
ACA Container volumes use shared access keys #8939

@eerhardt

Description


When using container volumes in an ACA app, we are generating an Azure Storage account for storing those volumes.

However, the way the access from ACA to this storage account happens is via access keys:

// storageVolume is the generated StorageAccount; GetKeys() compiles to a
// Bicep listKeys(...) call, so the account key is read at deployment time
var keysExpr = storageVolume.GetKeys()[0].Compile();
var keyValue = new MemberExpression(keysExpr, "value");

// The key is then embedded in the managed environment storage definition
var containerAppStorage = new ContainerAppManagedEnvironmentStorage(managedStorageName)
{
    Parent = containerAppEnvironment,
    ManagedEnvironmentStorageAzureFile = new()
    {
        ShareName = share.Name,
        AccountName = storageVolume.Name,
        AccountKey = keyValue,   // shared key, not a managed identity
        AccessMode = ContainerAppAccessMode.ReadWrite
    }
};

This means that an Azure Storage account is created that allows shared key access, which may trigger security rules in environments that don't want to allow Azure Storage accounts with access keys.

We should be using managed identities here instead, to allow communication between the ACA container and the Storage account.
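As an added example, not part of the issue or of the Aspire code base, here is a small Python audit of the kind of ARM template the provisioning code above emits. It runs against a constructed sample template with hypothetical resource names: it flags every Microsoft.Storage/storageAccounts resource that has not explicitly set allowSharedKeyAccess to false (ARM treats the omitted property as true) and every Microsoft.App/managedEnvironments/storages resource whose azureFile.accountKey is populated, distinguishing a key pulled at deployment time through listKeys() from a literal value. The second finding in the sample is exactly the pattern the GetKeys() call in the issue produces.

```python
import json
import re

# Constructed sample (not real Aspire output): a trimmed ARM template of the
# shape the provisioning code in the issue produces. Resource names are
# hypothetical. The first storage account omits allowSharedKeyAccess (ARM
# defaults it to true); the managed environment storage mounts the share with
# a key obtained via listKeys(); the second account has shared keys disabled.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2023-01-01",
            "name": "volumes",
            "properties": {"minimumTlsVersion": "TLS1_2"},
        },
        {
            "type": "Microsoft.App/managedEnvironments/storages",
            "apiVersion": "2024-03-01",
            "name": "cae/volumes-data",
            "properties": {
                "azureFile": {
                    "accountName": "volumes",
                    "shareName": "data",
                    "accountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', 'volumes'), '2023-01-01').keys[0].value]",
                    "accessMode": "ReadWrite",
                }
            },
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2023-01-01",
            "name": "hardened",
            "properties": {"allowSharedKeyAccess": False},
        },
    ]
})

# Matches the ARM template function that reads account keys at deploy time.
LISTKEYS_RE = re.compile(r"\blistKeys\s*\(", re.IGNORECASE)


def audit_template(template_json: str) -> list:
    """Return one finding per storage account that still accepts shared-key
    auth and per ACA managed environment storage that mounts a share with an
    account key. An empty list means the template is clean for these rules."""
    template = json.loads(template_json)
    findings = []
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        name = res.get("name", "")
        props = res.get("properties") or {}
        if rtype == "microsoft.storage/storageaccounts":
            # Omitting the property is not a pass: ARM defaults it to true.
            if props.get("allowSharedKeyAccess") is not False:
                findings.append({
                    "resource": name,
                    "rule": "shared-key-access-enabled",
                    "fix": "set properties.allowSharedKeyAccess to false",
                })
        elif rtype == "microsoft.app/managedenvironments/storages":
            account_key = (props.get("azureFile") or {}).get("accountKey")
            if account_key:
                source = "listKeys()" if LISTKEYS_RE.search(str(account_key)) else "literal"
                findings.append({
                    "resource": name,
                    "rule": "account-key-mount",
                    "key_source": source,
                    "fix": "mount the share with a managed identity instead of an account key",
                })
    return findings


def is_clean(template_json: str) -> bool:
    """True when the template triggers none of the shared-key rules."""
    return not audit_template(template_json)


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run it over the generated template before deploying: a storage account that passes the first rule but is still referenced by an account-key mount will fail at deployment once allowSharedKeyAccess is false, which is the same incompatibility the issue is pointing at.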
