Managing Secrets in Service Fabric Applications
Problem description
I am following the instructions at https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-secret-management to create a data encipherment certificate and use that certificate to decipher the secrets at runtime. I added the piece of code below to my ApplicationManifest.xml file to grant the Network Service account read access to a certificate defined by its thumbprint.
<Principals>
  <Users>
    <User Name="NetworkSvc" AccountType="NetworkService" />
  </Users>
</Principals>
<Policies>
  <SecurityAccessPolicies>
    <SecurityAccessPolicy ResourceRef="secretsEnciphermentCert" PrincipalRef="NetworkSvc" GrantRights="Full" ResourceType="Certificate" />
  </SecurityAccessPolicies>
</Policies>
<Certificates>
  <EndpointCertificate X509FindValue="thumbprintValue" Name="secretsEnciphermentCert" />
</Certificates>
Now, I am not able to deploy the package to the local cluster. It always fails with these errors:
Register-ServiceFabricApplicationType : Value cannot be null.
Parameter name: source
At C:\Program Files\Microsoft SDKs\Service
Fabric\Tools\PSModule\ServiceFabricSDK\Publish-NewServiceFabricApplication.ps1:251 char:9
+ Register-ServiceFabricApplicationType -ApplicationPathInImage ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Servi...usterConnection:ClusterConnection) [Register-Servic
eFabricApplicationType], FabricException
+ FullyQualifiedErrorId : RegisterApplicationTypeErrorId,Microsoft.ServiceFabric.Powershell.RegisterApplicationTyp
e
Recommended answer
You're using an EndpointCertificate certificate, while the example uses a SecretsCertificate:
<ApplicationManifest … >
  <Principals>
    <Users>
      <User Name="Service1" AccountType="NetworkService" />
    </Users>
  </Principals>
  <Policies>
    <SecurityAccessPolicies>
      <SecurityAccessPolicy GrantRights="Read" PrincipalRef="Service1" ResourceRef="MyCert" ResourceType="Certificate"/>
    </SecurityAccessPolicies>
  </Policies>
  <Certificates>
    <SecretsCertificate Name="MyCert" X509FindType="FindByThumbprint" X509FindValue="[YourCertThumbrint]"/>
  </Certificates>
</ApplicationManifest>
Also, make sure you don't have an invisible character in the thumbprint.
When copying a certificate thumbprint from the certificate store snap-in on Windows, an invisible character is placed at the beginning of the thumbprint string. This invisible character can cause an error when trying to locate a certificate by thumbprint, so be sure to delete this extra character.
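A pre-deployment check for the two problems the answer names, plus the GrantRights difference between the question's manifest (Full) and the example's (Read). This is an added example, not code from the original post or from Service Fabric. `lint_manifest`, `local` and the sample manifest with its thumbprint are hypothetical, and U+200E stands in for the invisible character, which the page does not identify.

```python
import string
import xml.etree.ElementTree as ET

HEX = set(string.hexdigits)

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def lint_manifest(xml_text):
    """Return findings about certificate access policies in an ApplicationManifest."""
    root = ET.fromstring(xml_text)
    certs = {}  # certificate Name -> (element kind, X509FindValue)
    for el in root.iter():
        if local(el.tag) in ("SecretsCertificate", "EndpointCertificate"):
            certs[el.get("Name")] = (local(el.tag), el.get("X509FindValue", ""))
    findings = []
    for el in root.iter():
        if local(el.tag) != "SecurityAccessPolicy" or el.get("ResourceType") != "Certificate":
            continue
        ref = el.get("ResourceRef")
        if ref not in certs:
            findings.append(f"{ref}: no certificate declared with this Name")
            continue
        kind, thumb = certs[ref]
        if kind != "SecretsCertificate":
            findings.append(f"{ref}: declared as {kind}, not SecretsCertificate")
        if el.get("GrantRights") != "Read":
            findings.append(f"{ref}: GrantRights={el.get('GrantRights')}, broader than Read")
        # Values in [brackets] are application parameters, resolved at deploy time.
        if not (thumb.startswith("[") and thumb.endswith("]")):
            bad = sorted({f"U+{ord(c):04X}" for c in thumb if c not in HEX})
            if bad:
                findings.append(f"{ref}: non-hex characters in thumbprint: {', '.join(bad)}")
    return findings

# Constructed sample modelled on the question's manifest; the thumbprint is made up
# and starts with U+200E, one kind of invisible character (an assumption).
SAMPLE = """<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Policies><SecurityAccessPolicies>
    <SecurityAccessPolicy ResourceRef="secretsEnciphermentCert" PrincipalRef="NetworkSvc"
                          GrantRights="Full" ResourceType="Certificate" />
  </SecurityAccessPolicies></Policies>
  <Certificates>
    <EndpointCertificate X509FindValue="\u200e0123456789ABCDEF0123456789ABCDEF01234567"
                         Name="secretsEnciphermentCert" />
  </Certificates>
</ApplicationManifest>"""

if __name__ == "__main__":
    for finding in lint_manifest(SAMPLE):
        print(finding)
```

Run against the real ApplicationManifest.xml text before publishing; an empty list means none of the three conditions was found.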