Reputation: 4001
I want to utilize MSI, e.g. to access KeyVault, in applications (in particular for me: the Azure Functions runtime) hosted inside containers which are hosted in an Azure Service Fabric VMSS.
What do I need to do to achieve this?
Upvotes: 1
Views: 1995
Reputation: 4001
Based on a hint on this issue:
Step 1 - add identity to VMSS
Extend the ARM template for the cluster's Microsoft.Compute/virtualMachineScaleSets resource. Add an identity element at the root level of the resource, like with properties:
...
"identity": {
"type": "SystemAssigned"
},
...
(Re-)deploy the cluster.
Step 2 - add routing to containers
In Windows containers the routing to the MSI endpoint is not working by default. For that I added an entry script, e.g. Entry.PS1 (do not forget to add the original ENTRYPOINT of your container; ServiceMonitor.exe in my case because I have an IIS container):
# Route the IMDS link-local range via the container's default gateway so the MSI endpoint is reachable
Write-Host "adding route for Managed Service Identity"
$gateway = (Get-NetRoute | Where-Object {$_.DestinationPrefix -eq '0.0.0.0/0'}).NextHop
$arguments = 'add','169.254.169.0','mask','255.255.255.0',$gateway
&'route' $arguments
# Smoke test: request a Key Vault token from the IMDS endpoint and log only the status code
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net%2F' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
Write-Host "MSI StatusCode :" $response.StatusCode
# Hand over to the container's original entry point (IIS ServiceMonitor)
C:\ServiceMonitor.exe w3svc
and modified the Dockerfile / container's ENTRYPOINT:
...
ENTRYPOINT ["powershell.exe","C:\\entry.PS1"]
Background: putting the route add anywhere other than the entry point will execute the statement at build time and add the route to the build host/container.
Step 3 - optional: re-image VMSS nodes
However, I still experienced a problem with an existing cluster. When accessing the token endpoint with
Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net%2F' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
I still got this error
Invoke-WebRequest : Unable to connect to the remote server
At line:1 char:1
+ Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oaut ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
To fix this I had to re-image the VMSS nodes.
Upvotes: 6
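Putting the three steps together from the application side, here is an added example (not code from the original answer): it makes sure the IMDS route exists, requests a token with retries so the "Unable to connect" case from Step 3 surfaces as a clear failure instead of a hang, and reads one Key Vault secret over the REST API. The vault and secret names are placeholders, and it assumes the VMSS's system-assigned identity has already been granted 'get' permission on secrets for that vault.

```powershell
param(
    [string]$VaultName  = 'my-vault-placeholder',   # placeholder, not a real vault
    [string]$SecretName = 'my-secret-placeholder'   # placeholder secret name
)

$ImdsHost   = '169.254.169.254'
$ImdsSubnet = '169.254.169.0'
$TokenUri   = "http://$ImdsHost/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net%2F"

function Ensure-ImdsRoute {
    # Same route the answer's entry script adds, but only when it is missing.
    $present = Get-NetRoute -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -eq "$ImdsSubnet/24" }
    if ($present) { Write-Host "IMDS route already present"; return }
    $gateway = (Get-NetRoute | Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' }).NextHop |
        Select-Object -First 1
    & route add $ImdsSubnet mask 255.255.255.0 $gateway | Out-Null
}

function Get-MsiToken {
    # Retry: IMDS is sometimes unreachable for a few seconds after container start.
    for ($i = 1; $i -le 5; $i++) {
        try {
            $r = Invoke-RestMethod -Uri $TokenUri -Method GET -Headers @{ Metadata = 'true' } -UseBasicParsing
            return $r.access_token
        } catch {
            Write-Host "IMDS attempt $i failed: $($_.Exception.Message)"
            Start-Sleep -Seconds (2 * $i)
        }
    }
    throw "IMDS at $ImdsHost unreachable after retries; check the route, or re-image the VMSS nodes (Step 3)."
}

function Get-KeyVaultSecret([string]$Token, [string]$Vault, [string]$Name) {
    # Key Vault REST call; the identity needs 'get' on secrets for this vault.
    $uri = "https://$($Vault).vault.azure.net/secrets/$($Name)?api-version=7.0"
    $resp = Invoke-RestMethod -Uri $uri -Method GET -Headers @{ Authorization = "Bearer $Token" } -UseBasicParsing
    return $resp.value
}

Ensure-ImdsRoute
$token  = Get-MsiToken
$secret = Get-KeyVaultSecret -Token $token -Vault $VaultName -Name $SecretName
# Log only that retrieval succeeded, never the token or the secret value.
Write-Host "Retrieved secret '$SecretName' from vault '$VaultName' (length $($secret.Length))"
```

Run it inside the container after the entry script has executed (or call it from the entry script itself before ServiceMonitor.exe); a thrown IMDS error there points at the missing route or at nodes that still need the re-image from Step 3.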