Mount a secret volume in Azure Container Instances

Use a secret volume to supply sensitive information to the containers in a container group. The secret volume stores your secrets in files within the volume, accessible by the containers in the container group. By storing secrets in a secret volume, you can avoid adding sensitive data like SSH keys or database credentials to your application code.

  • Once deployed with secrets in a container group, a secret volume is read-only.
  • Tmpfs, a RAM-backed filesystem, backs all secret volumes; their contents are never written to nonvolatile storage.

Note

Secret volumes are currently restricted to Linux containers. Learn how to pass secure environment variables for both Windows and Linux containers in Set environment variables. While we're working to bring all features to Windows containers, you can find current platform differences in the overview.

Mount secret volume - Azure CLI

To deploy a container with one or more secrets by using the Azure CLI, include the --secrets and --secrets-mount-path parameters in the az container create command. This example mounts a secret volume consisting of two files containing secrets, "mysecret1" and "mysecret2," at /mnt/secrets:

az container create \
    --resource-group myResourceGroup \
    --name secret-volume-demo \
    --image mcr.microsoft.com/azuredocs/aci-helloworld \
    --secrets mysecret1="My first secret FOO" mysecret2="My second secret BAR" \
    --secrets-mount-path /mnt/secrets

The following az container exec output shows opening a shell in the running container, listing the files within the secret volume, then displaying their contents:

az container exec \
  --resource-group myResourceGroup \
  --name secret-volume-demo --exec-command "/bin/sh"
/usr/src/app # ls /mnt/secrets
mysecret1
mysecret2
/usr/src/app # cat /mnt/secrets/mysecret1
My first secret FOO
/usr/src/app # cat /mnt/secrets/mysecret2
My second secret BAR
/usr/src/app # exit
Bye.

Mount secret volume - YAML

You can also deploy container groups with the Azure CLI and a YAML template. Deploying by YAML template is the preferred method when deploying container groups consisting of multiple containers.

When you deploy with a YAML template, the secret values must be Base64-encoded in the template. However, the secret values appear in plaintext within the files in the container.

The following YAML template defines a container group with one container that mounts a secret volume at /mnt/secrets. The secret volume has two files containing secrets, "mysecret1" and "mysecret2."

apiVersion: '2019-12-01'
location: eastus
name: secret-volume-demo
properties:
  containers:
  - name: aci-tutorial-app
    properties:
      environmentVariables: []
      image: mcr.microsoft.com/azuredocs/aci-helloworld:latest
      ports: []
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      volumeMounts:
      - mountPath: /mnt/secrets
        name: secretvolume1
  osType: Linux
  restartPolicy: Always
  volumes:
  - name: secretvolume1
    secret:
      mysecret1: TXkgZmlyc3Qgc2VjcmV0IEZPTwo=
      mysecret2: TXkgc2Vjb25kIHNlY3JldCBCQVIK
tags: {}
type: Microsoft.ContainerInstance/containerGroups

To deploy with the YAML template, save the preceding YAML to a file named deploy-aci.yaml, then execute the az container create command with the --file parameter:

# Deploy with YAML template
az container create \
  --resource-group myResourceGroup \
  --file deploy-aci.yaml

Mount secret volume - Resource Manager

In addition to CLI and YAML deployment, you can deploy a container group using an Azure Resource Manager template.

First, populate the volumes array in the container group properties section of the template. When you deploy with a Resource Manager template, the secret values must be Base64-encoded in the template. However, the secret values appear in plaintext within the files in the container.

Next, for each container in the container group in which you'd like to mount the secret volume, populate the volumeMounts array in the properties section of the container definition.

The following Resource Manager template defines a container group with one container that mounts a secret volume at /mnt/secrets. The secret volume has two secrets, "mysecret1" and "mysecret2."

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "container1name": "aci-tutorial-app",
    "container1image": "microsoft/aci-helloworld:latest"
  },
  "resources": [
    {
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2021-03-01",
      "name": "secret-volume-demo",
      "location": "[resourceGroup().location]",
      "properties": {
        "containers": [
          {
            "name": "[variables('container1name')]",
            "properties": {
              "image": "[variables('container1image')]",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              },
              "ports": [
                {
                  "port": 80
                }
              ],
              "volumeMounts": [
                {
                  "name": "secretvolume1",
                  "mountPath": "/mnt/secrets"
                }
              ]
            }
          }
        ],
        "osType": "Linux",
        "ipAddress": {
          "type": "Public",
          "ports": [
            {
              "protocol": "tcp",
              "port": "80"
            }
          ]
        },
        "volumes": [
          {
            "name": "secretvolume1",
            "secret": {
              "mysecret1": "TXkgZmlyc3Qgc2VjcmV0IEZPTwo=",
              "mysecret2": "TXkgc2Vjb25kIHNlY3JldCBCQVIK"
            }
          }
        ]
      }
    }
  ]
}

To deploy with the Resource Manager template, save the preceding JSON to a file named deploy-aci.json, then execute the az deployment group create command with the --template-file parameter:

# Deploy with Resource Manager template
az deployment group create \
  --resource-group myResourceGroup \
  --template-file deploy-aci.json

Next steps

Volumes

Learn how to mount other volume types in Azure Container Instances:

Secure environment variables

Another method for providing sensitive information to containers (including Windows containers) is by using secure environment variables.