Manage secrets in Azure Container Apps

Azure Container Apps allows your application to securely store sensitive configuration values. Once secrets are defined at the application level, secured values are available to revisions in your container apps. Additionally, you can reference secured values inside scale rules. For information on using secrets with Dapr, refer to Dapr integration.

  • Secrets are scoped to an application, outside of any specific revision of an application.
  • New revisions don't get generated through adding, removing, or changing secrets.
  • Each application revision can reference one or more secrets.
  • Multiple revisions can reference the same secret(s).

An updated or deleted secret doesn't automatically affect existing revisions in your app. When a secret is updated or deleted, you can respond to changes in one of two ways:

  1. Deploy a new revision.
  2. Restart an existing revision.

Before you delete a secret, deploy a new revision that no longer references the old secret. Then deactivate all revisions that reference the secret.

Defining secrets

Secrets are defined as a set of name/value pairs. The value of each secret is specified directly or as a reference to a secret stored in Azure Key Vault.

Note

Avoid specifying the value of a secret directly in a production environment. Instead, use a reference to a secret stored in Azure Key Vault, as described in the Store secret value in Container Apps section.

Store secret value in Container Apps

When you define secrets through the portal, or via different command line options.

  1. Go to your container app in the Azure portal.

  2. Under the Settings section, select Secrets.

  3. Select Add.

  4. In the Add secret context pane, enter the following information:

    • Name: The name of the secret.
    • Type: Select Container Apps Secret.
    • Value: The value of the secret.
  5. Select Add.

Reference secret from Key Vault

When you define a secret, you create a reference to a secret stored in Azure Key Vault. Container Apps automatically retrieves the secret value from Key Vault and makes it available as a secret in your container app.

To reference a secret from Key Vault, you must first enable managed identity in your container app and grant the identity access to the Key Vault secrets.

To enable managed identity in your container app, see Managed identities.

To grant access to Key Vault secrets, create an access policy in Key Vault for the managed identity you created. Enable the "Get" secret permission on this policy.

  1. Go to your container app in the Azure portal.

  2. Under the Settings section, select Identity.

  3. In the System assigned tab, select On.

  4. Select Save to enable system-assigned managed identity.

  5. Under the Settings section, select Secrets.

  6. Select Add.

  7. In the Add secret context pane, enter the following information:

    • Name: The name of the secret.
    • Type: Select Key Vault reference.
    • Key Vault secret URL: The URI of your secret in Key Vault.
    • Identity: The identity to use to retrieve the secret from Key Vault.
  8. Select Add.

Note

If you're using UDR With Azure Firewall, you will need to add the AzureKeyVault service tag and the login.microsoft.com FQDN to the allow list for your firewall. Refer to configuring UDR with Azure Firewall to decide which additional service tags you need.

Key Vault secret URI and secret rotation

The Key Vault secret URI must be in one of the following formats:

  • https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931: Reference a specific version of a secret.
  • https://myvault.vault.azure.net/secrets/mysecret: Reference the latest version of a secret.

If a version isn't specified in the URI, then the app uses the latest version that exists in the key vault. When newer versions become available, the app automatically retrieves the latest version within 30 minutes. Any active revisions that reference the secret in an environment variable is automatically restarted to pick up the new value.

For full control of which version of a secret is used, specify the version in the URI.

Referencing secrets in environment variables

After declaring secrets at the application level as described in the defining secrets section, you can reference them in environment variables when you create a new revision in your container app. When an environment variable references a secret, its value is populated with the value defined in the secret.

Example

The following example shows an application that declares a connection string at the application level. This connection is referenced in a container environment variable and in a scale rule.

After you've defined a secret in your container app, you can reference it in an environment variable when you create a new revision.

  1. Go to your container app in the Azure portal.

  2. Open the Revision management page.

  3. Select Create new revision.

  4. In the Create and deploy new revision page, select a container.

  5. In the Environment variables section, select Add.

  6. Enter the following information:

    • Name: The name of the environment variable.
    • Source: Select Reference a secret.
    • Value: Select the secret you want to reference.
  7. Select Save.

  8. Select Create to create the new revision.

Mounting secrets in a volume

After declaring secrets at the application level as described in the defining secrets section, you can reference them in volume mounts when you create a new revision in your container app. When you mount secrets in a volume, each secret is mounted as a file in the volume. The file name is the name of the secret, and the file contents are the value of the secret. You can load all secrets in a volume mount, or you can load specific secrets.

Example

After you've defined a secret in your container app, you can reference it in a volume mount when you create a new revision.

  1. Go to your container app in the Azure portal.

  2. Open the Revision management page.

  3. Select Create new revision.

  4. In the Create and deploy new revision page.

  5. Select a container and select Edit.

  6. In the Volume mounts section, expand the Secrets section.

  7. Select Create new volume.

  8. Enter the following information:

    • Name: mysecrets
    • Mount all secrets: enabled

    Note

    If you want to load specific secrets, disable Mount all secrets and select the secrets you want to load.

  9. Select Add.

  10. Under Volume name, select mysecrets.

  11. Under Mount path, enter /mnt/secrets.

  12. Select Save.

  13. Select Create to create the new revision with the volume mount.

Next steps