Skip to content

Use managed identity for authentication#

Security · Container App · Rule · 2023_03 · Important

Ensure managed identity is used for authentication.

Description#

Using managed identities have the following benefits:

  • Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
  • You can use role-based access control to grant specific permissions to a managed identity.
  • System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
  • You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
  • You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
  • You can use managed identity to create connections for Dapr-enabled applications via Dapr components.

Recommendation#

Consider configure a managed identity for each container app.

Examples#

Configure with Azure template#

To deploy Container Apps that pass this rule:

  • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
  • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet
{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2023-05-01",
  "name": "[parameters('appName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
    "template": {
      "revisionSuffix": "[parameters('revision')]",
      "containers": "[variables('containers')]",
      "scale": {
        "minReplicas": 2
      }
    },
    "configuration": {
      "ingress": {
        "allowInsecure": false,
        "stickySessions": {
          "affinity": "none"
        }
      }
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]"
  ]
}

Configure with Bicep#

To deploy Container Apps that pass this rule:

  • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
  • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet
resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    environmentId: containerEnv.id
    template: {
      revisionSuffix: revision
      containers: containers
      scale: {
        minReplicas: 2
      }
    }
    configuration: {
      ingress: {
        allowInsecure: false
        stickySessions: {
          affinity: 'none'
        }
      }
    }
  }
}

Configure with Azure Verified Modules

A pre-built module is avilable on the Azure Bicep public registry. To reference the module, please use the following syntax: br/public:avm/res/app/container-app:<version>

Configure with Azure Policy#

To address this issue at runtime use the following policies:

Notes#

Using managed identities in scale rules isn't supported. Init containers can't access managed identities.

Comments