Add missing RBAC role for token storage container when using container apps #2724
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pamelafox
commented
Sep 10, 2025
| } | ||
|
|
||
| // Necessary for the Container Apps backend to store tokens in the container | ||
| module storageRoleContributorBackend 'core/security/role.bicep' = if (deploymentTarget == 'containerapps' && !empty(clientAppId)) { |
There was a problem hiding this comment.
Note: If the user upload feature is also enabled, then the ACA backend will get granted both "Storage Blob Data Owner" and "Storage Blob Data Contributor". That should work fine, even though it's a bit redundant.
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a critical RBAC configuration issue where Container Apps backend was missing the necessary Storage Blob Data Contributor role to store authentication tokens. When using built-in authentication with Container Apps, the backend needs write access to the token storage container, not just read access.
- Adds conditional Storage Blob Data Contributor role assignment for Container Apps backend when authentication is enabled
- Includes documentation comments for role definition IDs to improve maintainability
- Fixes URL formatting in documentation comment
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| infra/main.bicep | Adds missing RBAC role assignment for Container Apps backend and improves role ID documentation |
| infra/core/host/container-apps-auth.bicep | Minor documentation URL formatting fix |
Co-authored-by: Copilot <[email protected]>
mattgotteiner
approved these changes
Sep 11, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose
Our main.bicep is currently only assigning the storage RBAC role to the container apps backend when user upload is enabled, but it ALSO needs it when using built-in auth, to store tokens in the token container.
Before this change, no tokens showed up in store.
After this change, I do see tokens.
Fixes #2688 hopefully! I have a tab open that I will check in 3 hours, to make sure refresh works as expected.
Does this introduce a breaking change?
When developers merge from main and run the server, azd up, or azd deploy, will this produce an error?
If you're not sure, try it out on an old environment.
Does this require changes to learn.microsoft.com docs?
This repository is referenced by this tutorial
which includes deployment, settings and usage instructions. If text or screenshot need to change in the tutorial,
check the box below and notify the tutorial author. A Microsoft employee can do this for you if you're an external contributor.
Type of change
Code quality checklist
See CONTRIBUTING.md for more details.
N/A Bicep only change