Hello again @Balanjaneyulu Kantu (Quadrant Technologies). Follow these steps to get a working example:

- Go to the portal and open the Cloud Shell in bash mode.
- Set the environment variables:

```bash
export AZ_RESOURCE_GROUP_NAME="mfc-resource-group"
export AZ_KEY_VAULT_NAME="mfc-key-vault"
export AZ_SECRET_NAME="top-secret"
export AZ_SECRET_VALUE="Top secret"
export AZ_USER_IDENTITY_NAME="mfc-user-identity"
export AZ_CONTAINER_NAME="mfc-container"
```

- Double-check that all environment variables are set:

```bash
env | grep AZ_
```

- Create the Resource Group:

```bash
az group create \
  --name $AZ_RESOURCE_GROUP_NAME \
  --location eastus
```

- Create the Key Vault and get the resource id:

```bash
# RBAC permission model, so the role assignments below govern secret access
az keyvault create \
  --name $AZ_KEY_VAULT_NAME \
  --resource-group $AZ_RESOURCE_GROUP_NAME \
  --location eastus \
  --enable-rbac-authorization true
AZ_KEY_VAULT_RESOURCE_ID=$(az keyvault show \
  --name $AZ_KEY_VAULT_NAME \
  --query id \
  --output tsv)
```

- Assign the current user the Key Vault Administrator role in order to add the secret:

```bash
AZ_CURRENT_USER_PRINCIPAL_NAME=$(az ad signed-in-user show \
  --query userPrincipalName \
  --output tsv)
az role assignment create \
  --role "Key Vault Administrator" \
  --assignee $AZ_CURRENT_USER_PRINCIPAL_NAME \
  --scope $AZ_KEY_VAULT_RESOURCE_ID
```

- Add a new secret:

```bash
az keyvault secret set \
  --name $AZ_SECRET_NAME \
  --value "$AZ_SECRET_VALUE" \
  --vault-name $AZ_KEY_VAULT_NAME
```

- Add an identity:

```bash
az identity create \
  --name $AZ_USER_IDENTITY_NAME \
  --resource-group $AZ_RESOURCE_GROUP_NAME
```

- Get the principal id and the resource id of the identity:

```bash
AZ_IDENTITY_PRINCIPAL_ID=$(az identity show \
  --name $AZ_USER_IDENTITY_NAME \
  --resource-group $AZ_RESOURCE_GROUP_NAME \
  --query principalId \
  --output tsv)
AZ_IDENTITY_RESOURCE_ID=$(az identity show \
  --name $AZ_USER_IDENTITY_NAME \
  --resource-group $AZ_RESOURCE_GROUP_NAME \
  --query id \
  --output tsv)
```

- Add a role assignment to the identity in the Key Vault:

```bash
# Secrets User is read-only on secret contents; scoped to this vault only
az role assignment create \
  --role "Key Vault Secrets User" \
  --assignee $AZ_IDENTITY_PRINCIPAL_ID \
  --scope $AZ_KEY_VAULT_RESOURCE_ID
```

- Now you can check that the identity has the role in the Key Vault.
- Create the Container. I used the azure-cli image only for the purpose of showing the secret:

```bash
az container create \
  --name $AZ_CONTAINER_NAME \
  --resource-group $AZ_RESOURCE_GROUP_NAME \
  --image mcr.microsoft.com/azure-cli \
  --assign-identity $AZ_IDENTITY_RESOURCE_ID \
  --restart-policy Never \
  --command-line "/bin/sh -c \"az login --identity && az keyvault secret show --name $AZ_SECRET_NAME --vault-name $AZ_KEY_VAULT_NAME\""
```

- Wait for the container creation and check the log:

```bash
az container logs \
  --name $AZ_CONTAINER_NAME \
  --resource-group $AZ_RESOURCE_GROUP_NAME
```

Hope this helps,
Miguel.
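For the "check that the identity has the role" step, here is an added Python example (not part of the answer above) that evaluates role-assignment JSON of the shape returned by `az role assignment list --assignee <principalId> --all --output json`: it confirms the identity holds Key Vault Secrets User at vault scope and flags any inherited or broader assignment. The subscription id, principal ids and vault path are constructed placeholders.

```python
"""Evaluate Key Vault role assignments for a managed identity (added example).

Input shape mirrors `az role assignment list --assignee <principalId> --all
--output json` (keys: principalId, roleDefinitionName, scope). Everything
below is constructed offline sample data; nothing calls Azure.
"""
import json

# Constructed placeholders standing in for real subscription/principal ids.
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/mfc-resource-group"
            "/providers/Microsoft.KeyVault/vaults/mfc-key-vault")
IDENTITY_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"

SAMPLE_ASSIGNMENTS = json.dumps([
    # the assignment the answer creates: read-only secrets access, vault scope
    {"principalId": IDENTITY_PRINCIPAL_ID,
     "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_ID},
    # an over-broad assignment at subscription scope, inherited by the vault
    {"principalId": IDENTITY_PRINCIPAL_ID,
     "roleDefinitionName": "Key Vault Administrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    # a different principal, which must be ignored
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_ID},
])


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """Azure RBAC inherits downward: a parent-scope assignment applies to the vault."""
    a, t = assigned_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def check_vault_access(assignments_json: str, principal_id: str, vault_id: str,
                       required_role: str = "Key Vault Secrets User") -> dict:
    """Report whether the identity holds required_role at vault scope and list
    every effective assignment that grants more than that (least privilege)."""
    has_required, excess = False, []
    for a in json.loads(assignments_json):
        if a["principalId"].lower() != principal_id.lower():
            continue
        if not scope_covers(a["scope"], vault_id):
            continue  # assignment does not apply to this vault
        role, scope = a["roleDefinitionName"], a["scope"]
        if role == required_role and scope.lower() == vault_id.lower():
            has_required = True
        else:
            excess.append((role, scope))  # broader role or broader scope
    return {"has_required": has_required, "excess": excess}
```

On the sample data the result is `has_required` true with one excess entry, the subscription-scoped Key Vault Administrator assignment, which is what a least-privilege review should surface.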