Mount a secret volume in Azure Container Instances
Use a secret volume to supply sensitive information to the containers in a container group. The secret volume stores your secrets in files within the volume, accessible by the containers in the container group. By storing secrets in a secret volume, you can avoid adding sensitive data like SSH keys or database credentials to your application code.
- Once deployed with secrets in a container group, a secret volume is read-only.
- Tmpfs, a RAM-backed filesystem, backs all secret volumes; their contents are never written to nonvolatile storage.
Note
Secret volumes are currently restricted to Linux containers. Learn how to pass secure environment variables for both Windows and Linux containers in Set environment variables. While we're working to bring all features to Windows containers, you can find current platform differences in the overview.
Mount secret volume - Azure CLI
To deploy a container with one or more secrets by using the Azure CLI, include the --secrets and --secrets-mount-path parameters in the az container create command. This example mounts a secret volume consisting of two files containing secrets, "mysecret1" and "mysecret2," at /mnt/secrets:
az container create \
--resource-group myResourceGroup \
--name secret-volume-demo \
--image mcr.microsoft.com/azuredocs/aci-helloworld \
--secrets mysecret1="My first secret FOO" mysecret2="My second secret BAR" \
--secrets-mount-path /mnt/secrets
The following az container exec output shows opening a shell in the running container, listing the files within the secret volume, then displaying their contents:
az container exec \
--resource-group myResourceGroup \
--name secret-volume-demo --exec-command "/bin/sh"
/usr/src/app # ls /mnt/secrets
mysecret1
mysecret2
/usr/src/app # cat /mnt/secrets/mysecret1
My first secret FOO
/usr/src/app # cat /mnt/secrets/mysecret2
My second secret BAR
/usr/src/app # exit
Bye.
Mount secret volume - YAML
You can also deploy container groups with the Azure CLI and a YAML template. Deploying by YAML template is the preferred method when deploying container groups consisting of multiple containers.
When you deploy with a YAML template, the secret values must be Base64-encoded in the template. However, the secret values appear in plaintext within the files in the container.
The following YAML template defines a container group with one container that mounts a secret volume at /mnt/secrets. The secret volume has two files containing secrets, "mysecret1" and "mysecret2."
apiVersion: '2019-12-01'
location: eastus
name: secret-volume-demo
properties:
containers:
- name: aci-tutorial-app
properties:
environmentVariables: []
image: mcr.microsoft.com/azuredocs/aci-helloworld:latest
ports: []
resources:
requests:
cpu: 1.0
memoryInGB: 1.5
volumeMounts:
- mountPath: /mnt/secrets
name: secretvolume1
osType: Linux
restartPolicy: Always
volumes:
- name: secretvolume1
secret:
mysecret1: TXkgZmlyc3Qgc2VjcmV0IEZPTwo=
mysecret2: TXkgc2Vjb25kIHNlY3JldCBCQVIK
tags: {}
type: Microsoft.ContainerInstance/containerGroups
To deploy with the YAML template, save the preceding YAML to a file named deploy-aci.yaml, then execute the az container create command with the --file parameter:
# Deploy with YAML template
az container create \
--resource-group myResourceGroup \
--file deploy-aci.yaml
Mount secret volume - Resource Manager
In addition to CLI and YAML deployment, you can deploy a container group using an Azure Resource Manager template.
First, populate the volumes array in the container group properties section of the template. When you deploy with a Resource Manager template, the secret values must be Base64-encoded in the template. However, the secret values appear in plaintext within the files in the container.
Next, for each container in the container group in which you'd like to mount the secret volume, populate the volumeMounts array in the properties section of the container definition.
The following Resource Manager template defines a container group with one container that mounts a secret volume at /mnt/secrets. The secret volume has two secrets, "mysecret1" and "mysecret2."
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {
"container1name": "aci-tutorial-app",
"container1image": "microsoft/aci-helloworld:latest"
},
"resources": [
{
"type": "Microsoft.ContainerInstance/containerGroups",
"apiVersion": "2021-03-01",
"name": "secret-volume-demo",
"location": "[resourceGroup().location]",
"properties": {
"containers": [
{
"name": "[variables('container1name')]",
"properties": {
"image": "[variables('container1image')]",
"resources": {
"requests": {
"cpu": 1,
"memoryInGb": 1.5
}
},
"ports": [
{
"port": 80
}
],
"volumeMounts": [
{
"name": "secretvolume1",
"mountPath": "/mnt/secrets"
}
]
}
}
],
"osType": "Linux",
"ipAddress": {
"type": "Public",
"ports": [
{
"protocol": "tcp",
"port": "80"
}
]
},
"volumes": [
{
"name": "secretvolume1",
"secret": {
"mysecret1": "TXkgZmlyc3Qgc2VjcmV0IEZPTwo=",
"mysecret2": "TXkgc2Vjb25kIHNlY3JldCBCQVIK"
}
}
]
}
}
]
}
To deploy with the Resource Manager template, save the preceding JSON to a file named deploy-aci.json, then execute the az deployment group create command with the --template-file parameter:
# Deploy with Resource Manager template
az deployment group create \
--resource-group myResourceGroup \
--template-file deploy-aci.json
Next steps
Volumes
Learn how to mount other volume types in Azure Container Instances:
- Mount an Azure file share in Azure Container Instances
- Mount an emptyDir volume in Azure Container Instances
- Mount a gitRepo volume in Azure Container Instances
Secure environment variables
Another method for providing sensitive information to containers (including Windows containers) is by using secure environment variables.