Deploy application into Azure Service Fabric with VSTS and AAD

This article is about enabling Service Fabric Cluster (SFC) in Azure for use with AAD (Azure Active Directory) authentication.

My Setup is as follows

I used VSTS (Visual Studio Team Services), where I built up a release, that cares for deployment of SFC. So to get everything working, you first need a Cluster Endpoint configuration, that allows VSTS to deploy an application into SFC.
To get this right, you can choose from two main possibilities: Certificate-Auth or AAD-Auth
If you like to choose Certificate Auth., than you should read this article here: Deploy Azure Service Fabric Application with VSTS (it’s written by Mike Kaufmann a friend of mine and a MVP for ALM/DevOps).

If you like to choose AAD-Auth, then this is, what you are looking for….

First you have to grab a Powershell-Script, that creates some App registration for you (you could do this by hand, but for being consistent the script is the better choice) [Create a Service Fabric cluster by using Azure Resource Manager (Microsoft Docs) – paragraph  “Set up Azure Active Directory for client authentication”] or simply click this here Download Script, but read this article, to get everything, you should know here.

This generates two App-regs:
ttservicescluster_Cluster and ttservicescluster_client.

 

By the way, it is important, to grab the output of the script, because you need the GUIDs, to setup your cluster access with these J

Now, you have to assign user to the corresponding App

First go to AAD and look for the “Cluster” App registration.

Then, go to that app (Yes there is also another way, to go there…. By using “Enterprise Application”-Menu in AAD)

After opening the App, you can add users or groups (in my case, I added a user)

At least, you have to set the needed right/role, for accessing the SFC (Admin is the right choiceJ )

Having that done, we can concentrate on setting up Cluster Endpoint for Application deployment over VSTS

For doing this, you have to open VSTS Service Tab

… and click dropdown “New Service Endpoint” for creating a cluster endpoint

Fill out as below in the picture and click OK

Now, you are ready, to deploy apps to your cluster.

If this was helpfull, or lacks from Details, please let me know.

The client ‘{0}’ with object id ‘{1}’ does not have authorization to perform action ‘Microsoft.ServiceFabric/register/action’ over scope ‘/subscriptions/{2}’

For an enterprise customer, I hat do develop a solution, that is build in the Cloud (Microsoft’s Cloud Azure). In that project I had the following setup:

For Build & Release, VSTS (Visual Studio Team Services) is used. For deploying bits to Azure I built up a release, that should setup a basic architecture in Azure.
For accessing Azure from VSTS, an IT responsible of that company, created a Service Principal (SP), that can access Azure resources and added that guy as VSTS Endpoint Service.

Now, one of those architecture components is Service Fabric. After creating the Release definition and the scripts in Azure CLI 2.0 I tried to get things working. But unfortunately, the release stopped with following error message:

… ok, maybe I have to register the namespace manually (usually not, but how really knows 😉 ), so I used the following command, before creating service fabric cluster:

and this led to following error:

The client ‘{0}’ with object id ‘{1}’ does not have authorization to perform action ‘Microsoft.ServiceFabric/register/action’ over scope ‘/subscriptions/{2}’

Hm…, was not, what I hoped to get, but expected K ! Are there any account problems? Using a foreign subscription with limited access could be the cause! So I did some investigation on how the SP was created, set up and assigned to VSTS.

And, yeah, this was the right track. It became apparent that the SP was created only in AAD with sufficient rights, but it was not assigned as subscription-user, with contribute rights. After proper configuration, everything worked like a charm.

Hope this is also a solution for you?!