
Use managed identity for authentication#

Security · Container App · 2023_03

Ensure managed identity is used for authentication.

Description#

Using managed identities has the following benefits:

  • Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
  • You can use role-based access control to grant specific permissions to a managed identity.
  • System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
  • You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
  • You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull container images for your Container App.
  • You can use managed identity to create connections for Dapr-enabled applications via Dapr components.

Recommendation#

Consider configuring a managed identity for each container app.

Examples#

Configure with Azure template#

To deploy Container Apps that pass this rule:

  • Set identity.type to SystemAssigned, UserAssigned, or SystemAssigned,UserAssigned.
  • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference each identity by adding its resource ID as a key of identity.userAssignedIdentities.

For example:

Azure Template snippet
{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2022-10-01",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned",
    "userAssignedIdentities": {}
  },
  "properties": {}
}

Configure with Bicep#

To deploy Container Apps that pass this rule:

  • Set identity.type to SystemAssigned, UserAssigned, or SystemAssigned,UserAssigned.
  • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference each identity by adding its resource ID as a key of identity.userAssignedIdentities.

For example:

Azure Bicep snippet
resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
    userAssignedIdentities: {}
  }
  properties: {}
}
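Setting identity.type is what this rule checks, but the identity only removes a credential once something is bound to it. The following Bicep is an added example, not part of the PSRule documentation or the Azure samples: it covers both the Azure template and Bicep steps above with a user-assigned identity, grants that identity pull-only access to a single private registry, and binds the registry to the identity in configuration.registries so the app pulls images with no username or passwordSecretRef. The parameters appName, location, environmentId and registryName, the identity name, and the image tag are assumptions for illustration.

```bicep
// Added example (not from the PSRule docs): a Container App that pulls its image
// from a private Azure Container Registry via a user-assigned managed identity.
// Assumptions: an existing Container Apps environment (environmentId) and an
// existing registry (registryName) in the same resource group; image tag is illustrative.
param appName string
param location string = resourceGroup().location
param environmentId string
param registryName string

// AcrPull built-in role. The GUID is the role definition ID and does not vary by tenant.
var acrPullRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')

resource acr 'Microsoft.ContainerRegistry/registries@2022-12-01' existing = {
  name: registryName
}

// User-assigned identity: independent of the app's life cycle, reusable across apps.
resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${appName}-identity'
  location: location
}

// Least privilege: pull only, scoped to this one registry rather than the resource group.
// guid() over the scope, principal and role keeps the assignment name deterministic on redeploy.
resource acrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, uai.id, acrPullRoleId)
  scope: acr
  properties: {
    roleDefinitionId: acrPullRoleId
    principalId: uai.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
  name: appName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${uai.id}': {}   // key is the identity's resource ID, value is an empty object
    }
  }
  properties: {
    managedEnvironmentId: environmentId
    configuration: {
      registries: [
        {
          server: acr.properties.loginServer
          identity: uai.id   // registry auth via the identity; no username or passwordSecretRef
        }
      ]
    }
    template: {
      containers: [
        {
          name: 'app'
          image: '${acr.properties.loginServer}/app:1.0.0'
        }
      ]
    }
  }
  // Ensure the role assignment exists before the first image pull is attempted.
  dependsOn: [
    acrPull
  ]
}
```

For a system-assigned identity, set identity.type to SystemAssigned, drop the userAssignedIdentities block, use the string 'system' as the registries[].identity value, and scope the AcrPull assignment to containerApp.identity.principalId; since that principal only exists after the app is created, the role assignment must then be declared after the app, which usually means a second deployment or a module that depends on the app.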

Notes#

Using managed identities in scale rules isn't supported.


Last update: 2023-03-21
