Secure an app in Azure Container Apps Preview

Azure Container Apps allows your application to securely store sensitive configuration values. Once defined at the application level, secured values are available to containers, inside scale rules, and via Dapr.

  • Secrets are scoped to an application, outside of any specific revision of an application.
  • Adding, removing, or changing secrets does not generate new revisions.
  • Each application revision can reference one or more secrets.
  • Multiple revisions can reference the same secret(s).

When a secret is updated or deleted, you can respond to changes in one of two ways:

  1. Deploy a new revision.
  2. Restart an existing revision.

An updated or removed secret does not automatically re-start a revision.

  • Before you delete a secret, deploy a new revision that no longer references the old secret.
  • If you change a secret value, you need to restart the revision to consume the new value.

Defining secrets

Secrets are defined at the application level in the resources.properties.configuration.secrets section.

"resources": [
{
    ...
    "properties": {
        "configuration": {
            "secrets": [
            {
                "name": "queue-connection-string",
                "value": "<MY-CONNECTION-STRING-VALUE>"
            }],
        }
    }
}

Here, a connection string to a queue storage account is declared in the secrets array. To use this configuration you would replace <MY-CONNECTION-STRING-VALUE> with the value of your connection string.

Using secrets

Application secrets are referenced via the secretref property. Secret values are mapped to application-level secrets where the secretref value matches the secret name declared at the application level.

Example

The following example shows an application that declares a connection string at the application level and is used throughout the configuration via secretref.

In this example, the application connection string is declared as queue-connection-string and becomes available elsewhere in the configuration sections.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "location": {
            "type": "String"
        },
        "environment_id": {
            "type": "String"
        },
        "queue-connection-string": {
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
    {
        "name": "queuereader",
        "type": "Microsoft.Web/containerApps",
        "apiVersion": "2021-03-01",
        "kind": "containerapp",
        "location": "[parameters('location')]",
        "properties": {
            "kubeEnvironmentId": "[parameters('environment_id')]",
            "configuration": {
                "activeRevisionsMode": "single",
                "secrets": [
                {
                    "name": "queue-connection-string",
                    "value": "[parameters('queue-connection-string')]"
                }]
            },
            "template": {
                "containers": [
                    {
                        "image": "myregistry/myQueueApp:v1",
                        "name": "myQueueApp",
                        "env": [
                            {
                                "name": "QueueName",
                                "value": "myqueue"
                            },
                            {
                                "name": "ConnectionString",
                                "secretref": "queue-connection-string"
                            }
                        ]
                    }
                ],
                "scale": {
                    "minReplicas": 0,
                    "maxReplicas": 10,
                    "rules": [
                        {
                            "name": "myqueuerule",
                            "azureQueue": {
                                "queueName": "demoqueue",
                                "queueLength": 100,
                                "auth": [
                                    {
                                        "secretRef": "queue-connection-string",
                                        "triggerParameter": "connection"
                                    }
                                ]
                            }
                        }
                    ]
                }
            }
        }
    }]
}

Here, the environment variable named connection-string gets its value from the application-level queue-connection-string secret. Also, the Azure Queue Storage scale rule's authorization configuration uses the queue-connection-string as a connection is established.

To avoid committing secret values to source control with your ARM template, pass secret values as ARM template parameters.

Next steps