Here, a connection string to a queue storage account is declared in the `--secrets` parameter. The value for `queue-connection-string` comes from an environment variable named `$CONNECTION_STRING`.
75
+
Here, a connection string to a queue storage account is declared in the `--secrets` parameter. Replace `<CONNECTION_STRING>` with the value of your connection string.
76
76
77
77
# [PowerShell](#tab/powershell)
78
78
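Review bot: The replacement sentence at new line 75 tells readers to substitute `<CONNECTION_STRING>` with the literal value, which puts the connection string on the command line where it is recorded in shell history and visible in the process list. The removed wording, which read the value from `$CONNECTION_STRING`, avoided that. Consider keeping the environment-variable form, or add a sentence telling readers to supply the value from a variable rather than typing it inline.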
@@ -101,12 +101,16 @@ Here, a connection string to a queue storage account is declared. The value for
101
101
102
102
### Reference secret from Key Vault
103
103
104
-
When you define a secret, you can specify a reference to a secret stored in Azure Key Vault. To reference a secret from Key Vault, you must first enable managed identity in your container app and grant the identity access to the Key Vault secrets.
104
+
When you define a secret, you can specify a reference to a secret stored in Azure Key Vault. Container Apps automatically retrieves the secret value from Key Vault and makes it available in your container app's secret.
105
+
106
+
To reference a secret from Key Vault, you must first enable managed identity in your container app and grant the identity access to the Key Vault secrets.
105
107
106
108
To enable managed identity in your container app, see [Managed identities](managed-identity.md).
107
109
108
110
To grant access to Key Vault secrets, [create an access policy](../key-vault/general/assign-access-policy.md) in Key Vault for the managed identity you created. Enable the "Get" secret permission on this policy.
109
111
112
+
113
+
110
114
# [ARM template](#tab/arm-template)
111
115
112
116
Secrets are defined at the application level in the `resources.properties.configuration.secrets` section.
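Review bot: The added sentence at new line 104 says Container Apps "automatically retrieves the secret value" but does not say when the value is fetched again, so a reader cannot tell whether rotating the secret in Key Vault reaches a running app without further action. Suggest stating the refresh behaviour here, and whether the secret URI should include a version. The two blank lines added at new lines 112 and 113 can be reduced to one.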
@@ -138,40 +142,23 @@ When you create a container app, secrets are defined using the `--secrets` param
138
142
139
143
- The parameter accepts a space-delimited set of name/value pairs.
140
144
- Each pair is delimited by an equals sign (`=`).
145
+
- To specify a Key Vault reference, use the format `<SECRET_NAME>=keyvaultref:<KEY_VAULT_SECRET_URI>,identityref:<MANAGED_IDENTITY_ID>`. For example, `queue-connection-string=keyvaultref:https://mykeyvault.vault.azure.net/secrets/queuereader,identityref:/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity`.
Here, a connection string to a queue storage account is declared in the `--secrets` parameter. The value for `queue-connection-string` comes from an environment variable named `$CONNECTION_STRING`.
157
+
Here, a connection string to a queue storage account is declared in the `--secrets` parameter. Replace `<KEY_VAULT_SECRET_URI>` with the URI of your secret in Key Vault. Replace `<USER_ASSIGNED_IDENTITY_ID>` with the resource ID of the user assigned identity. For system assigned identity, use `System` instead of the resource ID.
152
158
153
159
# [PowerShell](#tab/powershell)
154
160
155
-
When you create a container app, secrets are defined as one or more Secret objects that are passed through the `ConfigurationSecrets` parameter.
Here, a connection string to a queue storage account is declared. The value for `queue-connection-string` comes from an environment variable named `$QueueConnectionString`.
161
+
Secrets Key Vault references are not supported in PowerShell.
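Review bot: The format in the added bullet at new line 145 names the identity placeholder `<MANAGED_IDENTITY_ID>`, while the paragraph added at new line 157 tells readers to replace `<USER_ASSIGNED_IDENTITY_ID>`; use one name in both places. The `System` value for a system-assigned identity appears only in that paragraph, so the bullet that defines the format should mention it as well. The same paragraph still opens with "a connection string to a queue storage account is declared", which no longer matches an example that passes a Key Vault reference. At new line 161, "Secrets Key Vault references are not supported in PowerShell" would read better as "Key Vault references for secrets are not supported in PowerShell".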