Merge pull request #99899 from megvanhuygen/service-fabric-application-secret-store

ShawnJackson · web-flow · commit 55ed3e958c02 · 2020-01-14T16:01:48.000-06:00
Edit pass: Service Fabric Secrets Store
diff --git a/articles/service-fabric/service-fabric-application-secret-store.md b/articles/service-fabric/service-fabric-application-secret-store.md
@@ -1,16 +1,16 @@
 ---
-title: Service Fabric Secrets Store 
-description: This article describes how to use Service Fabric Secrets Store.
+title: Azure Service Fabric Central Secrets Store 
+description: This article describes how to use Central Secrets Store in Azure Service Fabric.
 
 ms.topic: conceptual 
 ms.date: 07/25/2019
 ---
 
-#  Service Fabric Secrets Store
-This article describes how to create and use secrets in Service Fabric applications using Service Fabric Secrets Store(CSS). CSS is a local secret store cache, used to keep sensitive data such as a password, tokens, and keys encrypted in memory.
+# Central Secrets Store in Azure Service Fabric 
+This article describes how to use Central Secrets Store (CSS) in Azure Service Fabric to create secrets in Service Fabric applications. CSS is a local secret store cache that keeps sensitive data, such as a password, tokens, and keys, encrypted in memory.
 
-## Enabling Secrets Store
- Add the below to your cluster configuration under `fabricSettings` to enable CSS. It's recommended to use a certificate different from cluster certificate for CSS. Make sure the encryption certificate is installed on all nodes and `NetworkService` has read permission to certificate's private key.
+## Enable Central Secrets Store
+Add the following script to your cluster configuration under `fabricSettings` to enable CSS. We recommend that you use a certificate other than a cluster certificate for CSS. Make sure the encryption certificate is installed on all nodes and that `NetworkService` has read permission to the certificate's private key.
   ```json
     "fabricSettings": 
     [
@@ -42,10 +42,14 @@ This article describes how to create and use secrets in Service Fabric applicati
         ...
      ]
 ```
-## Declare secret resource
-You can create a secret resource either using the Resource Manager template or using the REST API.
+## Declare a secret resource
+You can create a secret resource by using either the Azure Resource Manager template or the REST API.
+
+### Use Resource Manager
+
+Use the following template to use Resource Manager to create the secret resource. The template creates a `supersecret` secret resource, but no value is set for the secret resource yet.
+
 
-* Using Resource Manager template
 ```json
    "resources": [
       {
@@ -62,20 +66,20 @@ You can create a secret resource either using the Resource Manager template or u
         }
       ]
 ```
-The above template creates `supersecret` secret resource, but no value is set for the secret resource yet.
 
-* Using the REST API
+### Use the REST API
 
-To create secret resource, `supersecret` make a PUT request to `https://<clusterfqdn>:19080/Resources/Secrets/supersecret?api-version=6.4-preview`. You need the cluster certificate or admin client certificate to create a secret.
+To create a `supersecret` secret resource by using the REST API, make a PUT request to `https://<clusterfqdn>:19080/Resources/Secrets/supersecret?api-version=6.4-preview`. You need the cluster certificate or admin client certificate to create a secret resource.
 
 ```powershell
 Invoke-WebRequest  -Uri https://<clusterfqdn>:19080/Resources/Secrets/supersecret?api-version=6.4-preview -Method PUT -CertificateThumbprint <CertThumbprint>
 ```
 
-## Set secret value
-* Using Resource Manager template
+## Set the secret value
+
+### Use the Resource Manager template
 
-The below Resource Manager template creates and set value for secret `supersecret` with version `ver1`.
+Use the following Resource Manager template to create and set the secret value. This template sets the secret value for the `supersecret` secret resource as version `ver1`.
 ```json
   {
   "parameters": {
@@ -113,67 +117,68 @@ The below Resource Manager template creates and set value for secret `supersecre
     }
   ],
   ```
-* Using the REST API
+### Use the REST API
 
