I'm about to explore the use of MSI inside Service Fabric. I can enable MSI on the Scale Set through ARM - no problem there.
My Service Fabric Cluster runs many applications and many of them have their own App Registration. At the moment we have stored the clientId/secret in the appmanifest for these apps.
With MSI I can store the credentials in keyvault and fetch the clientId/secret used for each app, but that seems kind of wrong.
Now my question: Would it be possible to set up some kind of delegation between the MSI app registration and the apps running on the Service Fabric? Just to avoid having Client Secrets stored at all.
If you are using the clientid/client secret to acquire an access token, maybe you could instead allow the MSI app registration to access the other apps and then acquire tokens using the MSI principal by means of the 'on behalf of' approach?
Relevant code here.
This way you only need to know the resourceID of the service you want to call, which is not a secret.
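Acquiring a token with the scale set's managed identity, as an added example that is not code from the question or the answer: it calls the IMDS endpoint an Azure VM exposes, passes only the resource id, checks that the returned token is for that resource and caches it until shortly before expiry. The class and function names and the injectable `fetch` hook (used to run it offline) are assumptions of this example.

```python
import json
import time
import urllib.parse
import urllib.request

# Documented IMDS contract: endpoint, api-version and the "Metadata: true" header.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource: str) -> urllib.request.Request:
    """GET asking IMDS for a token for `resource` (e.g. https://vault.azure.net).
    No client secret appears anywhere: the identity is the VM instance itself."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def _default_fetch(req: urllib.request.Request) -> bytes:
    # Real call; IMDS is only reachable from inside the VM / scale set instance.
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


class ManagedIdentityTokenSource:
    """One cached token per resource, refreshed `refresh_margin_s` before expires_on."""

    def __init__(self, fetch=_default_fetch, refresh_margin_s: int = 300, now=time.time):
        self._fetch = fetch          # hypothetical hook so tests need no network
        self._margin = refresh_margin_s
        self._now = now
        self._cache = {}             # resource -> (access_token, expires_on)

    def get_token(self, resource: str) -> str:
        cached = self._cache.get(resource)
        if cached and cached[1] - self._now() > self._margin:
            return cached[0]
        body = json.loads(self._fetch(build_token_request(resource)))
        # Refuse a token minted for a different audience than the one requested.
        if body.get("resource") != resource:
            raise ValueError(f"IMDS returned token for {body.get('resource')!r}, wanted {resource!r}")
        token, expires_on = body["access_token"], int(body["expires_on"])
        self._cache[resource] = (token, expires_on)
        return token
```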