Merge pull request #277229 from vturecek/capps-msi-keda

Container Apps: KEDA and identity settings

Author: prmerger-automator[bot]

articles/container-apps/managed-identity.md

@@ -46,8 +46,7 @@ User-assigned identities are ideal for workloads that:
 
 ## Limitations
 
-- Managed identities in scale rules isn't supported. You need to include connection strings or keys in the `secretRef` of the scaling rule.
-- [Init containers](containers.md#init-containers) can't access managed identities.
+[Init containers](containers.md#init-containers) can't access managed identities in [consumption-only environments](environment.md#types) and [dedicated workload profile environments](environment.md#types)
 
 ## Configure managed identities
 
@@ -351,6 +350,98 @@ To get a token for a resource, make an HTTP `GET` request to the endpoint, inclu
 
 ---
 
+## Use managed identity for scale rules
+
+Starting in API version `2024-02-02-preview`, you can use managed identities in your scale rules to authenticate with Azure services that support managed identities. To use a managed identity in your scale rule, use the `identity` property instead of the `auth` property in your scale rule. Acceptable values for the `identity` property are either the Azure resource ID of a user-assigned identity, or `system` to use a system-assigned identity
+
+The following example shows how to use a managed identities with an Azure Queue Storage scale rule. The queue storage account uses the `accountName` property to identify the storage account, while the `identity` property specifies which managed identity to use. You do not need to use the `auth` property.
+
+```json
+"scale": {
+    "minReplicas": 1,
+    "maxReplicas": 10,
+    "rules": [{
+        "name": "myQueueRule",
+        "azureQueue": {
+            "accountName": "mystorageaccount",
+            "queueName": "myqueue",
+            "queueLength": 2,
+            "identity": "<IDENTITY1_RESOURCE_ID>"
+        }
+    }]
+}
+```
+
+## Control managed identity availability
+
+Container Apps allow you to specify [init containers](containers.md#init-containers) and main containers. By default, both main and init containers in a consumption workload profile environment can use managed identity to access other Azure services. In consumption-only environments and dedicated workload profile environments, only main containers can use managed identity. Managed identity access tokens are available for every managed identity configured on the container app. However, in some situations only the init container or the main container require access tokens for a managed identity. Other times, you may use a managed identity only to access your Azure Container Registry to pull the container image, and your application itself doesn't need to have access to your Azure Container Registry.
+
+Starting in API version `2024-02-02-preview`, you can control which managed identities are available to your container app during the init and main phases to follow the security principle of least privilege. The following options are available:
+
+- `Init`: available only to init containers. Use this when you want to perform some intilization work that requires a managed identity, but you no longer need the managed identity in the main container. This option is currently only supported in [workload profile consumption environments](environment.md#types)
+- `Main`: available only to main containers. Use this if your init container does not need managed identity.
+- `All`: available to all containers. This is the default setting.
+- `None`: not available to any containers. Use this when you have a managed identity that is only used for ACR image pull, scale rules, or Key Vault secrets and does not need to be available to the code running in your containers.
+
+The following example shows how to configure a container app on a workload profile consumption environment that:
+
+- Restricts the container app's system-assigned identity to main containers only.
+- Restricts a specific user-assigned identity to init containers only.
+- Uses a specific user-assigned identity for Azure Container Registry image pull without allowing the code in the containers to use that managed identity to access the registry. In this example, the containers themselves don't need to access the registry.
+
+This approach limits the resources that can be accessed if a malicious actor were to gain unauthorized access to the containers.
+
+```json
+{
+    "location": "eastus2",
+    "identity":{
+    "type": "SystemAssigned, UserAssigned",
+        "userAssignedIdentities": {
+            "<IDENTITY1_RESOURCE_ID>":{},
+            "<ACR_IMAGEPULL_IDENTITY_RESOURCE_ID>":{}
+         }
+     },
+    "properties": {
+        "workloadProfileName":"Consumption",
+        "environmentId": "<CONTAINER_APPS_ENVIRONMENT_ID>",
+        "configuration": {
+            "registries": [
+            {
+                "server": "myregistry.azurecr.io",
+                "identity": "ACR_IMAGEPULL_IDENTITY_RESOURCE_ID"
+            }],
+            "identitySettings":[
+            {
+                "identity": "ACR_IMAGEPULL_IDENTITY_RESOURCE_ID",
+                "lifecycle": "none"
+            },
+            {
+                "identity": "<IDENTITY1_RESOURCE_ID>",
+                "lifecycle": "init"
+            },
+            {
+                "identity": "system",
+                "lifecycle": "main"
+            }]
+        },
+        "template": {
+            "containers":[
+                {
+                    "image":"myregistry.azurecr.io/main:1.0",
+                    "name":"app-main"
+                }
+            ],
+            "initContainers":[
+                {
+                    "image":"myregistry.azurecr.io/init:1.0",
+                    "name":"app-init",
+                }
+            ]
+        }
+    }
+}
+```
+
 ## View managed identities
 
 You can show the system-assigned and user-assigned managed identities using the following Azure CLI command. The output shows the managed identity type, tenant IDs and principal IDs of all managed identities assigned to your container app.