Add missing RBAC role when using container apps

pamelafox · pamelafox · commit 7c97bfd8bb89 · 2025-09-10T10:04:55.000-07:00
diff --git a/infra/core/host/container-apps-auth.bicep b/infra/core/host/container-apps-auth.bicep
@@ -56,7 +56,7 @@ resource auth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {
       }
     }
     login: {
-      // https://learn.microsoft.com/en-us/azure/container-apps/token-store
+      // https://learn.microsoft.com/azure/container-apps/token-store
       tokenStore: {
         enabled: true
         azureBlobStorage: {
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -1129,6 +1129,17 @@ module storageRoleContributorSearchService 'core/security/role.bicep' = if (useI
   }
 }
 
+// Necessary for the Container Apps backend to store tokens in the container
+module storageRoleContributorBackend 'core/security/role.bicep' = if (deploymentTarget == 'containerapps' && !empty(clientAppId)) {
+  scope: storageResourceGroup
+  name: 'storage-role-contributor-aca-backend'
+  params: {
+    principalId: acaBackend.outputs.identityPrincipalId
+    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // Used to issue search queries
 // https://learn.microsoft.com/azure/search/search-security-rbac
 module searchRoleBackend 'core/security/role.bicep' = {

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ resource auth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {`
`56`	`56`	`}`
`57`	`57`	`}`
`58`	`58`	`login: {`
`59`		`- // https://learn.microsoft.com/en-us/azure/container-apps/token-store`
	`59`	`+ // https://learn.microsoft.com/azure/container-apps/token-store`
`60`	`60`	`tokenStore: {`
`61`	`61`	`enabled: true`
`62`	`62`	`azureBlobStorage: {`