Merge pull request #47788 from aljo-microsoft/patch-10

PRMerger6 · web-flow · commit 1a91750c7020 · 2018-08-18T04:00:58.000+08:00
Update service-fabric-common-questions.md
diff --git a/articles/service-fabric/service-fabric-common-questions.md b/articles/service-fabric/service-fabric-common-questions.md
@@ -24,11 +24,11 @@ There are many commonly asked questions about what Service Fabric can do and how
 
 ## Cluster setup and management
 
-### How do I rollback my Service Fabric cluster certificate?
+### How do I roll back my Service Fabric cluster certificate?
 
 Rolling back any upgrade to your application requires health failure detection prior to your Service Fabric cluster quorum committing the change; committed changes can only be rolled forward. Escalation engineer’s through Customer Support Services, may be required to recover your cluster, if an unmonitored breaking certificate change has been introduced.  [Service Fabric’s application upgrade](https://review.docs.microsoft.com/azure/service-fabric/service-fabric-application-upgrade?branch=master) applies [Application upgrade parameters](https://review.docs.microsoft.com/azure/service-fabric/service-fabric-application-upgrade-parameters?branch=master), and delivers zero downtime upgrade promise.  Following our recommended application upgrade monitored mode, automatic progress through update domains is based upon health checks passing, rolling back automatically if updating a default service fails.
  
-If your cluster is still leveraging the classic Certificate Thumbprint property in your Resource Manager template, its recommended you [Change cluster from certificate thumbprint to common name](https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-change-cert-thumbprint-to-cn), to leverage modern secrets management features.
+If your cluster is still leveraging the classic Certificate Thumbprint property in your Resource Manager template, it's recommended you [Change cluster from certificate thumbprint to common name](https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-change-cert-thumbprint-to-cn), to leverage modern secrets management features.
 
 ### Can I create a cluster that spans multiple Azure regions or my own datacenters?
 
@@ -116,6 +116,12 @@ Yes.  For more information, see [Create a cluster with attached data disks](../v
 | FabricRM.exe |
 | FileStoreService.exe |
  
+### How can my application authenticate to KeyVault to get secrets?
+The following are means for your application to obtain credentials for authenticating to KeyVault:
+
+A. During your applications build/packing job, you can pull a certificate into your SF app's data package, and use this to authenticate to KeyVault.
+B. For virtual machine scale set MSI enabled hosts, you can develop a simple PowerShell SetupEntryPoint for your SF app to get [an access token from the MSI endpoint](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/how-to-use-vm-token), and then [retrieve your secrets from KeyVault](https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/Get-AzureKeyVaultSecret?view=azurermps-6.5.0)
+
 ## Application Design
 
 ### What's the best way to query data across partitions of a Reliable Collection?
