Add missing RBAC role for token storage container when using container apps (#2724)

* Add missing RBAC role when using container apps

* Add comments with role names

* Update infra/main.bicep

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>

Author: pamelafox

infra/core/host/container-apps-auth.bicep

@@ -56,7 +56,7 @@ resource auth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {
       }
     }
     login: {
-      // https://learn.microsoft.com/en-us/azure/container-apps/token-store
+      // https://learn.microsoft.com/azure/container-apps/token-store
       tokenStore: {
         enabled: true
         azureBlobStorage: {

infra/main.bicep

@@ -970,7 +970,7 @@ module storageRoleUser 'core/security/role.bicep' = {
   name: 'storage-role-user'
   params: {
     principalId: principalId
-    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
     principalType: principalType
   }
 }
@@ -980,7 +980,7 @@ module storageContribRoleUser 'core/security/role.bicep' = {
   name: 'storage-contrib-role-user'
   params: {
     principalId: principalId
-    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
     principalType: principalType
   }
 }
@@ -990,7 +990,7 @@ module storageOwnerRoleUser 'core/security/role.bicep' = if (useUserUpload) {
   name: 'storage-owner-role-user'
   params: {
     principalId: principalId
-    roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+    roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner
     principalType: principalType
   }
 }
@@ -1090,7 +1090,7 @@ module storageRoleBackend 'core/security/role.bicep' = {
     principalId: (deploymentTarget == 'appservice')
       ? backend.outputs.identityPrincipalId
       : acaBackend.outputs.identityPrincipalId
-    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
     principalType: 'ServicePrincipal'
   }
 }
@@ -1102,7 +1102,7 @@ module storageOwnerRoleBackend 'core/security/role.bicep' = if (useUserUpload) {
     principalId: (deploymentTarget == 'appservice')
       ? backend.outputs.identityPrincipalId
       : acaBackend.outputs.identityPrincipalId
-    roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+    roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner
     principalType: 'ServicePrincipal'
   }
 }
@@ -1112,7 +1112,7 @@ module storageRoleSearchService 'core/security/role.bicep' = if (useIntegratedVe
   name: 'storage-role-searchservice'
   params: {
     principalId: searchService.outputs.principalId
-    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
     principalType: 'ServicePrincipal'
   }
 }
@@ -1127,6 +1127,17 @@ module storageRoleContributorSearchService 'core/security/role.bicep' = if (useI
   }
 }
 
+// Necessary for the Container Apps backend to store authentication tokens in the blob storage container
+module storageRoleContributorBackend 'core/security/role.bicep' = if (deploymentTarget == 'containerapps' && !empty(clientAppId)) {
+  scope: storageResourceGroup
+  name: 'storage-role-contributor-aca-backend'
+  params: {
+    principalId: acaBackend.outputs.identityPrincipalId
+    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // Used to issue search queries
 // https://learn.microsoft.com/azure/search/search-security-rbac
 module searchRoleBackend 'core/security/role.bicep' = {