Commit 3df9b93

Initial edits
1 parent 6f8317d commit 3df9b93

1 file changed

+11
-14
lines changed

articles/container-apps/manage-secrets.md

Lines changed: 11 additions & 14 deletions
@@ -5,7 +5,7 @@ services: container-apps
55
author: craigshoemaker
66
ms.service: container-apps
77
ms.topic: how-to
8-
ms.date: 11/02/2021
8+
ms.date: 07/28/2022
99
ms.author: cshoe
1010
ms.custom: ignite-fall-2021, event-tier1-build-2022
1111
---
@@ -19,15 +19,12 @@ Azure Container Apps allows your application to securely store sensitive configu
1919
- Each application revision can reference one or more secrets.
2020
- Multiple revisions can reference the same secret(s).
2121

22-
When a secret is updated or deleted, you can respond to changes in one of two ways:
22+
An updated or deleted secret does not automatically impact existing revisions in your app. When a secret is updated or deleted, you can respond to changes in one of two ways:
2323

2424
1. Deploy a new revision.
2525
2. Restart an existing revision.
2626

27-
An updated or removed secret does not automatically restart a revision.
28-
29-
- Before you delete a secret, deploy a new revision that no longer references the old secret.
30-
- If you change a secret value, you need to restart the revision to consume the new value.
27+
Before you delete a secret, deploy a new revision that no longer references the old secret. Then deactivate all revisions that reference the secret.
3128

3229
## Defining secrets
3330

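Review bot: The removed bullet at old line 30 ("If you change a secret value, you need to restart the revision to consume the new value.") has no replacement, so the new paragraph at line 27 covers only deletion and never says which of the two listed responses picks up a changed value. Restore that sentence after the numbered list. New line 22 also states the same condition twice in a row ("An updated or deleted secret ..." followed by "When a secret is updated or deleted ..."); the second sentence can be shortened to "You can respond to changes in one of two ways:".
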
@@ -51,13 +48,13 @@ Secrets are defined at the application level in the `resources.properties.config
5148
}
5249
```
5350

54-
Here, a connection string to a queue storage account is declared in the `secrets` array. To use this configuration you would replace `<MY-CONNECTION-STRING-VALUE>` with the value of your connection string.
51+
Here, a connection string to a queue storage account is declared in the `secrets` array. In this example, you would replace `<MY-CONNECTION-STRING-VALUE>` with the value of your connection string.
5552

5653
# [Azure CLI](#tab/azure-cli)
5754

58-
Secrets are defined using the `--secrets` parameter.
55+
When you create a container app, secrets are defined using the `--secrets` parameter.
5956

60-
- The parameter accepts a comma-delimited set of name/value pairs.
57+
- The parameter accepts a space-delimited set of name/value pairs.
6158
- Each pair is delimited by an equals sign (`=`).
6259

6360
```bash
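Review bot: New line 57 switches the delimiter from comma to space, but nothing tells the reader that a value containing spaces or shell metacharacters must then be quoted, and a storage connection string like the one this section uses contains `;` and `=`. Add a sentence on quoting each `name=value` pair, and confirm that the `--secrets` example in the bash block that follows uses the space-separated form. Line 58 ("Each pair is delimited by an equals sign") reads as if `=` separates the pairs from each other; "The name and value in each pair are separated by an equals sign (`=`)" is clearer.
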
@@ -91,27 +88,27 @@ Here, a connection string to a queue storage account is declared in the `--secre
9188

9289
---
9390

94-
## Using secrets
91+
## <a name="using-secrets"></a>Referencing secrets in environment variables
9592

96-
The secret value is mapped to the secret name declared at the application level as described in the [defining secrets](#defining-secrets) section. The `passwordSecretRef` and `secretref` parameters are used to reference the secret names as environment variables at the container level. The `passwordSecretRef` provides a descriptive parameter name for secrets containing passwords.
93+
After declaring secrets at the application level as described in the [defining secrets](#defining-secrets) section, you can reference them in environment variables when you create a new revision in your container app. When an environment variable references a secret, its value is populated with the value defined in the secret.
9794

9895
## Example
9996

100-
The following example shows an application that declares a connection string at the application level and is used throughout the configuration via `secretref`.
97+
The following example shows an application that declares a connection string at the application level. Then it is referenced in a container environment variable and in a scale rule.
10198

10299
# [ARM template](#tab/arm-template)
103100

104101
In this example, the application connection string is declared as `queue-connection-string` and becomes available elsewhere in the configuration sections.
105102

106103
:::code language="json" source="code/secure-app-arm-template.json" highlight="11,12,13,27,28,29,30,31,44,45,61,62":::
107104

108-
Here, the environment variable named `connection-string` gets its value from the application-level `queue-connection-string` secret. Also, the Azure Queue Storage scale rule's authorization configuration uses the `queue-connection-string` as a connection is established.
105+
Here, the environment variable named `connection-string` gets its value from the application-level `queue-connection-string` secret. Also, the Azure Queue Storage scale rule's authorization configuration uses the `queue-connection-string` secret as to define its connection.
109106

110107
To avoid committing secret values to source control with your ARM template, pass secret values as ARM template parameters.
111108

112109
# [Azure CLI](#tab/azure-cli)
113110

114-
In this example, you create an application with a secret that's referenced in an environment variable using the Azure CLI.
111+
In this example, you create a container app with a secret that's referenced in an environment variable using the Azure CLI. To reference a secret in an environment variable in the Azure CLI, set its value to `secretref:`, followed by the name of the secret.
115112

116113
```bash
117114
az containerapp create \
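
Review bot: New line 105 has a leftover word: "uses the `queue-connection-string` secret as to define its connection" should read "to define its connection". The rewritten paragraph at line 93 drops the names `secretref` and `passwordSecretRef`, and only the Azure CLI tab (line 111) now explains the `secretref:` syntax, so the ARM template tab no longer tells the reader which property carries the reference; add a sentence naming it next to the ARM example. Line 97 would read better with an explicit subject, for example "The connection string is then referenced in a container environment variable and in a scale rule."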
