Merge pull request #286674 from v-jaswel/aca/v-jaswel_20240912_work_item_310311

Jill Grant · web-flow · commit cbf5a6bd4d4c · 2024-11-24T15:33:05.000-07:00
[ACA] Show how to use KeyVault to store/retrieve container registry password
diff --git a/articles/container-apps/get-started-existing-container-image.md b/articles/container-apps/get-started-existing-container-image.md
@@ -37,126 +37,238 @@ This article demonstrates how to deploy an existing container to Azure Container
 
 ## Create a container app
 
-Now that you have an environment created, you can deploy your first container app. With the `containerapp create` command, deploy a container image to Azure Container Apps.
+Now that you have an environment created, you can deploy your first container app.
 
-The example shown in this article demonstrates how to use a custom container image with common commands. Your container image might need more parameters for the following items:
+::: zone pivot="container-apps-private-registry"
 
-- Set the revision mode
-- Define secrets
-- Define environment variables
-- Set container CPU or memory requirements
-- Enable and configure Dapr
-- Enable external or internal ingress
-- Provide minimum and maximum replica values or scale rules
+1. Set the environment variables.
 
-::: zone pivot="container-apps-private-registry"
+	Replace the `<PLACEHOLDERS>` with your values. Your user principal name will typically be in the format of an email address (for example, `username@domain.com`).
 
-# [Bash](#tab/bash)
+	# [Bash](#tab/bash)
 
-For details on how to provide values for any of these parameters to the `create` command, run `az containerapp create --help` or [visit the online reference](/cli/azure/containerapp#az-containerapp-create). To generate credentials for an Azure Container Registry, use [az acr credential show](/cli/azure/acr/credential#az-acr-credential-show).
+	```bash
+	CONTAINER_APP_NAME=my-container-app
+	KEY_VAULT_NAME=my-key-vault
+	USER_PRINCIPAL_NAME=<USER_PRINCIPAL_NAME>
+	SECRET_NAME=my-secret-name
+	CONTAINER_IMAGE_NAME=<CONTAINER_IMAGE_NAME>
+	REGISTRY_SERVER=<REGISTRY_SERVER>
+	REGISTRY_USERNAME=<REGISTRY_USERNAME>
+	```
 
-```bash
-CONTAINER_IMAGE_NAME=<CONTAINER_IMAGE_NAME>
-REGISTRY_SERVER=<REGISTRY_SERVER>
-REGISTRY_USERNAME=<REGISTRY_USERNAME>
-REGISTRY_PASSWORD=<REGISTRY_PASSWORD>
-```
+	# [Azure PowerShell](#tab/azure-powershell)
 
-(Replace the \<placeholders\> with your values.)
+	```azurepowershell-interactive
+	$ContainerAppName = "my-container-app"
+	$KeyVaultName = "my-key-vault"
+	$UserPrincipalName = "<USER_PRINCIPAL_NAME>"
+	$SecretName = "my-secret-name"
+	$ContainerImageName = "<CONTAINER_IMAGE_NAME>"
+	$RegistryServer = "<REGISTRY_SERVER>"
+	$RegistryUsername = "<REGISTRY_USERNAME>"
+	```
 
-```azurecli-interactive
-az containerapp create \
-  --name my-container-app \
-  --resource-group $RESOURCE_GROUP \
-  --image $CONTAINER_IMAGE_NAME \
-  --environment $CONTAINERAPPS_ENVIRONMENT \
-  --registry-server $REGISTRY_SERVER \
-  --registry-username $REGISTRY_USERNAME \
-  --registry-password $REGISTRY_PASSWORD
-```
+	---
 
-# [Azure PowerShell](#tab/azure-powershell)
+1. Create the key vault.
 
-```azurepowershell-interactive
-$ContainerImageName = "<CONTAINER_IMAGE_NAME>"
-$RegistryServer = "<REGISTRY_SERVER>"
-$RegistryUsername = "<REGISTRY_USERNAME>"
-$RegistryPassword = "<REGISTRY_PASSWORD>"
-```
+	Storing your container registry password using a service such as [Azure Key Vault](/azure/key-vault/general/basic-concepts) keeps the values secure at all times. The steps in this section show how to create a key vault, store your container registry password the Key Vault, and then retrieve the password for use in your code.
 
-(Replace the \<placeholders\> with your values.)
+	# [Bash](#tab/bash)
 
-```azurepowershell-interactive
-$EnvId = (Get-AzContainerAppManagedEnv -ResourceGroupName $ResourceGroupName -EnvName $ContainerAppsEnvironment).Id
+	```bash
+	az keyvault create --name $KEY_VAULT_NAME --resource-group $RESOURCE_GROUP
+	```
 
-$TemplateObj = New-AzContainerAppTemplateObject -Name my-container-app -Image $ContainerImageName
+	# [Azure PowerShell](#tab/azure-powershell)
 
-$RegistrySecretObj = New-AzContainerAppSecretObject -Name registry-secret -Value $RegistryPassword
+	Install the [Key Vault](https://www.powershellgallery.com/packages/Az.KeyVault) module.
 
