
ACA Container volumes use shared access keys #8939

@eerhardt

Description


When using container volumes in an ACA app, we are generating an Azure Storage account for storing those volumes.

However, the way the access from ACA to this storage account happens is via access keys:

```csharp
// Reads the first storage account access key and hands it to the ACA environment storage.
var keysExpr = storageVolume.GetKeys()[0].Compile();
var keyValue = new MemberExpression(keysExpr, "value");
var containerAppStorage = new ContainerAppManagedEnvironmentStorage(managedStorageName)
{
    Parent = containerAppEnvironment,
    ManagedEnvironmentStorageAzureFile = new()
    {
        ShareName = share.Name,
        AccountName = storageVolume.Name,
        AccountKey = keyValue, // shared key, not a managed identity
        AccessMode = ContainerAppAccessMode.ReadWrite
    }
};
```

This means that an Azure Storage account is created that allows shared key access, which may trigger security rules in environments that don't want to allow Azure Storage accounts with access keys.

We should be using managed identities here instead, to allow communication between the ACA container and the Storage account.
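A defender-side check for the concern raised in this issue, added here as an example that is not part of the issue or of Aspire: it scans the JSON that `az storage account list` emits and flags accounts that still accept Shared Key authentication, treating a missing `allowSharedKeyAccess` as enabled because that is the ARM default. The sample accounts are constructed.

```python
"""Flag Azure Storage accounts that still permit shared-key (access key) auth.

Added example, not part of the Aspire issue or code base. It consumes the JSON
shape returned by `az storage account list -o json`; the accounts below are
constructed, not real resources.
"""
import json

# Constructed sample output (account names are made up).
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {
        "name": "acavolumes123",
        # Property omitted: ARM defaults allowSharedKeyAccess to true.
    },
    {
        "name": "hardenedstore456",
        "allowSharedKeyAccess": False,
    },
    {
        "name": "legacystore789",
        "allowSharedKeyAccess": True,
    },
])


def shared_key_enabled(account: dict) -> bool:
    """True when the account accepts Shared Key auth.

    ARM treats a missing allowSharedKeyAccess as true, so only an explicit
    False counts as hardened.
    """
    return account.get("allowSharedKeyAccess") is not False


def find_shared_key_accounts(accounts_json: str) -> list[dict]:
    """Return one finding per account that still allows access keys."""
    findings = []
    for acct in json.loads(accounts_json):
        if shared_key_enabled(acct):
            explicit = "allowSharedKeyAccess" in acct
            findings.append({
                "name": acct.get("name"),
                "reason": ("allowSharedKeyAccess is true" if explicit
                           else "allowSharedKeyAccess not set (defaults to true)"),
            })
    return findings


if __name__ == "__main__":
    for f in find_shared_key_accounts(SAMPLE_ACCOUNTS_JSON):
        print(f"{f['name']}: {f['reason']}")
```

Against a real subscription, pipe `az storage account list -o json` into `find_shared_key_accounts`; an account provisioned the way the snippet above does will show up as a finding until shared key access is disabled.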
