Skip to content

ACA Container volumes use shared access keys #8939

New issue
New issue
Open
Feature
Open
ACA Container volumes use shared access keys#8939
Feature
Assignees
eerhardt
Labels
Azure.ProvisioningIssues with the Azure.Provisioning librarise (nee Azure CDK)area-deploymentazureIssues associated specifically with scenarios tied to using Azureazure-container-appssecurity 🔐
Milestone
 
Backlog
@eerhardt

Description

@eerhardt
eerhardt
opened on Apr 23, 2025

When using container volumes in an ACA app, we are generating an Azure Storage account for storing those volumes.

However, the way the access from ACA to this storage account happens is via access keys:

aspire/src/Aspire.Hosting.Azure.AppContainers/AzureContainerAppExtensions.cs

Lines 202 to 215 in 8fd92af

var keysExpr = storageVolume.GetKeys()[0].Compile();
var keyValue = new MemberExpression(keysExpr, "value");
var containerAppStorage = new ContainerAppManagedEnvironmentStorage(managedStorageName)
{
Parent = containerAppEnvironment,
ManagedEnvironmentStorageAzureFile = new()
{
ShareName = share.Name,
AccountName = storageVolume.Name,
AccountKey = keyValue,
AccessMode = ContainerAppAccessMode.ReadWrite
}
};

This means that an Azure Storage account is created that allows shared key access, which may trigger security rules in environments that don't want to allow Azure Storage accounts with access keys.

We should be using managed identities here instead, to allow communication between the ACA container and the Storage account.

Metadata

Metadata

Assignees

Labels

Azure.ProvisioningIssues with the Azure.Provisioning librarise (nee Azure CDK)area-deploymentazureIssues associated specifically with scenarios tied to using Azureazure-container-appssecurity 🔐

Type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions