I'm creating an Azure Marketplace Application offering that includes the provisioning of Azure Container Apps to customers' tenants. These Container Apps must pull their image from an Azure Container Registry on my tenant (publisher).
I have trouble finding the correct way to handle the secrets/passwords needed for this scenario since I don't want them exposed anywhere. There are a couple of possible solutions I have thought of, but each one still has black holes for my current knowledge:
- Entra ID identities are tenant-scoped, so it is not possible to assign an identity from our publisher tenant to the Container App deployed in a customer tenant unless explicit cross-tenant access or trust is established, which is not feasible in an Azure Marketplace offering scenario
- A Key Vault could be used to store the token or any other secret needed. However, once again, as the Key Vault would be in our publisher tenant, we would not be able to grant the necessary access to the deployment process, making this option unusable
- The best solution so far: create an App registration used exclusively to pull images from my ACR, assign a managed identity with the AcrPull role over the ACR, create a secret, and disclose that secret in my mainTemplate.json file or in the parameters file. This is the least risky option I have come up with, since the worst case is a compromise of a fairly useless App registration that can do nothing other than pull an image from a specific ACR
I'm pretty sure this is by no means anything out of the ordinary for Azure Marketplace offerings, but I'm struggling here. I'm researching on my own, but in the meantime maybe someone can shed some light on this subject.