Code:EntryPoint:133360244693949629'.

There was an error during CodePackage activation.KeyVault secret references require managed identity

Does someone know what I'm missing?

Not much information to find on the subject online

Thanx,

Bjorn

Below the manifest & ARM template


Accepted answer
  1. deherman-MSFT 35,011 Reputation points Microsoft Employee
    2023-08-14T15:30:18.6566667+00:00

    @Bjorn Lievens

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer.

    Error Message:

    'System.Hosting' reported Error for property 'CodePackageActivation:Code:EntryPoint:133360244693949629'. There was an error during CodePackage activation.KeyVault secret references require managed identity

    Issue:

    • Unable to inject a managed keyvault secret into an environmental variable.

    Solution:

      <Resources>
        ...
        <ManagedIdentities DefaultIdentity="WebAdmin">
          <ManagedIdentity Name="WebAdmin" />
        </ManagedIdentities>
      </Resources>
    

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.


1 additional answer

  1. Bjorn Lievens 20 Reputation points
    2023-08-09T13:42:02.2233333+00:00

    Apparently you also need to add a resource to the ServiceManifest.xml (which is not documented in that documentation but on another page: https://video2.skills-academy.com/en-us/azure/service-fabric/how-to-deploy-service-fabric-application-user-assigned-managed-identity)

      <Resources>
        ...
        <ManagedIdentities DefaultIdentity="WebAdmin">
          <ManagedIdentity Name="WebAdmin" />
        </ManagedIdentities>
      </Resources>
    
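To show how the pieces described in the question and the two answers fit together, here is an added example (not code from the original post, nor from the Service Fabric documentation) listing the relevant parts of both manifests in one block. The identity name WebAdmin is the one used in the thread; the application type, service package, service type, executable name, parameter name and environment variable name are assumed placeholders, and the secret URL is supplied from the ARM template exactly as the question describes.

```xml
<!-- ApplicationManifest.xml (added example; all names except WebAdmin are assumed) -->
<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric"
                     ApplicationTypeName="MyAppType" ApplicationTypeVersion="1.0.0">
  <Parameters>
    <!-- Filled in by the ARM template with the versioned secret URL, e.g.
         https://<vault>.vault.azure.net/secrets/<name>/<version> -->
    <Parameter Name="MySecretUrl" DefaultValue="" />
  </Parameters>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="MyServicePkg" ServiceManifestVersion="1.0.0" />
    <EnvironmentOverrides CodePackageRef="Code">
      <!-- Resolved at activation time using the identity bound below -->
      <EnvironmentVariable Name="MY_SECRET" Value="[MySecretUrl]" Type="ManagedKeyVaultReference" />
    </EnvironmentOverrides>
    <Policies>
      <!-- Both refs must name an identity that exists in <Principals> here
           and in <Resources> of the service manifest -->
      <IdentityBindingPolicy ServiceIdentityRef="WebAdmin" ApplicationIdentityRef="WebAdmin" />
    </Policies>
  </ServiceManifestImport>
  <Principals>
    <ManagedIdentities>
      <!-- Name must match managedIdentities[].name in the ARM application resource -->
      <ManagedIdentity Name="WebAdmin" />
    </ManagedIdentities>
  </Principals>
</ApplicationManifest>

<!-- ServiceManifest.xml: the <Resources> block the thread identifies as the missing piece -->
<ServiceManifest xmlns="http://schemas.microsoft.com/2011/01/fabric"
                 Name="MyServicePkg" Version="1.0.0">
  <ServiceTypes>
    <StatelessServiceType ServiceTypeName="MyServiceType" />
  </ServiceTypes>
  <CodePackage Name="Code" Version="1.0.0">
    <EntryPoint>
      <ExeHost>
        <Program>MyService.exe</Program>
      </ExeHost>
    </EntryPoint>
    <EnvironmentVariables>
      <!-- Declared here; the application manifest override supplies the real value -->
      <EnvironmentVariable Name="MY_SECRET" Value="" />
    </EnvironmentVariables>
  </CodePackage>
  <Resources>
    <!-- Without this block the host cannot associate an identity with the code package,
         which is what "KeyVault secret references require managed identity" reports -->
    <ManagedIdentities DefaultIdentity="WebAdmin">
      <ManagedIdentity Name="WebAdmin" />
    </ManagedIdentities>
  </Resources>
</ServiceManifest>
```

The check worth doing before redeploying is that the same identity name appears in all three places (the ARM `managedIdentities` entry under the application resource, `<Principals>` in the application manifest, and `<Resources>` in the service manifest) and that the `IdentityBindingPolicy` refers to it. Separately from the manifests, the user-assigned identity itself must be allowed to read the secret in Key Vault (a secret `get` permission in an access policy, or the equivalent RBAC role); giving it only that, and only on the vault holding this secret, keeps the blast radius of the service's identity small.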