Azure Container Apps has rolled out support for Azure Key Vault certificates on both the individual app and environment levels. This improvement makes it easier than ever for developers to manage authentication and certificates for their applications. This blog post will introduce certificate management in Container Apps and the benefits of storing your credentials in Key Vault. For detailed documentation on this feature, check here.
Intro to certificate management
Secure communication between services depends on constantly managing secrets, credentials, certificates, and keys, all of which need regular updates, renewals, and monitoring. Vulnerabilities like pushing a private connection string to the cloud are easy to create but difficult to detect and fix.
Container Apps has always provided options for certificate management, such as Container App Managed Certificates. Key Vault support improves on that because it simplifies tasks like automatic rotation and follows security best practices by using managed identities to access certificates.
Why Key Vault?
Key Vault’s certificate management service is powerful and comprehensive, allowing for everything from automatic renewal to setting up notifications around lifecycle events. That means that once a developer has integrated Key Vault into their project, they can stop thinking about maintaining the security of their application and focus on writing code.
Access to Key Vault uses managed identities, which follows Azure security best practices.
Get started with certificate management
Now, we will walk through an overview of how to connect to Azure Key Vault using the Azure CLI and the Portal. To follow this tutorial, you will need a Key Vault, a certificate, and an environment-level managed identity – all with the correct permissions configured. Detailed documentation, including how to set up the necessary resources and permissions, can be found here.
Portal
Navigate to your Container Apps Environment and open the ‘Certificates’ blade. Navigate to the ‘Bring your own certificates (.pfx)’ tab.
Select ‘Add certificate’ and for ‘Source’, select ‘Import from Key Vault’. Go through the process of selecting your Key Vault and certificate.
You will then be asked for the managed identity you want to use for authentication. You can use either a system-assigned or a user-assigned identity. Click ‘Add’; if all permissions are correctly configured for your Key Vault and managed identity, your certificate should be imported successfully.
CLI
If you haven't already, install version 0.3.49 or later of the containerapp extension for the Azure CLI. Check the version of your extension with this command:
az extension list-available --output table | findstr containerapp
Run the following CLI command to add a certificate:
az containerapp env certificate upload [--akv-url]
                                       [--certificate-file]
                                       [--certificate-identity]
                                       [--certificate-name]
                                       [--ids]
                                       [--location]
                                       [--name]
                                       [--password]
                                       [--resource-group]
                                       [--show-prompt]
                                       [--subscription]
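The CLI steps above, as an added example that is not part of the original post or of the Azure CLI project: a POSIX shell script that checks the installed extension version with `az extension show` (which also works on macOS and Linux, where `findstr` is unavailable; with the post's own command, use `grep` in its place), validates that `--akv-url` is a Key Vault secret identifier and that `--certificate-identity` is either `system` or a user-assigned identity resource ID, and prints the upload command as a dry run by default. All resource names are constructed placeholders, and the flag semantics are my reading of the extension's help text rather than something the post states.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or the Azure CLI project.
# Prepares the `az containerapp env certificate upload` call for a certificate
# stored in Key Vault, checks the inputs first, and only runs az when
# DRY_RUN=0 is set and the CLI is installed.
# Assumptions: every resource name below is a placeholder; --akv-url takes the
# Key Vault *secret* identifier of the certificate and --certificate-identity
# takes a user-assigned identity resource ID or the word "system" (my reading
# of the extension's help text).

# Constructed placeholder values.
RESOURCE_GROUP="my-rg"
ENVIRONMENT="my-aca-env"
KEY_VAULT="my-kv"
CERT_NAME="my-tls-cert"
IDENTITY="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-aca-identity"
MIN_EXT_VERSION="0.3.49"   # minimum containerapp extension version named in the post

# version_ge HAVE WANT: exit 0 when HAVE >= WANT, comparing major.minor.patch.
version_ge() {
  have="$1"; want="$2"
  hm=${have%%.*}; r=${have#*.}; hn=${r%%.*}; hp=${r#*.}; hp=${hp%%.*}
  wm=${want%%.*}; r=${want#*.}; wn=${r%%.*}; wp=${r#*.}; wp=${wp%%.*}
  [ "$hm" -gt "$wm" ] && return 0
  [ "$hm" -lt "$wm" ] && return 1
  [ "$hn" -gt "$wn" ] && return 0
  [ "$hn" -lt "$wn" ] && return 1
  [ "$hp" -ge "$wp" ]
}

# kv_secret_url VAULT CERT: prints the secret identifier of a Key Vault
# certificate (Key Vault exposes each certificate's PFX as a secret of the same name).
kv_secret_url() {
  printf 'https://%s.vault.azure.net/secrets/%s\n' "$1" "$2"
}

# is_kv_secret_url URL: exit 0 only for https://<vault>.vault.azure.net/secrets/<name>,
# which rejects the similar-looking /certificates/ and /keys/ identifiers.
is_kv_secret_url() {
  case "$1" in
    https://*.vault.azure.net/secrets/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# is_identity_arg VALUE: exit 0 for "system" or a user-assigned identity resource ID.
is_identity_arg() {
  case "$1" in
    system) return 0 ;;
    /subscriptions/*/providers/Microsoft.ManagedIdentity/userAssignedIdentities/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# build_upload_command RG ENV AKV_URL IDENTITY CERT_NAME: prints the CLI call for review.
build_upload_command() {
  printf 'az containerapp env certificate upload --resource-group %s --name %s --akv-url %s --certificate-identity %s --certificate-name %s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Validate the two arguments that are most often wrong before touching Azure.
AKV_URL=$(kv_secret_url "$KEY_VAULT" "$CERT_NAME")
is_kv_secret_url "$AKV_URL" || { echo "not a Key Vault secret identifier: $AKV_URL" >&2; exit 1; }
is_identity_arg "$IDENTITY" || { echo "unexpected identity argument: $IDENTITY" >&2; exit 1; }
CMD=$(build_upload_command "$RESOURCE_GROUP" "$ENVIRONMENT" "$AKV_URL" "$IDENTITY" "$CERT_NAME")

# Warn when the installed extension is older than the version the post requires.
if command -v az >/dev/null 2>&1; then
  installed=$(az extension show --name containerapp --query version -o tsv 2>/dev/null || echo "0.0.0")
  if ! version_ge "$installed" "$MIN_EXT_VERSION"; then
    echo "containerapp extension $installed is older than $MIN_EXT_VERSION; run: az extension add --upgrade --name containerapp" >&2
  fi
fi

if [ "${DRY_RUN:-1}" = 0 ] && command -v az >/dev/null 2>&1; then
  az containerapp env certificate upload \
    --resource-group "$RESOURCE_GROUP" --name "$ENVIRONMENT" \
    --akv-url "$AKV_URL" --certificate-identity "$IDENTITY" \
    --certificate-name "$CERT_NAME"
else
  echo "dry run (set DRY_RUN=0 with the Azure CLI installed and logged in to execute):"
  echo "$CMD"
fi
```

Run it as-is to see the command it would issue, then with `DRY_RUN=0` after `az login` to execute it. The checks catch the two values that most often go wrong (a `/certificates/` URL instead of the `/secrets/` identifier, and a malformed identity argument) before the call is made; and because the certificate stays in Key Vault, the PFX file and its password never pass through your shell, which is what the `--certificate-file`/`--password` path would require.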
Next steps
Congratulations, you have just set up certificate management through Key Vault for your application! You should now have a better understanding of the benefits of certificate management for your Container App. Thank you for reading!
Want to learn more? You can...
- Review the Azure Container Apps docs.
- Learn more about pricing details from the Azure Container Apps pricing page.
- Reach us directly at any time via our GitHub microsoft/azure-container-apps repo.
- Connect with the Azure Container Apps team on Twitter and Discord.
Updated May 14, 2024
Version 2.0
Jiachen Jiang
Microsoft
Apps on Azure Blog