Use managed identity for authentication

Security · Container App · Rule · 2023_03

Ensure managed identity is used for authentication.

Description

Using managed identities have the following benefits:

• Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
• You can use role-based access control to grant specific permissions to a managed identity.
• System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
• You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
• You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
• You can use managed identity to create connections for Dapr-enabled applications via Dapr components.

Recommendation

Consider configure a managed identity for each container app.

Examples

Configure with Azure template

To deploy Container Apps that pass this rule:

• Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
• If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet

{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2023-05-01",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
    "template": {
      "revisionSuffix": "[parameters('revision')]",
      "containers": "[variables('containers')]"
    },
    "configuration": {
      "ingress": {
        "allowInsecure": false,
        "stickySessions": {
          "affinity": "none"
        }
      }
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]"
  ]
}

Configure with Bicep

To deploy Container Apps that pass this rule:

• Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
• If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet

resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    environmentId: containerEnv.id
    template: {
      revisionSuffix: revision
      containers: containers
    }
    configuration: {
      ingress: {
        allowInsecure: false
        stickySessions: {
          affinity: 'none'
        }
      }
    }
  }
}

Notes

Using managed identities in scale rules isn't supported. Init containers can't access managed identities.

Links

• Use identity-based authentication
• Managed identities in Azure Container Apps
• Azure deployment reference

---

Last update: 2023-10-01

Comments