
Unable to mount Key Vault secrets via User Assigned Identity in Container Apps ARM template #31630

@tomaszolczak12

Description

Describe the bug

I’m attempting to deploy an Azure Container App using an ARM template that:

Assigns a User Assigned Managed Identity (UAMI) to the Container App.

Uses that UAMI to pull multiple PEM files from Key Vault.

Mounts those PEM files into the container via a volume.

My configuration.secrets section looks like this:

```json
"configuration": {
  "secrets": [
    {
      "name": "acr-token-password",
      "value": "...static value..."
    },
    {
      "name": "mytruststore-pem",
      "valueFrom": {
        "secretRef": {
          "keyVaultId": "/subscriptions/.../vaults/mykv/secrets/mytruststore-pem",
          "credentialId": "/subscriptions/.../userAssignedIdentities/myUami"
        }
      }
    }
  ],
  ...
      "volumeMounts": [
        { "volumeName": "certs-volume", "mountPath": "/app/certificates" }
      ]
    }
  ],
  "volumes": [
    {
      "name": "certs-volume",
      "storageType": "Secret",
      "secrets": [
        { "secretName": "mytruststore-pem", "path": "mytruststore.pem" }
      ]
    }
  ],
  ...
}
```

Related command

```sh
az deployment group create --resource-group resource-group-test-bravo --template-file banking-replication-app-volume.json --debug
```

Errors

Invalid request body for container app. Path: $[1]. Does not conform to Container App schema

Issue script & Debug output

```text
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/core/polling/base_polling.py", line XXX, in initialize
    _raise_if_bad_http_status_and_method(self._initial_response.http_response)
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/core/polling/base_polling.py", line YYY, in _raise_if_bad_http_status_and_method
    raise BadStatus("Invalid return status {!r} for {!r} operation".format(code, response.request.method))
azure.core.polling.base_polling.BadStatus: Invalid return status 400 for 'POST' operation

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/command_modules/resource/custom.py", line AAA, in _deploy_arm_template_at_resource_group
    validation_poller = mgmt_client.begin_validate(, , )
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line BBB, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/mgmt/resource/resources/v2024_11_01/operations/_operations.py", line CCC, in begin_validate
    return LROPoller(...)
azure.core.exceptions.HttpResponseError: (InvalidTemplateDeployment) The template deployment '' is not valid according to the validation procedure. The tracking id is ''. See inner errors for details.
Code: InvalidTemplateDeployment
Message: The template deployment '' is not valid according to the validation procedure. The tracking id is ''. See inner errors for details.
Exception Details:
  (ValidationForResourceFailed) Validation failed for a resource. Check 'Error.Details[0]' for more information.
  Code: ValidationForResourceFailed
  Message: Validation failed for a resource. Check 'Error.Details[0]' for more information.
  Exception Details:
    (ContainerAppInvalidSchema) Invalid request body for container app. Path: $[1]. Does not conform to Container App schema...
    Code: ContainerAppInvalidSchema
    Message: Invalid request body for container app. Path: $[1]. Does not conform to Container App schema...

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line DDD, in _run_job
    result = cmd_copy(params)
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line EEE, in handler
    return op(**command_args)
  File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/command_modules/resource/custom.py", line FFF, in deploy_arm_template_at_resource_group
    return _deploy_arm_template_at_resource_group(cmd=cmd)
RuntimeError: The content for this response was already consumed

cli.azure.cli.core.azclierror: The content for this response was already consumed
```

Expected behavior

The ARM deployment should succeed, resulting in a Container App named my-service with:

All required environment variables (including database credentials and connection strings) loaded from Key Vault via the assigned User-Assigned Managed Identity.

A volume mount (certs-volume) inside the container at /app/certificates containing the PEM certificate file (mytruststore.pem) retrieved from Key Vault.

Environment Summary

ARM API Version: 2025-01-01

Azure CLI Version: 2.74.0

Attempted with both inline and parameterized valueFrom.secretRef

Additional context

No response
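An added consistency check for the wiring this report describes, written for this page and not taken from the reporter's template or the azure-cli project. It assumes the Microsoft.App/containerApps schema expresses a Key Vault-backed secret as `keyVaultUrl` plus `identity` on the secret entry rather than `valueFrom.secretRef`, and that the referenced identity must also be assigned to the app; all resource IDs and the vault name are constructed placeholders.

```python
import json

# Constructed fragment mirroring the shape posted in the issue (not the reporter's full
# template); resource IDs and the vault name are placeholders.
APP = json.loads("""
{
  "identity": {"type": "UserAssigned",
               "userAssignedIdentities": {"/subscriptions/x/userAssignedIdentities/myUami": {}}},
  "properties": {
    "configuration": {"secrets": [
      {"name": "acr-token-password", "value": "static"},
      {"name": "mytruststore-pem", "valueFrom": {"secretRef": {
          "keyVaultId": "/subscriptions/x/vaults/mykv/secrets/mytruststore-pem",
          "credentialId": "/subscriptions/x/userAssignedIdentities/myUami"}}}]},
    "template": {"volumes": [{"name": "certs-volume", "storageType": "Secret",
        "secrets": [{"secretName": "mytruststore-pem", "path": "mytruststore.pem"}]}]}}}
""")

def to_keyvault_secret(secret: dict) -> dict:
    """Rewrite a valueFrom.secretRef entry into the keyVaultUrl/identity shape (assumed
    schema). Vault and secret names come from the resource ID; public-cloud DNS suffix assumed."""
    ref = secret["valueFrom"]["secretRef"]
    parts = ref["keyVaultId"].split("/")
    vault, name = parts[parts.index("vaults") + 1], parts[parts.index("secrets") + 1]
    return {"name": secret["name"],
            "keyVaultUrl": f"https://{vault}.vault.azure.net/secrets/{name}",
            "identity": ref["credentialId"]}

def lint_secrets(app: dict) -> list[str]:
    """Consistency checks on the secrets/volumes wiring of a Microsoft.App/containerApps body."""
    findings = []
    props = app.get("properties", {})
    secrets = props.get("configuration", {}).get("secrets", [])
    assigned = {k.lower() for k in app.get("identity", {}).get("userAssignedIdentities", {})}
    for s in secrets:
        if "valueFrom" in s:  # the shape the API rejected with ContainerAppInvalidSchema
            findings.append(f"{s.get('name')}: valueFrom.secretRef is not a Container Apps secret property")
        ident = s.get("identity", "").lower()
        if "keyVaultUrl" in s and ident != "system" and ident not in assigned:
            findings.append(f"{s.get('name')}: identity '{s.get('identity')}' is not assigned to this app")
    names = {s.get("name") for s in secrets}  # volume secrets must point at declared secrets
    for vol in props.get("template", {}).get("volumes", []):
        for ref in vol.get("secrets", []) if vol.get("storageType") == "Secret" else []:
            if ref.get("secretName") not in names:
                findings.append(f"volume {vol.get('name')}: secret '{ref.get('secretName')}' not declared")
    return findings
```

Running `lint_secrets` before `az deployment group create` flags the rejected `valueFrom` shape, a Key Vault secret bound to an identity the app does not carry, and a secret volume pointing at an undeclared secret, so the template fails locally instead of at ARM validation.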

Labels

- Auto-Assign (auto assign by bot)
- Azure Deployments (az deployment/bicep/stack/deployment-scripts/ts/group export)
- Service Attention (this issue is the responsibility of the Azure service team)
- bug (this issue requires a change to an existing behavior in the product in order to be resolved)
- customer-reported (issues that are reported by GitHub users external to the Azure organization)