+Use the following script to use the REST API to set the secret value.
 ```powershell
 $Params = @{"properties": {"value": "mysecretpassword"}}
 Invoke-WebRequest -Uri https://<clusterfqdn>:19080/Resources/Secrets/supersecret/values/ver1?api-version=6.4-preview -Method PUT -Body $Params -CertificateThumbprint <ClusterCertThumbprint>
 ```
-## Using the secret in your application
-
-1.  Add a section in settings.xml file with the below content. Note here the Value is of the format {`secretname:version`}
-
-```xml
-  <Section Name="testsecrets">
-   <Parameter Name="TopSecret" Type="SecretsStoreRef" Value="supersecret:ver1"/
-  </Section>
-```
-2. Now import the section in ApplicationManifest.xml
-```xml
-  <ServiceManifestImport>
-    <ServiceManifestRef ServiceManifestName="testservicePkg" ServiceManifestVersion="1.0.0" />
-    <ConfigOverrides />
-    <Policies>
-      <ConfigPackagePolicies CodePackageRef="Code">
-        <ConfigPackage Name="Config" SectionName="testsecrets" EnvironmentVariableName="SecretPath" />
-        </ConfigPackagePolicies>
-    </Policies>
-  </ServiceManifestImport>
-```
-
-Environment Variable 'SecretPath' will point to the directory where all secrets are stored. Each parameter listed under section `testsecrets` will be stored in a separate file. Application can now use the secret as shown below
-```C#
-secretValue = IO.ReadFile(Path.Join(Environment.GetEnvironmentVariable("SecretPath"),  "TopSecret"))
-```
-3. Mounting secrets to a container
-
-Only change required to make the secrets available inside the container is to specify a MountPoint in `<ConfigPackage>`.
-Here is the modified ApplicationManifest.xml  
-
-```xml
-<ServiceManifestImport>
-    <ServiceManifestRef ServiceManifestName="testservicePkg" ServiceManifestVersion="1.0.0" />
-    <ConfigOverrides />
-    <Policies>
-      <ConfigPackagePolicies CodePackageRef="Code">
-        <ConfigPackage Name="Config" SectionName="testsecrets" MountPoint="C:\secrets" EnvironmentVariableName="SecretPath" />
-        <!-- Linux Container
-         <ConfigPackage Name="Config" SectionName="testsecrets" MountPoint="/mnt/secrets" EnvironmentVariableName="SecretPath" />
-        -->
-      </ConfigPackagePolicies>
-    </Policies>
-  </ServiceManifestImport>
-```
-Secrets will be available under the mount point inside your container.
+## Use the secret in your application
+
+Follow these steps to use the secret in your Service Fabric application.
+
+1. Add a section in the **settings.xml** file with the following snippet. Note here that the value is in the format {`secretname:version`}.
+
+   ```xml
+     <Section Name="testsecrets">
+      <Parameter Name="TopSecret" Type="SecretsStoreRef" Value="supersecret:ver1"/
+     </Section>
+   ```
+
+1. Import the section in **ApplicationManifest.xml**.
+   ```xml
+     <ServiceManifestImport>
+       <ServiceManifestRef ServiceManifestName="testservicePkg" ServiceManifestVersion="1.0.0" />
+       <ConfigOverrides />
+       <Policies>
+         <ConfigPackagePolicies CodePackageRef="Code">
+           <ConfigPackage Name="Config" SectionName="testsecrets" EnvironmentVariableName="SecretPath" />
+           </ConfigPackagePolicies>
+       </Policies>
+     </ServiceManifestImport>
+   ```
+
+   The environment variable `SecretPath` will point to the directory where all secrets are stored. Each parameter listed under the `testsecrets` section is stored in a separate file. The application can now use the secret as follows:
+   ```C#
+   secretValue = IO.ReadFile(Path.Join(Environment.GetEnvironmentVariable("SecretPath"),  "TopSecret"))
+   ```
+1. Mount the secrets to a container. The only change required to make the secrets available inside the container is to `specify` a mount point in `<ConfigPackage>`.
+The following snippet is the modified **ApplicationManifest.xml**.  
+
+   ```xml
+   <ServiceManifestImport>
+       <ServiceManifestRef ServiceManifestName="testservicePkg" ServiceManifestVersion="1.0.0" />
+       <ConfigOverrides />
+       <Policies>
+         <ConfigPackagePolicies CodePackageRef="Code">
+           <ConfigPackage Name="Config" SectionName="testsecrets" MountPoint="C:\secrets" EnvironmentVariableName="SecretPath" />
+           <!-- Linux Container
+            <ConfigPackage Name="Config" SectionName="testsecrets" MountPoint="/mnt/secrets" EnvironmentVariableName="SecretPath" />
+           -->
+         </ConfigPackagePolicies>
+       </Policies>
+     </ServiceManifestImport>
+   ```
+   Secrets are available under the mount point inside your container.
+
+1. You can bind a secret to a process environment variable by specifying `Type='SecretsStoreRef`. The following snippet is an example of how to bind the `supersecret` version `ver1` to the environment variable `MySuperSecret` in **ServiceManifest.xml**.
+
+   ```xml
+   <EnvironmentVariables>
+     <EnvironmentVariable Name="MySuperSecret" Type="SecretsStoreRef" Value="supersecret:ver1"/>
+   </EnvironmentVariables>
+   ```
 
-4. Binding secret to an environment variable 
-
-You can bind secret to a process environment variable by specifying Type='SecretsStoreRef'. Here is an example of how to bind `supersecret` version `ver1` to environment variable `MySuperSecret` in ServiceManifest.xml.
-
-```xml
-<EnvironmentVariables>
-  <EnvironmentVariable Name="MySuperSecret" Type="SecretsStoreRef" Value="supersecret:ver1"/>
-</EnvironmentVariables>
-```
 ## Next steps
-Learn more about [application and service security](service-fabric-application-and-service-security.md)
+Learn more about [application and service security](service-fabric-application-and-service-security.md).