-$RegistryArgs = @{
-    PasswordSecretRef = 'registry-secret'
-    Server = $RegistryServer
-    Username = $RegistryUsername
-}
+	```azurepowershell-interactive
+	Install-Module Az.KeyVault -Repository PSGallery -Force
+	```
 
-$RegistryObj = New-AzContainerAppRegistryCredentialObject @RegistryArgs
+	```azurepowershell-interactive
+	New-AzKeyVault -Name "$KeyVaultName" -ResourceGroupName "$ResourceGroupName" -Location "$Location"
+	```
 
-$ContainerAppArgs = @{
-    Name = 'my-container-app'
-    Location = $Location
-    ResourceGroupName = $ResourceGroupName
-    ManagedEnvironmentId = $EnvId
-    TemplateContainer = $TemplateObj
-    ConfigurationRegistry = $RegistryObj
-    ConfigurationSecret = $RegistrySecretObj
-}
+	---
 
-New-AzContainerApp @ContainerAppArgs
-```
+1. Give your user account permissions to manage secrets in the key vault.
 
----
+	# [Bash](#tab/bash)
+
+	```bash
+	KEY_VAULT_ID=$(az keyvault show --name $KEY_VAULT_NAME --query id --output tsv)
+	az role assignment create --role "Key Vault Secrets Officer" --assignee "$USER_PRINCIPAL_NAME" --scope "$KEY_VAULT_ID"
+	```
+
+	# [Azure PowerShell](#tab/azure-powershell)
+
+	```azurepowershell-interactive
+	$KeyVault=Get-AzKeyVault -VaultName $KeyVaultName
+	New-AzRoleAssignment -SignInName "$UserPrincipalName" -RoleDefinitionName "Key Vault Secrets Officer" -Scope $KeyVault.ResourceID
+	```
+
+	---
+
+1. Store your container registry password in the key vault.
+
+	Replace `<REGISTRY_PASSWORD>` with your value.
+
+	# [Bash](#tab/bash)
+
+	```bash
+	az keyvault secret set --vault-name $KEY_VAULT_NAME --name $SECRET_NAME --value "<REGISTRY_PASSWORD>"
+	```
+
+	# [Azure PowerShell](#tab/azure-powershell)
+
+	```azurepowershell-interactive
+	$Secret = ConvertTo-SecureString -String "<REGISTRY_PASSWORD>" -AsPlainText -Force
+	Set-AzKeyVaultSecret -VaultName "$KeyVaultName" -Name "$SecretName" -SecretValue "$Secret"
+	```
+
+	---
+
+1. Retrieve your container registry password from the key vault.
+
+	# [Bash](#tab/bash)
+
+	```bash
+	REGISTRY_PASSWORD=$(az keyvault secret show --name $SECRET_NAME --vault-name $KEY_VAULT_NAME --query value --output tsv)
+	```
+
+	# [Azure PowerShell](#tab/azure-powershell)
+
+	```azurepowershell-interactive
+	$RegistryPassword = Get-AzKeyVaultSecret -VaultName "$KeyVaultName" -Name "$SecretName" -AsPlainText
+	```
+
+	---
+
+1. Deploy a container image to Azure Container Apps.
+
+	# [Bash](#tab/bash)
+
+	```azurecli-interactive
+	az containerapp create \
+	  --name $CONTAINER_APP_NAME \
+	  --location $LOCATION \
+	  --resource-group $RESOURCE_GROUP \
+	  --image $CONTAINER_IMAGE_NAME \
+	  --environment $CONTAINERAPPS_ENVIRONMENT \
+	  --registry-server $REGISTRY_SERVER \
+	  --registry-username $REGISTRY_USERNAME \
+	  --registry-password $REGISTRY_PASSWORD
+	```
+
+	If you have enabled ingress on your container app, you can add `--query properties.configuration.ingress.fqdn` to the `create` command to return the public URL for the application.
+
+	# [Azure PowerShell](#tab/azure-powershell)
+
+	```azurepowershell-interactive
+	$EnvId = (Get-AzContainerAppManagedEnv -ResourceGroupName $ResourceGroupName -EnvName $ContainerAppsEnvironment).Id
+	```
+
+	```azurepowershell-interactive
+	$TemplateObj = New-AzContainerAppTemplateObject -Name $ContainerAppName -Image $ContainerImageName
+	```
+
+	```azurepowershell-interactive
+	$RegistrySecretObj = New-AzContainerAppSecretObject -Name $SecretName -Value $RegistryPassword
+	```
+
+	```azurepowershell-interactive
+	$RegistryArgs = @{
+		PasswordSecretRef = $SecretName
+		Server = $RegistryServer
+		Username = $RegistryUsername
+	}
+	```
+
+	```azurepowershell-interactive
+	$RegistryObj = New-AzContainerAppRegistryCredentialObject @RegistryArgs
+	```
+
+	```azurepowershell-interactive
+	$ContainerAppArgs = @{
+		Name = $ContainerAppName
+		Location = $Location
+		ResourceGroupName = $ResourceGroupName
+		ManagedEnvironmentId = $EnvId
+		TemplateContainer = $TemplateObj
+		ConfigurationRegistry = $RegistryObj
+		ConfigurationSecret = $RegistrySecretObj
+	}
+	```
+
+	```azurepowershell-interactive
+	New-AzContainerApp @ContainerAppArgs
+	```
+
+	---
 
 ::: zone-end
 
 ::: zone pivot="container-apps-public-registry"
 
-# [Bash](#tab/bash)
+1. Set the environment variables.
 
