Azure Marketplace Application offering with secrets for Container Registry access

AGA 5 Reputation points
2024-10-02T11:58:39.7066667+00:00

I'm creating an Azure Marketplace Application offering that includes the provisioning of Azure Container Apps to customers' tenants. These Container Apps must pull their image from an Azure Container Registry on my tenant (publisher).

I have trouble finding the correct way to handle the secrets/passwords needed for this scenario since I don't want them exposed anywhere. There are a couple of possible solutions I have thought of, but each one still has black holes for my current knowledge:

  • Entra IDs are tenant-scoped, so it is not possible to assign an identity from our publisher tenant to the Container App to be deployed on a customer tenant unless explicit cross-tenant access or trust is established, which is undoable on an Azure Marketplace offering scenario
  • A KeyVault could be used to store the token or any secret needed. However, once again, as the KeyVault will be in our publisher tenant, we would not be able to grant the necessary access to the deployment process, making this option unusable
  • The best solution so far: create an App registration exclusively to pull images from my ACR, assign a managed identity with AcrPull role over the ACR, create a secret, and disclose that secret on my mainTemplate.json file, or the parameters file. This is the least risky option I have come up with since the worst-case scenario is a hack on a pretty useless App registration, other than being able to pull an image from a specific ACR

I'm pretty sure this is by no means anything out of the ordinary for Azure Marketplace offerings, but I'm struggling here. I'm researching on my own, but in the meantime maybe someone can turn the light on for this subject.


1 answer

  1. Sam Cogan 10,757 Reputation points MVP
    2024-10-03T08:09:49.0766667+00:00

    Your last option is mostly the way to do it. The only way you can do cross-tenant authentication is to create a service principal in your tenant and use it in the customer tenant to pull images. Rather than hardcoding this in your ARM template, you can have your template read it from a Key Vault in your tenant at the time of the deployment. This tutorial provides details on how you can set that up.

    You will need to create a process to be able to rotate that secret later, as this will not be handled by the managed app.

    1 person found this answer helpful.
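The pattern the answer describes, as an added example that is not part of the question or the answer: a mainTemplate.json that never contains the registry password. A nested `Microsoft.Resources/deployments` resource pulls the client secret of the pull-only app registration from the publisher's Key Vault at deployment time (`reference.keyVault` / `secretName`), hands it to the inner template as a `securestring`, and the inner template stores it as a Container App secret that the registry configuration points at via `passwordSecretRef`. All upper-case values (`PUBLISHER_SUBSCRIPTION_ID`, `PUBLISHER_RG`, `PUBLISHER_VAULT`, `PUBLISHER_REGISTRY`, `PUBLISHER_IMAGE:TAG`) and the parameter and secret names are placeholders I chose, not values from the page. Because JSON has no comments, the `metadata.description` fields carry the notes.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "containerAppName": { "type": "string" },
    "managedEnvironmentId": {
      "type": "string",
      "metadata": { "description": "Resource ID of the Container Apps environment in the customer tenant (placeholder parameter, added example)" }
    },
    "acrServer": { "type": "string", "defaultValue": "PUBLISHER_REGISTRY.azurecr.io" },
    "acrUsername": {
      "type": "string",
      "metadata": { "description": "Application (client) ID of the publisher's pull-only app registration; not secret" }
    },
    "publisherKeyVaultId": {
      "type": "string",
      "defaultValue": "/subscriptions/PUBLISHER_SUBSCRIPTION_ID/resourceGroups/PUBLISHER_RG/providers/Microsoft.KeyVault/vaults/PUBLISHER_VAULT",
      "metadata": { "description": "Key Vault in the publisher tenant; must have enabledForTemplateDeployment set to true" }
    },
    "acrSecretName": {
      "type": "string",
      "defaultValue": "acr-pull-client-secret",
      "metadata": { "description": "Name of the vault secret holding the app registration's client secret (placeholder name)" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2022-09-01",
      "name": "containerAppWithRegistrySecret",
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": { "scope": "inner" },
        "parameters": {
          "location": { "value": "[parameters('location')]" },
          "containerAppName": { "value": "[parameters('containerAppName')]" },
          "managedEnvironmentId": { "value": "[parameters('managedEnvironmentId')]" },
          "acrServer": { "value": "[parameters('acrServer')]" },
          "acrUsername": { "value": "[parameters('acrUsername')]" },
          "acrPassword": {
            "reference": {
              "keyVault": { "id": "[parameters('publisherKeyVaultId')]" },
              "secretName": "[parameters('acrSecretName')]"
            }
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "location": { "type": "string" },
            "containerAppName": { "type": "string" },
            "managedEnvironmentId": { "type": "string" },
            "acrServer": { "type": "string" },
            "acrUsername": { "type": "string" },
            "acrPassword": {
              "type": "securestring",
              "metadata": { "description": "Resolved from Key Vault by the outer deployment; securestring keeps it out of deployment history and logs" }
            }
          },
          "resources": [
            {
              "type": "Microsoft.App/containerApps",
              "apiVersion": "2023-05-01",
              "name": "[parameters('containerAppName')]",
              "location": "[parameters('location')]",
              "properties": {
                "managedEnvironmentId": "[parameters('managedEnvironmentId')]",
                "configuration": {
                  "secrets": [
                    { "name": "acr-password", "value": "[parameters('acrPassword')]" }
                  ],
                  "registries": [
                    {
                      "server": "[parameters('acrServer')]",
                      "username": "[parameters('acrUsername')]",
                      "passwordSecretRef": "acr-password"
                    }
                  ]
                },
                "template": {
                  "containers": [
                    {
                      "name": "app",
                      "image": "[concat(parameters('acrServer'), '/PUBLISHER_IMAGE:TAG')]",
                      "resources": { "cpu": 0.5, "memory": "1Gi" }
                    }
                  ]
                }
              }
            }
          ]
        }
      }
    }
  ]
}
```

Two conditions must hold for the Key Vault reference to resolve: the vault's `enabledForTemplateDeployment` property must be true, and the identity that executes the deployment must be allowed to read that secret. Keep the app registration limited to the AcrPull role on the one registry, as the question already proposes, so that a leaked client secret grants nothing beyond pulling that image; and because the secret only lives in the publisher vault and as a Container App secret in the customer tenant, rotating it, as the answer says you must arrange yourself, means writing a new vault secret version and redeploying or updating the Container App secret, with no change to the template file itself.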
