Referencing Key Vault secrets in a new Container App

[AndersSahlin]

I am creating a new Container App and Key Vault using a Bicep template. I want the Container App to contain a secret that is referencing a Key Vault secret (password to Container registry). I want the Container App to authenticate to the Key Vault using its System assigned identity.

It seems like I cannot accomplish this, since the key vault role assignment needs the Container app to be created first, and the Container app deployment times out since it cannot resolve the secret from the key vault reference.

Does anyone have a suggestion on how to approach this issue? Can I insert the secrets in a secondary Bicep block like you can with Key Vault secrets or Web App appsettings?

Minimal example:

@description('Location of all resources')
param location string = resourceGroup().location

@description('Tenant Id')
param tenantId string = subscription().tenantId

var keyVaultName = 'keyvault-${uniqueString('keyvault', resourceGroup().id)}}'
var logAnalyticsWorkspaceName = 'law-${uniqueString('law', resourceGroup().id)}}'
var containerAppsEnvironmentName = 'env-${uniqueString('env', resourceGroup().id)}}'
var containerAppApiName = 'capp-api-${uniqueString('capp-api', resourceGroup().id)}}'
var containerRegistryName = 'contregi-${uniqueString('contregi', resourceGroup().id)}}'

@description('Log Analytics workspace')
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: logAnalyticsWorkspaceName
  location: location
  properties: {
    sku: {
      name: 'pergb2018'
    }
    retentionInDays: 30
    features: {
      legacy: 0
      searchVersion: 1
      enableLogAccessUsingOnlyResourcePermissions: true
    }
    workspaceCapping: {
      dailyQuotaGb: json('-1.0')
    }
    publicNetworkAccessForIngestion: 'Enabled'
    publicNetworkAccessForQuery: 'Enabled'
  }
}

@description('Container apps environment')
resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-02-preview' = {
  name: containerAppsEnvironmentName
  location: location
  properties: {
    appLogsConfiguration: {
      destination: 'log-analytics'
      logAnalyticsConfiguration: {
        customerId: logAnalyticsWorkspace.properties.customerId
        sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
      }
    }
  }
}

@description('Registry for container apps')
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
  name: containerRegistryName
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    adminUserEnabled: true
  }
}

@description('Api container app')
resource containerAppApi 'Microsoft.App/containerApps@2023-05-02-preview' = {
  name: containerAppApiName
  location: location
  properties: {
    managedEnvironmentId: containerAppsEnvironment.id
    environmentId: containerAppsEnvironment.id
    configuration: {
      secrets: [
        {
          name: 'registry-password'
          keyVaultUrl: secret_CONTAINERREGISTRYPASSWORD.properties.secretUri
          identity: 'System'
        }
      ]
      activeRevisionsMode: 'Single'
      ingress: {
        external: true
        targetPort: 80
        exposedPort: 0
        transport: 'Auto'
        traffic: [
          {
            weight: 100
            latestRevision: true
          }
        ]
        allowInsecure: false
        stickySessions: {
          affinity: 'none'
        }
      }
      registries: [
        {
          server: containerRegistry.properties.loginServer
          username: containerRegistry.name
          passwordSecretRef: 'registry-password'
        }
      ]
    }
    template: {
      containers: [
        {
          image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'//'${containerRegistry.properties.loginServer}/api-image:0'
          name: 'container-app-api'
          env: []
          resources: {
            cpu: json('0.5')
            memory: '1Gi'
          }
        }
      ]
      scale: {
        maxReplicas: 10
      }
    }
  }
  identity: {
    type: 'SystemAssigned'
  }
}

@description('Key vault')
resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: keyVaultName
  location: location
  tags: {}
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenantId
    enabledForDeployment: false
    enabledForDiskEncryption: false
    enabledForTemplateDeployment: false
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enableRbacAuthorization: true
    publicNetworkAccess: 'Enabled'
  }
}

resource secret_CONTAINERREGISTRYPASSWORD 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  parent: keyVault
  name: 'CONTAINERREGISTRYPASSWORD'
  properties: {
    value: containerRegistry.listCredentials().passwords[0].value
  }
}

@description('This is the built-in Key Vault Secret User role. See https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#key-vault-secrets-user')
resource keyVaultSecretUserRoleRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: subscription()
  name: '4633458b-17de-408a-b874-0445c86b69e6'
}

@description('This allows the Api container app to read secret contents from the key vault')
resource keyVaultSecretUserRoleAssignment_ContainerAppApi 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: keyVault
  name: guid(resourceGroup().id, containerAppApi.id, keyVaultSecretUserRoleRoleDefinition.id)
  properties: {
    roleDefinitionId: keyVaultSecretUserRoleRoleDefinition.id
    principalId: containerAppApi.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

[jeskew]

Can you use a user-assigned managed identity instead of a system assigned one? You can create a user-assigned managed identity before creating either the Key Vault or the container app, which should take care of the chicken-and-egg situation you're facing now:

resource managedId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'containerAppManagedId'
  location: resourceGroup().location
}

// ...

resource containerAppApi 'Microsoft.App/containerApps@2023-05-02-preview' = {
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedId.id}': {}
    }
  }
  // ...
}

// ...

resource keyVaultSecretUserRoleAssignment_ContainerAppApi 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: keyVault
  name: guid(resourceGroup().id, managedId.id, keyVaultSecretUserRoleRoleDefinition.id)
  properties: {
    roleDefinitionId: keyVaultSecretUserRoleRoleDefinition.id
    principalId: managedId.properties.principalId
  }
}

[AndersSahlin]

Thanks for the reply!

Your suggestion worked great. I had to make an additional change to the secret definition, where I specified the managed identity Id, instead of System:

resource containerAppApi 'Microsoft.App/containerApps@2023-05-02-preview' = {
  properties: {
    configuration: {
      secrets: [
        {
          name: 'registry-password'
          keyVaultUrl: secret_CONTAINERREGISTRYPASSWORD.properties.secretUri
          identity: managedId.id // <-- Specify the managed identity id
        }
        // ...
      ]
    }
    // ...
  }
  // ...
}

[linxcat]

Would be great if there was a way to actually solve the issue with this feature, rather than the solution being "just don't"

[linxcat]

Same here, by the way. Found in my research: https://stackoverflow.com/questions/74413085/how-do-i-configure-my-bicep-scripts-to-allow-a-container-app-to-pull-an-image-fr