
Use Key Vaults to Store Azure Container App Secrets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Reference secrets stored in Azure Key Vault from your Microsoft Azure Container Apps without requiring any code changes. Azure Key Vault is a cloud service that provides centralized secrets management with full control over access policies and audit history.

Security

To maintain the security of the secrets used by your Microsoft Azure Container Apps, it is strongly recommended to store them in an Azure Key Vault and reference them from that key vault. Storing these secrets externally and referencing them in the Container App configuration also enables key rotation without redeployment.


Audit

To determine if Azure Key Vaults are used to store Microsoft Azure Container App secrets, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to examine.

06 In the resource navigation panel, under Settings, choose Secrets to view the application secrets defined for the selected Azure Container App. Secrets are key-value pairs that can be used to protect sensitive data such as passwords and connection strings.

07 Choose the application secret that you want to examine and click on the Edit button (i.e., pencil icon), listed in the Edit column.

08 In the Edit secret panel, check the Type attribute value to determine the type of the verified application secret. If Type is not set to Key Vault reference, the Azure Key Vault service is not used to store and manage the selected application secret for your Azure Container App. If Type is set to Key Vault reference, continue the Audit process with the next step.

09 To check the Azure Key Vault configuration for compliance, perform the following actions:

  1. On your Container App blade, in the resource navigation panel, under Settings, choose Identity, and select the System assigned tab. If the Status is set to Off, there is no system-assigned managed identity set for your Container App. Because Azure Key Vault access policies rely on assigning a principal to grant access, if there is no system-assigned managed identity set for your Container App, the relevant Key Vault access policy can't have the principal correctly defined.
  2. Navigate to the Key Vaults blade at https://portal.azure.com/#browse/Microsoft.KeyVault%2Fvaults and click on the name of the Azure Key Vault that stores the verified secret. If there are no Key Vaults available in your Azure subscription, the Audit process ends here. Otherwise, you can continue the Audit process with the next step.
  3. On your Key Vault blade, under Objects, choose Secrets and click on the name of the secret defined for your Container App. If there is no relevant secret defined, the Audit process ends here. Otherwise, continue the Audit process with the next step.
  4. Back to the Key Vault navigation panel, choose Access policies, and check the Secret Permissions column for each access policy defined. If there are no policies with Secret Permissions set to Get, List and Set, the selected Key Vault is not properly configured to allow your Container App to access application secrets.

10 Repeat steps no. 7 - 9 for each application secret defined for the selected Container App.

11 Repeat steps no. 5 - 10 for each Azure Container App deployed in the selected Azure subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Microsoft Azure Container App available in the selected subscription:

az containerapp list
	--query '[*].id'

05 The command output should return the requested Azure Container App IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-openai-container-app"
]

06 Run containerapp show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to examine as the identifier parameter, to describe the name of each application secret created for the selected Container App:

az containerapp show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app"
	--query 'properties.configuration.secrets[].name'

07 The command output should return the requested application secret names:

[
	"tm-api-access-key",
	"tm-app-connection-string"
]

08 Run containerapp secret show command (Windows/macOS/Linux) to describe the full URL of the Key Vault secret referenced by the specified application secret:

az containerapp secret show
	--secret-name "tm-api-access-key"
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app"
	--query '{"keyVaultUrl":keyVaultUrl}'

09 The command output should return the requested Key Vault secret URL:

{
	"keyVaultUrl": null
}

If the containerapp secret show command output returns null for the "keyVaultUrl" attribute, as shown in the example above, the Azure Key Vault service is not used to store and manage the selected application secret for your Azure Container App. If the "keyVaultUrl" attribute value is not null, continue the Audit process with the next step.

10 To check the Key Vault configuration for compliance, perform the following actions:

  1. Run containerapp show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to examine as the identifier parameter, to determine the type of the managed identity (i.e. system-assigned and/or user-assigned) configured for the selected Container App:
    az containerapp show
    	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app"
    	--query '{"IdentityType":identity.type}'
    
  2. The containerapp show command should return one of the following outputs:
    1. If the command does not return "SystemAssigned" for the "IdentityType" attribute, there is no system-assigned managed identity set for your Container App. Because Azure Key Vault access policies rely on assigning a principal to grant access, if there is no system-assigned managed identity set for your Container App, the relevant Key Vault access policy can't have the principal correctly defined.
    2. If the command returns "SystemAssigned" for the "IdentityType" attribute, as shown in the example below, you can continue the Audit process with the next step:
      {
      	"IdentityType": "SystemAssigned"
      }
      
  3. Run keyvault list command (Windows/macOS/Linux) with custom query filters to list the name of each Azure Key Vault (and the name of the associated resource group) deployed in the selected Azure subscription:
    az keyvault list
    	--output table
    	--query '[*].{name:name, resourceGroup:resourceGroup}'
    
  4. The command should return a table with requested information, as shown in the output example below. Otherwise, if the keyvault list command does not produce an output, there are no Azure Key Vaults available in the selected subscription:
    Name                   ResourceGroup
    -------------------    ------------------------------
    cc-project5-key-vault  cloud-shell-storage-westeurope
    cc-main-app-key-vault  cloud-shell-storage-westeurope
    
  5. Run keyvault secret list command (Windows/macOS/Linux) with the name of the Key Vault that you want to examine as the identifier parameter, to list the secrets stored within the selected vault. The command output should return the list of secrets managed by the selected Key Vault. If the command does not produce an output, there are no secrets available within the selected Key Vault, therefore, the Audit process ends here. Otherwise, you can continue the Audit process with the next step:
    az keyvault secret list
    	--vault-name cc-project5-key-vault
    	--query '[*].name'
    
  6. The command should return an array with the requested information:
    [
    	"tm-api-access-key",
    	"tm-app-db-password"
    ]
    
  7. Run keyvault show command (Windows/macOS/Linux) to describe the access policy settings available for the selected Key Vault:
    az keyvault show
    	--name cc-project5-key-vault
    	--query 'properties.accessPolicies'
    
  8. Check the "secrets" attribute value to determine the secret permissions defined for each Key Vault policy. If there are no policies with "secrets" set to "Get", "List" and "Set", the selected Key Vault is not properly configured to allow your Container App to access the secrets:
    [
    	{
    		"applicationId": null,
    		"objectId": "abcd1234-1234-1234-1234-abcd1234abcd",
    		"permissions": {
    			"certificates": [
    				"Get",
    				"List",
    				"Update",
    				"Create",
    				"Import",
    				"Delete",
    				"Recover",
    				"Backup",
    				"Restore",
    				"ManageContacts",
    				"ManageIssuers",
    				"GetIssuers",
    				"ListIssuers",
    				"SetIssuers",
    				"DeleteIssuers"
    			],
    			"keys": [
    				"Get",
    				"List",
    				"Update",
    				"Create",
    				"Import",
    				"Delete",
    				"Recover",
    				"Backup",
    				"Restore"
    			],
    			"secrets": [
    				"Get",
    				"List",
    				"Set",
    				"Delete",
    				"Recover",
    				"Backup",
    				"Restore"
    			],
    			"storage": null
    		},
    		"tenantId": "1234abcd-1234-1234-1234-1234abcd1234"
    	}
    ]
    

11 Repeat steps no. 8 - 10 for each application secret defined for the selected Container App.

12 Repeat steps no. 6 - 11 for each Azure Container App deployed in the selected Azure subscription.

13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.
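The Azure CLI audit above is a manual walk over three pieces of JSON: the identity block from containerapp show, the per-secret record from containerapp secret show, and the access policy list from keyvault show. The following script, added here as an example and not part of the Conformity page or the Azure CLI, applies the same decision rules to that JSON offline. The sample records are constructed from the example output shown above (the names, IDs and URLs are placeholders), and the function names are the example's own. Permission names are compared case-insensitively because the CLI output on this page shows them both as "Get" and as "get".

```python
"""Offline checker for the Key Vault reference audit described on this page.

Input structures mirror the JSON returned by the Azure CLI commands above:
  - `az containerapp show`        (identity block)
  - `az containerapp secret show` (one record per secret: name, keyVaultUrl, identity)
  - `az keyvault show --query properties.accessPolicies` (access policy list per vault)
All sample data below is constructed for this example.
"""
from urllib.parse import urlparse

# The page requires Get, List and Set on secrets for the app's principal.
REQUIRED_SECRET_PERMISSIONS = {"get", "list", "set"}


def vault_name_from_url(key_vault_url):
    """Return the vault name from https://<vault>.vault.azure.net/secrets/<name>/<version>."""
    host = urlparse(key_vault_url).hostname or ""
    if not host.endswith(".vault.azure.net"):
        raise ValueError(f"not a Key Vault secret URL: {key_vault_url}")
    return host.split(".", 1)[0]


def policy_grants(policies, principal_id):
    """True if an access policy for principal_id grants Get, List and Set on secrets."""
    for policy in policies:
        if policy.get("objectId") != principal_id:
            continue
        secrets = (policy.get("permissions") or {}).get("secrets") or []
        granted = {p.lower() for p in secrets}
        if REQUIRED_SECRET_PERMISSIONS <= granted:
            return True
    return False


def audit_container_app(app, secret_records, vault_policies):
    """Return {secret_name: finding}; the finding is 'compliant' when every check passes.

    app:            `az containerapp show` output (identity.type and identity.principalId are used)
    secret_records: list of `az containerapp secret show` outputs
    vault_policies: {vault_name: access policy list from `az keyvault show`}
    """
    identity = app.get("identity") or {}
    # identity.type can be "SystemAssigned", "UserAssigned", "SystemAssigned, UserAssigned" or "None".
    has_system_identity = "SystemAssigned" in (identity.get("type") or "")
    principal_id = identity.get("principalId")
    findings = {}
    for rec in secret_records:
        name = rec["name"]
        url = rec.get("keyVaultUrl")
        if not url:
            # Audit step 09: keyVaultUrl is null, so the value lives in the app configuration.
            findings[name] = "secret value is stored in the Container App, not a Key Vault reference"
            continue
        if not has_system_identity:
            # Audit step 10.2: a reference cannot be resolved without a principal to grant access to.
            findings[name] = "Key Vault reference but no system-assigned managed identity on the app"
            continue
        vault = vault_name_from_url(url)
        policies = vault_policies.get(vault)
        if policies is None:
            # Audit step 10.4: the referenced vault does not exist in the subscription.
            findings[name] = f"referenced Key Vault '{vault}' not found in subscription"
            continue
        if not policy_grants(policies, principal_id):
            # Audit step 10.8: no policy with Get, List and Set for the app's principal.
            findings[name] = f"no access policy on '{vault}' granting Get/List/Set to the app identity"
            continue
        findings[name] = "compliant"
    return findings


# Constructed sample data, modelled on the example output shown on this page.
SAMPLE_APP = {"identity": {"type": "SystemAssigned",
                           "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234"}}
SAMPLE_SECRETS = [
    {"name": "tm-api-access-key", "keyVaultUrl": None, "identity": None},
    {"name": "tm-app-access-key",
     "keyVaultUrl": "https://tm-main-key-vault.vault.azure.net/secrets/tm-app-secret/abcd1234abcd1234abcd1234abcd1234",
     "identity": "system"},
    {"name": "tm-app-db-password",
     "keyVaultUrl": "https://cc-project5-key-vault.vault.azure.net/secrets/tm-app-db-password/0123",
     "identity": "system"},
]
SAMPLE_POLICIES = {
    "tm-main-key-vault": [{"objectId": "abcd1234-abcd-1234-abcd-1234abcd1234",
                           "permissions": {"secrets": ["set", "list", "get"]}}],
    # Policy exists but only grants Get, so this vault fails the check.
    "cc-project5-key-vault": [{"objectId": "abcd1234-abcd-1234-abcd-1234abcd1234",
                               "permissions": {"secrets": ["Get"]}}],
}


def run_sample():
    """Audit the constructed sample; used by the usage block below."""
    return audit_container_app(SAMPLE_APP, SAMPLE_SECRETS, SAMPLE_POLICIES)


if __name__ == "__main__":
    for secret_name, finding in run_sample().items():
        print(f"{secret_name}: {finding}")
```

To use it against a real subscription, feed it the JSON from the commands in the audit steps (for example, `az containerapp show --ids ... --output json` and `az containerapp secret show ... --output json` for each secret name returned by step 06). Note that the script only reproduces the page's vault access policy check; a vault that uses Azure RBAC instead of the vault access policy permission model will have an empty accessPolicies list and needs its role assignments reviewed separately.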

Remediation / Resolution

To use the Azure Key Vault service to store and manage secrets for your Microsoft Azure Container Apps, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.

05 Click on the name (link) of the Azure Container App that you want to configure.

06 In the resource navigation panel, under Settings, select Identity.

07 Choose the System assigned tab and select On under Status to enable the system-assigned managed identity for the selected Container App. Choose Save and select Yes to confirm the changes.

08 Navigate to the Key Vaults blade available at https://portal.azure.com/#browse/Microsoft.KeyVault%2Fvaults, choose Create, and perform the following actions to create the Key Vault that will store your Azure Container App secret:

  1. For Basics, choose the appropriate subscription and resource group, provide a unique name for the new Key Vault, select the Azure cloud region where the vault will be deployed, and choose the appropriate pricing tier. You can also configure the Purge Protection feature at this step. Choose Next to continue the setup process.
  2. For Access configuration, select Vault access policy for Permission model, and choose Create under Access policies to create the required access policy. For Permissions, select Get, List, and Set for Secret permissions. For Principal, choose the name of your Container App (confirming that the object ID matches the one identified at step no. 6). Once the access policy is configured, choose Create to attach it to your Key Vault. Choose Next to continue the setup.
  3. For Networking, configure the network access control for your Key Vault. Choose the connectivity method that you want to use and ensure that only trusted Azure services and/or networks can access your vault. Choose Next to continue.
  4. For Tags, use the Name and Value fields to create tags that will help organize the identity of the Key Vault. Choose Next : Review + create > to validate the setup.
  5. For Review + create, review the configuration details, then choose Create to create your new Azure Key Vault.

09 To create a new secret for your Microsoft Azure Container App, click on the name (link) of the newly created Key Vault, select Secrets under Objects, choose Generate/Import, and perform the following operations:

  1. For Name, enter a valid secret name.
  2. For Secret value, provide a single-line secret value.
  3. (Optional) For Set activation date and Set expiration date, configure an activation and an expiration date.
  4. Set the Enabled flag to Yes.
  5. Choose Create to generate your new Key Vault secret.
  6. Click on the name (link) of the new Key Vault secret and copy the secret URL (i.e., https://\<key-vault-name\>.vault.azure.net/secrets/\<secret-name\>/\<secret-version\>).

10 Navigate back to the Container Apps blade at https://portal.azure.com/#browse/Microsoft.App%2FcontainerApps, and click on the name (link) of the Azure Container App that you want to configure.

11 In the resource navigation panel, under Settings, select Secrets, choose Add, and perform the following actions to create a new application secret for your Container App:

  1. For Key, provide a unique name for the new secret.
  2. For Type, choose Key Vault reference.
  3. For Key Vault secret URL, paste the full URL of the Key Vault secret copied at step no. 9.
  4. For Managed identity, select System assigned. The identity will be used to retrieve your secret from the Key Vault.
  5. Choose Add to create your new application secret.

12 Repeat steps no. 5 – 11 for each Azure Container App that you want to configure, deployed in the selected Azure subscription.

13 Repeat steps no. 3 – 12 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Container App available in the selected subscription:

az containerapp list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Container App names:

Name                        ResourceGroup
-------------------------   ------------------------------
tm-project5-container-app   cloud-shell-storage-westeurope
tm-project5-openai-app      cloud-shell-storage-westeurope

06 Run containerapp identity assign command (Windows/macOS/Linux) to enable the system-assigned managed identity for the specified Azure Container App:

az containerapp identity assign
	--name tm-project5-container-app
	--resource-group cloud-shell-storage-westeurope
	--system-assigned

07 Once the assignment process is completed, the command output should return the information available for the managed identity (including the principal ID, i.e. "principalId"):

{
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
	"type": "SystemAssigned"
}

08 Run keyvault create command (Windows/macOS/Linux) to create the Azure Key Vault where the Container App secret will be placed:

az keyvault create
	--name tm-main-key-vault
	--resource-group cloud-shell-storage-westeurope
	--location westeurope
	--enabled-for-deployment true
	--enabled-for-template-deployment true
	--query 'id'

09 The command output should return the ID of the new Microsoft Azure Key Vault:

"/subscriptions/abcd1234-abcd-1234-abcd-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/tm-main-key-vault"

10 Run keyvault set-policy command (Windows/macOS/Linux) with the principal ID returned at step no. 7 and the name of the newly created Key Vault as the identifier parameters, to assign the right permissions for the selected Key Vault:

az keyvault set-policy
	--name tm-main-key-vault
	--object-id abcd1234-abcd-1234-abcd-1234abcd1234
	--secret-permissions get list set
	--query 'properties.accessPolicies'

11 The command output should return the new Key Vault access policy:

[
	{
		"applicationId": null,
		"objectId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"permissions": {
			"certificates": [
				"Get",
				"List",
				"Update",
				"Create",
				"Import",
				"Delete",
				"Recover",
				"Backup",
				"Restore",
				"ManageContacts",
				"ManageIssuers",
				"GetIssuers",
				"ListIssuers",
				"SetIssuers",
				"DeleteIssuers"
			],
			"keys": [
				"Get",
				"List",
				"Update",
				"Create",
				"Import",
				"Delete",
				"Recover",
				"Backup",
				"Restore"
			],
			"secrets": [
				"Get",
				"List",
				"Set",
				"Delete",
				"Recover",
				"Backup",
				"Restore"
			],
			"storage": null
		},
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234"
	},
	{
		"applicationId": null,
		"objectId": "thisismy-new1-web2-app3-4identifier5",
		"permissions": {
			"certificates": null,
			"keys": null,
			"secrets": [
				"set",
				"list",
				"get"
			],
			"storage": null
		},
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234"
	}
]

12 Run keyvault secret set command (Windows/macOS/Linux) to create the Key Vault secret for your Microsoft Azure Container App:

az keyvault secret set
	--name "tm-app-secret"
	--value "<enter-the-secret-value-here>"
	--vault-name "tm-main-key-vault"
	--disabled false
	--query 'id'

13 The command output should return the URL of the new Key Vault secret:

"https://tm-main-key-vault.vault.azure.net/secrets/tm-app-secret/abcd1234abcd1234abcd1234abcd1234"

14 Run containerapp secret set command (Windows/macOS/Linux) to create a new application secret for your Microsoft Azure Container App:

az containerapp secret set
	--name tm-project5-container-app
	--resource-group cloud-shell-storage-westeurope
	--secrets tm-app-access-key=keyvaultref:https://tm-main-key-vault.vault.azure.net/secrets/tm-app-secret/abcd1234abcd1234abcd1234abcd1234,identityref:system

15 The command output should return the application secrets available for the selected Container App:

[
	{
		"name": "tm-api-access-key"
	},
	{
		"identity": "system",
		"keyVaultUrl": "https://tm-main-key-vault.vault.azure.net/secrets/tm-app-secret/abcd1234abcd1234abcd1234abcd1234",
		"name": "tm-app-access-key"
	}
]

16 Repeat steps no. 6 – 15 for each Azure Container App that you want to configure, deployed in the selected Azure subscription.

17 Repeat steps no. 3 – 16 for other subscriptions created in your Microsoft Azure cloud account.


Publication date Nov 20, 2024