# Use managed identity for authentication
Security · Container App · 2023_03
Ensure managed identity is used for authentication.
## Description
Using managed identities has the following benefits:
- Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
- You can use role-based access control to grant specific permissions to a managed identity.
- System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
- You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
- You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
- You can use managed identity to create connections for Dapr-enabled applications via Dapr components.
## Recommendation
Consider configuring a managed identity for each container app.
## Examples
### Configure with Azure template
To deploy Container Apps that pass this rule:
- Set `identity.type` to `SystemAssigned`, `UserAssigned`, or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:
```json
{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2022-10-01",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned",
    "userAssignedIdentities": {}
  },
  "properties": {}
}
```
### Configure with Bicep
To deploy Container Apps that pass this rule:
- Set `identity.type` to `SystemAssigned`, `UserAssigned`, or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:
```bicep
resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
    userAssignedIdentities: {}
  }
  properties: {}
}
```
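The two configuration steps above (for the Azure template and for Bicep, which compiles to the same ARM JSON) can be checked before deployment. The Python below is an added example, not code from this page or from the PSRule for Azure project: it applies the rule's stated logic to each `Microsoft.App/containerApps` resource in a template, accepting `SystemAssigned`, `UserAssigned` or `SystemAssigned,UserAssigned` and requiring a non-empty `identity.userAssignedIdentities` whenever `UserAssigned` is present. The sample template, app names and the user-assigned identity resource ID are constructed placeholders.

```python
import json

# Constructed sample ARM template: four container apps plus one unrelated resource.
# The user-assigned identity resource ID is a placeholder, not a real resource.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.App/containerApps", "name": "app-system",
         "identity": {"type": "SystemAssigned"}},
        {"type": "Microsoft.App/containerApps", "name": "app-user",
         "identity": {"type": "UserAssigned", "userAssignedIdentities": {
             "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
             "Microsoft.ManagedIdentity/userAssignedIdentities/<uai-name>": {}}}},
        # Both identity kinds requested, but no user-assigned identity referenced.
        {"type": "Microsoft.App/containerApps", "name": "app-both-empty",
         "identity": {"type": "SystemAssigned, UserAssigned", "userAssignedIdentities": {}}},
        # No identity block at all.
        {"type": "Microsoft.App/containerApps", "name": "app-none", "properties": {}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "storage"},
    ]
})

ALLOWED_PARTS = {"systemassigned", "userassigned"}


def check_container_app(resource):
    """Return (passed, reason) for a container app, or (None, reason) for other resource types."""
    if str(resource.get("type", "")).lower() != "microsoft.app/containerapps":
        return None, "not a container app"
    identity = resource.get("identity") or {}
    raw_type = identity.get("type", "")
    # ARM accepts "SystemAssigned,UserAssigned" with or without a space, so split on commas.
    parts = {p.strip().lower() for p in str(raw_type).split(",") if p.strip()}
    if not parts or parts == {"none"}:
        return False, "identity.type is missing or None"
    if not parts <= ALLOWED_PARTS:
        return False, f"identity.type has an unexpected value: {raw_type!r}"
    if "userassigned" in parts:
        uai = identity.get("userAssignedIdentities")
        if not isinstance(uai, dict) or not uai:
            return False, "UserAssigned is set but identity.userAssignedIdentities references no identity"
    return True, f"managed identity configured ({raw_type})"


def check_template(template_json):
    """Evaluate every container app in an ARM template; returns {name: (passed, reason)}."""
    template = json.loads(template_json)
    results = {}
    for resource in template.get("resources", []):
        passed, reason = check_container_app(resource)
        if passed is None:
            continue  # rule only targets container apps
        results[resource.get("name", "<unnamed>")] = (passed, reason)
    return results


if __name__ == "__main__":
    for name, (passed, reason) in check_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}: {reason}")
```

Running the script flags `app-both-empty` and `app-none` while `app-system` and `app-user` pass; the storage account is skipped because the rule applies only to container apps.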
## Notes
Using managed identities in scale rules isn't supported.
## Links
- Use identity-based authentication
- Managed identities in Azure Container Apps
- Azure deployment reference
Last update: 2023-03-21