Use managed identity for authentication

Security · Container App · 2023_03

Ensure managed identity is used for authentication.

Description

Using managed identities have the following benefits:

• Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
• You can use role-based access control to grant specific permissions to a managed identity.
• System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
• You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
• You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
• You can use managed identity to create connections for Dapr-enabled applications via Dapr components.

Recommendation

Consider configure a managed identity for each container app.

Examples

Configure with Azure template

To deploy Container Apps that pass this rule:

• Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
• If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet

{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2022-10-01",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned",
    "userAssignedIdentities": {}
  },
  "properties": {}
}

Configure with Bicep

To deploy Container Apps that pass this rule:

• Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
• If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet

resource containerApp 'Microsoft.App/containerApps@2022-10-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
    userAssignedIdentities: {}
  }
  properties: {}
}

Notes

Using managed identities in scale rules isn't supported.

Links

• Use identity-based authentication
• Managed identities in Azure Container Apps
• Azure deployment reference

---

Last update: 2023-03-21

Comments