Azure Container Apps has rolled out support for Azure Key Vault certificates on both the individual app and environment levels. This improvement makes it easier than ever for developers to manage authentication and certificates for their applications. This blog post will introduce certificate management in Container Apps and the benefits of storing your credentials in Key Vault. For detailed documentation on this feature, check here.
Secure communication across services requires the constant management of information such as secrets, credentials, certificates, and keys. They have to be maintained with regular updates, renewals, and monitoring. Vulnerabilities like pushing a private connection string to the cloud are easy to create but difficult to detect and fix.
Container Apps has always provided options for certificate management such as Container App Managed Certificates. The support for Key Vault improves on that because it simplifies tasks like autorotation and follows security best practices by using managed identities to manage certificates.
Key Vault’s certificate management service is powerful and comprehensive, allowing for everything from automatic renewal to setting up notifications around lifecycle events. That means that once a developer has integrated Key Vault into their project, they can stop thinking about maintaining the security of their application and focus on writing code.
Access to Key Vault leverages managed identities, which follows Azure security best practices.
Now, we will walk through an overview of how to connect to Azure Key Vault using the Azure CLI and the Portal. To follow this tutorial, you will need a Key Vault, a certificate, and an environment-level managed identity – all with the correct permissions configured. Detailed documentation, including how to set up the necessary resources and permissions, can be found here.
Navigate to your Container Apps Environment and open the ‘Certificates’ blade. Navigate to the ‘Bring your own certificates (.pfx)’ tab.
Select ‘Add certificate’ and for ‘Source’, select ‘Import from Key Vault’. Go through the process of selecting your Key Vault and certificate.
You will then be asked for the managed identity you want to use for authentication. You will be able to use either a System assigned or User assigned identity. Click ‘Add’ and if all permissions are correctly configured for your Key Vault and managed identity, your certificate should be successfully imported.
If you haven't already, install version 0.3.49 or higher of the containerapp extension for the Azure CLI. Check the version of your extension with this command (findstr is the Windows equivalent of grep):
az extension list-available --output table | findstr containerapp
Run the following CLI command to add a certificate; the bracketed options are the ones the command accepts, and the Key Vault source is selected with --akv-url together with the managed identity given by --certificate-identity:
az containerapp env certificate upload [--akv-url]
[--certificate-file]
[--certificate-identity]
[--certificate-name]
[--ids]
[--location]
[--name]
[--password]
[--resource-group]
[--show-prompt]
[--subscription]
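The CLI steps above, put together as a script (an added example, not code from the original post or from the Container Apps team): it checks the installed containerapp extension against the 0.3.49 minimum, validates the Key Vault URL, and only calls Azure when run with --run. The URL shape, the value "system" for the system-assigned identity, and all resource names are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example: upload a Key Vault certificate to a Container Apps environment.
# Placeholder names (my-rg, my-env, my-vault, my-cert) are constructed; the
# secrets/ URL form and "system" identity value are assumed from the CLI help.
set -eu

MIN_EXT_VERSION="0.3.49"   # minimum containerapp extension version named in the post

# version_ge A B -> returns 0 when dotted numeric version A >= B
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"            # leading field of each version
    [ "$x" = "$a" ] && a="" || a="${a#*.}" # drop the consumed field
    [ "$y" = "$b" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"              # missing field counts as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# validate_akv_url URL -> 0 only for an https Key Vault secret/certificate URL
validate_akv_url() {
  case "$1" in
    https://*.vault.azure.net/secrets/*|https://*.vault.azure.net/certificates/*) return 0 ;;
    *) return 1 ;;
  esac
}

# run_upload RG ENV AKV_URL IDENTITY CERT_NAME (set AZ_CMD=echo for a dry run)
run_upload() {
  [ $# -eq 5 ] || { echo "usage: run_upload RG ENV AKV_URL IDENTITY CERT_NAME" >&2; return 1; }
  validate_akv_url "$3" || { echo "not a Key Vault secret/certificate URL: $3" >&2; return 1; }
  "${AZ_CMD:-az}" containerapp env certificate upload \
    --resource-group "$1" --name "$2" \
    --akv-url "$3" --certificate-identity "$4" --certificate-name "$5"
}

# Only talk to Azure when explicitly asked: sh upload-kv-cert.sh --run
if [ "${1:-}" = "--run" ]; then
  installed=$(az extension list --query "[?name=='containerapp'].version" -o tsv)
  version_ge "${installed:-0}" "$MIN_EXT_VERSION" || {
    echo "containerapp extension '${installed:-none}' is older than $MIN_EXT_VERSION;" \
         "run: az extension update --name containerapp" >&2; exit 1; }
  # "system" picks the system-assigned identity; a user-assigned identity is
  # passed as its resource ID instead (both assumed from the CLI help)
  run_upload my-rg my-env https://my-vault.vault.azure.net/secrets/my-cert system my-cert
  az containerapp env certificate list --resource-group my-rg --name my-env -o table
fi
```

The final list call shows the imported certificate alongside any managed certificates already on the environment, which is the quickest way to confirm the import and the identity's permissions worked.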
Congratulations, you have just set up certificate management through Key Vault for your application! You should now have a better understanding of the benefits of certificate management for your Container App. Thank you for reading!