Add a managed identity to a Service Fabric managed cluster node type (preview)

Each node type in a Service Fabric managed cluster is backed by a virtual machine scale set. To allow managed identities to be used with a managed cluster node type, a vmManagedIdentity property has been added to node type definitions; it contains a userAssignedIdentities list of the identities that may be used. The functionality mirrors how managed identities are used in non-managed clusters, for example using a managed identity with the Azure Key Vault virtual machine scale set extension.

For an example of a Service Fabric managed cluster deployment that makes use of managed identity on a node type, see this template. For a list of supported regions, see the managed cluster FAQ.

Note

Only user-assigned identities are currently supported for this feature.

Prerequisites

Before you begin:

  • If you don't have an Azure subscription, create a free account before you begin.
  • If you plan to use PowerShell, install the Azure CLI to run CLI reference commands.

Create a user-assigned managed identity

A user-assigned managed identity can be defined in the resources section of an Azure Resource Manager (ARM) template for creation upon deployment:

{ 
    "type": "Microsoft.ManagedIdentity/userAssignedIdentities", 
    "name": "[parameters('userAssignedIdentityName')]", 
    "apiVersion": "2018-11-30", 
    "location": "[resourceGroup().location]"  
},

or created with the Azure CLI (these commands can be run from PowerShell or any other shell):

az group create --name <resourceGroupName> --location <location>
az identity create --name <userAssignedIdentityName> --resource-group <resourceGroupName>

Add a role assignment with Service Fabric Resource Provider

Add a role assignment to the managed identity with the Service Fabric Resource Provider application. This assignment allows Service Fabric Resource Provider to assign the identity to the managed cluster's virtual machine scale set.

The following values must be used where applicable:

Name             Corresponding Service Fabric Resource Provider value
Application ID   74cb6831-0dbb-4be1-8206-fd4df301cdc2
Object ID        fbc587f2-66f5-4459-a027-bcd908b9d278

Role definition name        Role definition ID
Managed Identity Operator   f1a07417-d97a-45cb-824c-7a7467783830

This role assignment can be defined in the resources section using the Object ID and role definition ID:

{
    "type": "Microsoft.Authorization/roleAssignments", 
    "apiVersion": "2020-04-01-preview",
    "name": "[parameters('vmIdentityRoleNameGuid')]",
    "scope": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities', '/', parameters('userAssignedIdentityName'))]",
    "dependsOn": [ 
        "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedIdentityName'))]"
    ], 
    "properties": {
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
        "principalId": "fbc587f2-66f5-4459-a027-bcd908b9d278" 
    } 
}, 

or created via PowerShell, using either the application ID and the role definition name:

New-AzRoleAssignment -ApplicationId 74cb6831-0dbb-4be1-8206-fd4df301cdc2 -RoleDefinitionName "Managed Identity Operator" -Scope "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<userAssignedIdentityName>"

or the object ID and the role definition name:

New-AzRoleAssignment -PrincipalId fbc587f2-66f5-4459-a027-bcd908b9d278 -RoleDefinitionName "Managed Identity Operator" -Scope "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<userAssignedIdentityName>"

Add managed identity properties to node type definition

Finally, add the vmManagedIdentity and userAssignedIdentities properties to the managed cluster's node type definition. Be sure to use 2021-01-01-preview or later for the apiVersion.

{
    "type": "Microsoft.ServiceFabric/managedclusters/nodetypes",
    "apiVersion": "2021-01-01-preview",
    ...
    "properties": {
        "isPrimary" : true,
        "vmInstanceCount": 5,
        "dataDiskSizeGB": 100,
        "vmSize": "Standard_D2_v2",
        "vmImagePublisher" : "MicrosoftWindowsServer",
        "vmImageOffer" : "WindowsServer",
        "vmImageSku" : "2019-Datacenter",
        "vmImageVersion" : "latest",
        "vmManagedIdentity": {
            "userAssignedIdentities": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
            ]
        }
    }
}

After deployment, the created managed identity has been added to the designated node type's virtual machine scale set and can be used as expected, just like in any non-managed cluster.
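Because a missing role assignment only surfaces as the deployment error shown under Troubleshooting, it is worth checking the template before deploying. The following script is an added example (not from the original page or the Service Fabric team) that inspects an ARM template's resources for the two things this procedure requires: a role assignment granting Managed Identity Operator to the Service Fabric Resource Provider object ID, and a node type on apiVersion 2021-01-01-preview or later that lists at least one user-assigned identity. The sample template embedded below is constructed for illustration; the subscription ID and identity resource ID in it are placeholders.

```python
import json

SFRP_OBJECT_ID = "fbc587f2-66f5-4459-a027-bcd908b9d278"        # SFRP object ID (from the page)
MI_OPERATOR_ROLE_ID = "f1a07417-d97a-45cb-824c-7a7467783830"  # Managed Identity Operator role
MIN_NODETYPE_API = "2021-01-01-preview"

def _typed(resources, rtype):
    return [r for r in resources if r.get("type", "").lower() == rtype]

def check_template(template_text):
    """Return a list of findings; an empty list means both checks passed."""
    resources = json.loads(template_text).get("resources", [])
    findings = []
    # 1. SFRP must hold Managed Identity Operator on the identity, otherwise the
    #    deployment fails with the permission error described under Troubleshooting.
    granted = any(
        r.get("properties", {}).get("principalId", "").lower() == SFRP_OBJECT_ID
        and r.get("properties", {}).get("roleDefinitionId", "").lower().endswith(MI_OPERATOR_ROLE_ID)
        for r in _typed(resources, "microsoft.authorization/roleassignments"))
    if not granted:
        findings.append("no roleAssignment grants Managed Identity Operator to the SFRP object ID")
    # 2. Every node type must use a new-enough apiVersion and list at least one identity.
    for nt in _typed(resources, "microsoft.servicefabric/managedclusters/nodetypes"):
        name = nt.get("name", "<unnamed>")
        if nt.get("apiVersion", "")[:10] < MIN_NODETYPE_API[:10]:   # compare the date part only
            findings.append(f"{name}: apiVersion must be {MIN_NODETYPE_API} or later")
        ids = nt.get("properties", {}).get("vmManagedIdentity", {}).get("userAssignedIdentities", [])
        if not ids:
            findings.append(f"{name}: vmManagedIdentity.userAssignedIdentities is missing or empty")
    return findings

# Constructed sample template, trimmed to the resources this check cares about.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.ManagedIdentity/userAssignedIdentities", "name": "nt-identity",
     "apiVersion": "2018-11-30"},
    {"type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-04-01-preview",
     "name": "00000000-0000-0000-0000-000000000000",
     "properties": {"principalId": SFRP_OBJECT_ID,
                    "roleDefinitionId": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/" + MI_OPERATOR_ROLE_ID}},
    {"type": "Microsoft.ServiceFabric/managedclusters/nodetypes", "apiVersion": "2021-01-01-preview",
     "name": "cluster/NT1",
     "properties": {"vmManagedIdentity": {"userAssignedIdentities": ["<identityResourceId>"]}}},
]})

def broken_variant():
    """Same template with the role assignment removed and a constructed, too-old node type apiVersion."""
    t = json.loads(SAMPLE_TEMPLATE)
    t["resources"] = [r for r in t["resources"] if r["type"] != "Microsoft.Authorization/roleAssignments"]
    t["resources"][-1]["apiVersion"] = "2020-01-01-preview"
    return json.dumps(t)
```

Run `check_template(open("template.json").read())` against your own template; any non-empty result points at the step of this procedure that is missing.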

Troubleshooting

Failure to properly add a role assignment will be met with the following error on deployment:

[Screenshot: Azure portal deployment error stating that the client with SFRP's object/application ID does not have permission to perform the identity management action]

Next Steps