-```azurecli-interactive
-az containerapp create \
-  --image <REGISTRY_CONTAINER_NAME> \
-  --name my-container-app \
-  --resource-group $RESOURCE_GROUP \
-  --environment $CONTAINERAPPS_ENVIRONMENT
+	# [Bash](#tab/bash)
 
-If you have enabled ingress on your container app, you can add `--query properties.configuration.ingress.fqdn` to the `create` command to return the public URL for the application.
+	```bash
+	CONTAINER_APP_NAME=my-container-app
+	CONTAINER_IMAGE_NAME=mcr.microsoft.com/k8se/quickstart:latest
+	```
 
-```
+	# [Azure PowerShell](#tab/azure-powershell)
 
-# [Azure PowerShell](#tab/azure-powershell)
+	```azurepowershell-interactive
+	$ContainerAppName = "my-container-app"
+	$ContainerImageName = "mcr.microsoft.com/k8se/quickstart:latest"
+	```
 
-```azurepowershell-interactive
-$TemplateObj = New-AzContainerAppTemplateObject -Name my-container-app  -Image "<REGISTRY_CONTAINER_NAME>"
-```
+1. Deploy a container image to Azure Container Apps.
 
-(Replace the \<REGISTRY_CONTAINER_NAME\> with your value.)
+	# [Bash](#tab/bash)
 
-```azurepowershell-interactive
-$EnvId = (Get-AzContainerAppManagedEnv -ResourceGroupName $ResourceGroupName -EnvName $ContainerAppsEnvironment).Id
-
-$ContainerAppArgs = @{
-    Name = "my-container-app"
-    Location = $Location
-    ResourceGroupName = $ResourceGroupName
-    ManagedEnvironmentId = $EnvId
-    TemplateContainer = $TemplateObj
-}
-New-AzContainerApp @ContainerAppArgs
-```
+	```azurecli-interactive
+	az containerapp create \
+	  --image $CONTAINER_IMAGE_NAME \
+	  --name $CONTAINER_APP_NAME \
+	  --resource-group $RESOURCE_GROUP \
+	  --environment $CONTAINERAPPS_ENVIRONMENT
+	```
 
----
+	If you have enabled ingress on your container app, you can add `--query properties.configuration.ingress.fqdn` to the `create` command to return the public URL for the application.
+
+	# [Azure PowerShell](#tab/azure-powershell)
+
+	```azurepowershell-interactive
+	$TemplateObj = New-AzContainerAppTemplateObject -Name $ContainerAppName  -Image $ContainerImageName
+	```
+
+	```azurepowershell-interactive
+	$EnvId = (Get-AzContainerAppManagedEnv -ResourceGroupName $ResourceGroupName -EnvName $ContainerAppsEnvironment).Id
+	```
 
-Before you run this command, replace `<REGISTRY_CONTAINER_NAME>` with the full name the public container registry location, including the registry path and tag. For example, a valid container name is `mcr.microsoft.com/k8se/quickstart:latest`.
+	```azurepowershell-interactive
+	$ContainerAppArgs = @{
+		Name = $ContainerAppName
+		Location = $Location
+		ResourceGroupName = $ResourceGroupName
+		ManagedEnvironmentId = $EnvId
+		TemplateContainer = $TemplateObj
+	}
+	```
+
+	```azurepowershell-interactive
+	New-AzContainerApp @ContainerAppArgs
+	```
+
+---
 
 ::: zone-end
 
@@ -173,14 +285,14 @@ LOG_ANALYTICS_WORKSPACE_CLIENT_ID=`az containerapp env show --name $CONTAINERAPP
 
 az monitor log-analytics query \
   --workspace $LOG_ANALYTICS_WORKSPACE_CLIENT_ID \
-  --analytics-query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'my-container-app' | project ContainerAppName_s, Log_s, TimeGenerated" \
+  --analytics-query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == $CONTAINER_APP_NAME | project ContainerAppName_s, Log_s, TimeGenerated" \
   --out table
 ```
 
 # [Azure PowerShell](#tab/azure-powershell)
 
 ```azurepowershell-interactive
-$queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'my-container-app' | project ContainerAppName_s, Log_s, TimeGenerated"
+$queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == $ContainerAppName | project ContainerAppName_s, Log_s, TimeGenerated"
 $queryResults.Results
 ```
 
diff --git a/includes/container-apps-set-environment-variables.md b/includes/container-apps-set-environment-variables.md
@@ -8,7 +8,7 @@ ms.author: cshoe
 
 ## Set environment variables
 
-Set the following environment variables. Replace \<PLACEHOLDERS\> with your values:
+Set the following environment variables. Replace the `<PLACEHOLDERS>` with your values:
 
 # [Bash](#tab/bash)
 
