
Right way to add Managed Identity to Azure service fabric


Since there is no straightforward way to add a Managed Identity directly to Azure Service Fabric, I am thinking of adding the Managed Identity instead to the Azure VM Scale Set instance, which is in turn managed by the intended Azure Service Fabric instance, so that the Service Fabric applications (which eventually get deployed to the VMs of that Azure VM Scale Set instance) can leverage the Managed Identity provisioned for the Azure VM Scale Set instance to access other Azure resources like Azure Key Vault etc.

Is this the right way of creating a managed identity for Azure Service Fabric applications? Or is there any way of enabling a managed identity for Azure Service Fabric using PowerShell or the Azure portal?

Is there any way to restrict the Managed Identity to only certain applications in the Azure Service Fabric cluster, rather than all applications?

Please clarify.


Solution

  • Is this the right way of creating a managed identity for Azure Service Fabric applications? Or is there any way of enabling a managed identity for Azure Service Fabric using PowerShell or the Azure portal?

    Yes, it should be the right way; you could leverage the MSI (managed identity) of the VMSS to access Azure resources. The doc also mentions the same approach - Authenticate Service Fabric applications to Azure Resources using Managed Service Identity (MSI); it provides an ARM template to enable the MSI.

    To enable the MSI of the VMSS via PowerShell or the portal, you could refer to

    Note: Before you use the MSI to access Azure resources, you need to grant the correct RBAC roles to the MSI at the resource scope. For Azure Key Vault, you need to add the MSI to the access policy.

  • Is there any way to restrict the Managed Identity to only certain applications in the Azure Service Fabric cluster, rather than all applications?

    No, you can't. When the MSI is enabled for the VMSS, it applies to all the applications in the VMSS.

    If you want to restrict the MSI to only a certain application, you may need to deploy the Service Fabric application with a system-assigned or user-assigned managed identity and use the MSI of the application instead of the VMSS; make sure to enable the Managed Identity Token Service on the cluster first.
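The following is an added example that is not code from the question, the answer, or Microsoft. It covers both halves of the answer in one script: Part 1 is the operator-side PowerShell (Az module, after Connect-AzAccount) that enables the system-assigned identity on the VMSS behind a Service Fabric node type and grants it least-privilege Key Vault access, which is the identity shared by every application on that node type. Part 2 runs inside a service and shows the difference between consuming that shared VMSS identity (Instance Metadata Service) and consuming an application-scoped identity (Service Fabric Managed Identity Token Service). Assumptions: all resource names are placeholders; the token service's environment variables (IDENTITY_ENDPOINT, IDENTITY_HEADER, IDENTITY_SERVER_THUMBPRINT) and its api-version 2019-07-01-preview are as documented for the preview of that feature; Part 2 needs PowerShell 7 for the certificate callback.

```powershell
# Added example, not code from the original post or from Microsoft.
# Part 1: run by the cluster operator with the Az module (Connect-AzAccount first).
# Part 2: run inside a Service Fabric service on PowerShell 7.
# All resource names below are placeholders.

# ---- Part 1: VMSS-level identity (applies to every application on the node type) ----
function Enable-SfNodeTypeIdentity {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $ScaleSetName,   # VMSS backing the SF node type
        [Parameter(Mandatory)] [string] $VaultName
    )
    # Turn on the system-assigned identity for the scale set.
    Update-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $ScaleSetName `
        -IdentityType SystemAssigned | Out-Null

    # Read back the service principal object id Azure AD created for the identity.
    $vmss = Get-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $ScaleSetName
    $principalId = $vmss.Identity.PrincipalId
    if (-not $principalId) { throw "No identity was provisioned on $ScaleSetName" }

    # Key Vault (access-policy model): grant only what the applications need (get/list secrets).
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId `
        -PermissionsToSecrets get, list

    # For other resources, assign an RBAC role scoped to that resource, not the subscription, e.g.:
    # New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Storage Blob Data Reader' `
    #     -Scope (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name 'stsfapp').Id

    # Return the effective policy so the operator can verify exactly what was granted.
    (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
        Where-Object ObjectId -eq $principalId |
        Select-Object ObjectId, PermissionsToSecrets
}

# ---- Part 2: token acquisition inside a service, from either identity source ----
function Get-ManagedIdentityToken {
    param(
        [ValidateSet('Vmss', 'Application')] [string] $Source,
        [string] $Resource = 'https://vault.azure.net'
    )
    $encoded = [uri]::EscapeDataString($Resource)

    if ($Source -eq 'Vmss') {
        # The VMSS identity is served by the Azure Instance Metadata Service over plain HTTP
        # on the link-local address and is reachable by any process on the node;
        # the Metadata header is mandatory.
        $uri = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$encoded"
        $token = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Metadata = 'true' }
        return $token.access_token
    }

    # Application identity: Service Fabric injects the token service endpoint, a
    # per-activation secret and the thumbprint of the token service's TLS certificate.
    $endpoint   = $env:IDENTITY_ENDPOINT
    $secret     = $env:IDENTITY_HEADER
    $thumbprint = $env:IDENTITY_SERVER_THUMBPRINT
    if (-not ($endpoint -and $secret -and $thumbprint)) {
        throw 'Application managed identity is not configured for this service (IDENTITY_* variables missing).'
    }

    # Pin the token service certificate to the injected thumbprint rather than disabling validation.
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.ServerCertificateCustomValidationCallback = {
        param($request, $cert, $chain, $errors)
        $cert.Thumbprint -eq $thumbprint
    }.GetNewClosure()
    $client = [System.Net.Http.HttpClient]::new($handler)
    $client.DefaultRequestHeaders.Add('secret', $secret)
    # api-version of the preview Managed Identity Token Service (assumption, see lead-in)
    $uri  = "$endpoint?api-version=2019-07-01-preview&resource=$encoded"
    $json = $client.GetStringAsync($uri).GetAwaiter().GetResult()
    return ($json | ConvertFrom-Json).access_token
}

# Usage inside the service: read a secret with the application's own identity.
# $bearer = Get-ManagedIdentityToken -Source Application
# Invoke-RestMethod -Uri 'https://kv-sfapp-secrets.vault.azure.net/secrets/DbPassword?api-version=7.4' `
#     -Headers @{ Authorization = "Bearer $bearer" }
```

The two branches of Get-ManagedIdentityToken make the answer's point concrete: the IMDS endpoint answers any process on the node, so a grant to the VMSS identity is a grant to every application deployed there, whereas the token service only honours requests carrying the secret injected into a specific service's environment, which is what lets a Key Vault access policy be scoped to one application.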