@@ -30,6 +30,9 @@ Before you delete a secret, deploy a new revision that no longer references the
30
30
31
31
Secrets are defined as a set of name/value pairs. The value of each secret is specified directly or as a reference to a secret stored in Azure Key Vault.
32
32
33
+
> [!NOTE]
34
+
> Avoid specifying the value of a secret directly in a production environment. Instead, use a reference to a secret stored in Azure Key Vault, as described in the [Store secret value in Container Apps section](#reference-secret-from-key-vault).
35
+
33
36
### Store secret value in Container Apps
34
37
35
38
When you define secrets through the portal, or via different command line options.
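Review bot: In the added NOTE at new line 34, the link text "Store secret value in Container Apps section" does not match its target `#reference-secret-from-key-vault`. It also names the section directly below, which covers defining the value in Container Apps, the practice this note tells readers to avoid in production. Change the link text so it names the Key Vault reference section that the anchor points to, and confirm that the anchor resolves in this file.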
Here, a connection string to a queue storage account is declared in the `--secrets` parameter. Replace `<KEY_VAULT_SECRET_URI>` with the URI of your secret in Key Vault. Replace `<USER_ASSIGNED_IDENTITY_ID>` with the resource ID of the user assigned identity. For system assigned identity, use `system` instead of the resource ID.
197
+
Here, a connection string to a queue storage account is declared in the `--secrets` parameter. Replace `<KEY_VAULT_SECRET_URI>` with the URI of your secret in Key Vault. Replace `<USER_ASSIGNED_IDENTITY_ID>` with the resource ID of the user assigned identity.
195
198
196
199
> [!NOTE]
197
200
> The user assigned identity must have access to read the secret in Key Vault. System assigned identity can't be used with the create command because it's not available until after the container app is created.
@@ -252,7 +255,7 @@ After you've [defined a secret](#defining-secrets) in your container app, you ca
252
255
253
256
In this example, the application connection string is declared as `queue-connection-string` and becomes available elsewhere in the configuration sections.
Here, the environment variable named `connection-string` gets its value from the application-level `queue-connection-string` secret. Also, the Azure Queue Storage scale rule's authentication configuration uses the `queue-connection-string` secret as to define its connection.
Here, the environment variable named `connection-string` gets its value from the application-level `queue-connection-string` secret.
276
280
277
281
# [PowerShell](#tab/powershell)
278
282
283
+
Secrets Key Vault references aren't supported in PowerShell.
284
+
279
285
In this example, you create a container using Azure PowerShell with a secret that's referenced in an environment variable. To reference the secret in an environment variable in PowerShell, set its value to `secretref:`, followed by the name of the secret.
280
286
281
287
```azurepowershell-interactive
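Review bot: The sentence added at new line 283, "Secrets Key Vault references aren't supported in PowerShell.", leaves PowerShell users with only the direct-value path, which the NOTE added at new line 34 advises against for production. Reword it (for example "Key Vault secret references aren't supported in Azure PowerShell."), format it as a `> [!NOTE]` callout like the others in this file, and state which supported method readers should use instead when they need a Key Vault reference.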
@@ -359,7 +365,7 @@ In this example, two secrets are declared at the application level. These secret
359
365
"environment_id": {
360
366
"type": "String"
361
367
},
362
-
"queue-connection-string": {
368
+
"key_vault_secret_uri": {
363
369
"type": "Securestring"
364
370
},
365
371
"api-key": {
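Review bot: Renaming the parameter at new line 368 from `queue-connection-string` to `key_vault_secret_uri` changes what it carries, from a secret value to a Key Vault secret URI, so every reference to the old parameter name in this template has to change in the same commit. The following hunk (-381,7 +387,8) has no visible body here, so please confirm it covers that. The hunk header context still reads "two secrets are declared at the application level", so the intro text should say that one of them is now a Key Vault reference. The parameter names are also inconsistent in style: `key_vault_secret_uri` sits next to `api-key`.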
@@ -381,7 +387,8 @@ In this example, two secrets are declared at the application level. These secret