From 7c97bfd8bb893e9b485988bcfbfc17c66b75e00b Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Wed, 10 Sep 2025 10:04:55 -0700
Subject: [PATCH 1/3] Add missing RBAC role when using container apps

---
 infra/core/host/container-apps-auth.bicep | 2 +-
 infra/main.bicep | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/infra/core/host/container-apps-auth.bicep b/infra/core/host/container-apps-auth.bicep
index 6552232093..9b81af114d 100644
--- a/infra/core/host/container-apps-auth.bicep
+++ b/infra/core/host/container-apps-auth.bicep
@@ -56,7 +56,7 @@ resource auth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {
 }
 }
 login: {
- // https://learn.microsoft.com/en-us/azure/container-apps/token-store
+ // https://learn.microsoft.com/azure/container-apps/token-store
 tokenStore: {
 enabled: true
 azureBlobStorage: {
diff --git a/infra/main.bicep b/infra/main.bicep
index 6964b9dc75..1f00c8815d 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -1129,6 +1129,17 @@ module storageRoleContributorSearchService 'core/security/role.bicep' = if (useI
 }
 }

+// Necessary for the Container Apps backend to store tokens in the container
+module storageRoleContributorBackend 'core/security/role.bicep' = if (deploymentTarget == 'containerapps' && !empty(clientAppId)) {
+ scope: storageResourceGroup
+ name: 'storage-role-contributor-aca-backend'
+ params: {
+ principalId: acaBackend.outputs.identityPrincipalId
+ roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
+ principalType: 'ServicePrincipal'
+ }
+}
+
 // Used to issue search queries
 // https://learn.microsoft.com/azure/search/search-security-rbac
 module searchRoleBackend 'core/security/role.bicep' = {
From 826e5c7bb1b05fac7572ebcf31f19a004adadda1 Mon Sep 17 00:00:00 2001
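Review bot: The new `storageRoleContributorBackend` assignment is made with `scope: storageResourceGroup`, so if `core/security/role.bicep` assigns at its deployment scope (its body is not in this patch) the ACA backend identity receives Storage Blob Data Contributor on every storage account in that resource group, including the document store that `storageRoleBackend` elsewhere in this file deliberately limits to Storage Blob Data Reader. The token store only needs to write the container configured under `azureBlobStorage` in container-apps-auth.bicep, so a resource-scoped `Microsoft.Authorization/roleAssignments` on that storage account (or a dedicated token-store account) would keep the backend read-only on content blobs; at minimum record the widening next to the module, e.g. `// NOTE: resource-group scope — also grants blob write on the content storage account; narrow to the token-store account`. It is also worth confirming that `!empty(clientAppId)` is the same condition under which the auth config with `tokenStore.enabled: true` is deployed, since a mismatch leaves the token store enabled without write access (or the role granted with no token store using it).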
From: Pamela Fox
Date: Wed, 10 Sep 2025 10:14:50 -0700
Subject: [PATCH 2/3] Add comments with role names

---
 infra/main.bicep | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/infra/main.bicep b/infra/main.bicep
index 1f00c8815d..714201b37f 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -972,7 +972,7 @@ module storageRoleUser 'core/security/role.bicep' = {
 name: 'storage-role-user'
 params: {
 principalId: principalId
- roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+ roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
 principalType: principalType
 }
 }
@@ -982,7 +982,7 @@ module storageContribRoleUser 'core/security/role.bicep' = {
 name: 'storage-contrib-role-user'
 params: {
 principalId: principalId
- roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+ roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
 principalType: principalType
 }
 }
@@ -992,7 +992,7 @@ module storageOwnerRoleUser 'core/security/role.bicep' = if (useUserUpload) {
 name: 'storage-owner-role-user'
 params: {
 principalId: principalId
- roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+ roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner
 principalType: principalType
 }
 }
@@ -1092,7 +1092,7 @@ module storageRoleBackend 'core/security/role.bicep' = {
 principalId: (deploymentTarget == 'appservice')
 ? backend.outputs.identityPrincipalId
 : acaBackend.outputs.identityPrincipalId
- roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+ roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
 principalType: 'ServicePrincipal'
 }
 }
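Review bot: The trailing comment `// Storage Blob Data Reader` added after `roleDefinitionId` is the only link between the GUID and the role it names, and nothing prevents the two from drifting when one is edited; the same literal now carries the same hand-written comment in several modules of this file. A single lookup, e.g. `var storageRoleIds = { blobDataReader: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1', blobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe', blobDataOwner: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' }` referenced as `roleDefinitionId: storageRoleIds.blobDataReader`, makes the role name what reviewers read and defines each GUID exactly once. The enclosing `module storageRoleUser` block starts before this hunk.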
@@ -1104,7 +1104,7 @@ module storageOwnerRoleBackend 'core/security/role.bicep' = if (useUserUpload) {
 principalId: (deploymentTarget == 'appservice')
 ? backend.outputs.identityPrincipalId
 : acaBackend.outputs.identityPrincipalId
- roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+ roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner
 principalType: 'ServicePrincipal'
 }
 }
@@ -1114,7 +1114,7 @@ module storageRoleSearchService 'core/security/role.bicep' = if (useIntegratedVe
 name: 'storage-role-searchservice'
 params: {
 principalId: searchService.outputs.principalId
- roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+ roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
 principalType: 'ServicePrincipal'
 }
 }

From 5ff30e154ead4af75893d97b0634c767595a2141 Mon Sep 17 00:00:00 2001
From: Pamela Fox
Date: Wed, 10 Sep 2025 10:26:38 -0700
Subject: [PATCH 3/3] Update infra/main.bicep

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 infra/main.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infra/main.bicep b/infra/main.bicep
index 714201b37f..418b3116b0 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -1129,7 +1129,7 @@ module storageRoleContributorSearchService 'core/security/role.bicep' = if (useI
 }
 }

-// Necessary for the Container Apps backend to store tokens in the container
+// Necessary for the Container Apps backend to store authentication tokens in the blob storage container
 module storageRoleContributorBackend 'core/security/role.bicep' = if (deploymentTarget == 'containerapps' && !empty(clientAppId)) {
 scope: storageResourceGroup
 name: 'storage-role-contributor-aca-backend'