How-To: Connect a container to an Azure resource
This how-to guide will provide an overview of how to:
- Set up a Radius Environment with an identity provider
- Define a connection to an Azure resource with Azure AD role-based access control (RBAC) assignments
- Leverage Azure managed identities to connect to an Azure resource
The steps below will showcase a “rad-ified” version of the existing Azure AD workload identity quickstart.
Prerequisites
- rad CLI
- Bicep VSCode extension
- Set up a supported Kubernetes cluster
- Azure AD Workload Identity installed in your cluster, including the Mutating Admission Webhook
Step 1: Initialize Radius
Begin by running rad init --full. Make sure to configure an Azure cloud provider:
rad init --full
Select 'No' when asked to set up an application in the current directory.
Step 2: Create a bicepconfig.json in your application's directory
- Create a bicepconfig.json in your application's directory. release-version should correspond to the current release version in the form major.minor (e.g. 0.36).
```json
{
  "experimentalFeaturesEnabled": {
    "extensibility": true
  },
  "extensions": {
    "radius": "br:biceptypes.azurecr.io/radius:<release-version>",
    "aws": "br:biceptypes.azurecr.io/aws:<release-version>"
  }
}
```
More information on how to set up a bicepconfig.json can be found in the Radius documentation.
Step 3: Define a Radius Environment
Create a file named app.bicep and define a Radius Environment with the identity property set. This configures your environment to use your Azure AD workload identity installation together with your cluster's OIDC issuer: the issuer URL is what Azure AD will trust when it exchanges a pod's projected service-account token for an Azure AD token, so it must be the exact issuer string your cluster puts in the token's iss claim:
```bicep
extension radius

@description('The Azure region to deploy Azure resource(s) into. Defaults to the region of the target Azure resource group.')
param azLocation string = resourceGroup().location

@description('Specifies the OIDC issuer URL')
param oidcIssuer string

resource env 'Applications.Core/environments@2023-10-01-preview' = {
  name: 'iam-quickstart'
  properties: {
    compute: {
      kind: 'kubernetes'
      resourceId: 'self'
      namespace: 'iam-quickstart'
      identity: {
        kind: 'azure.com.workload'
        oidcIssuer: oidcIssuer
      }
    }
    providers: {
      azure: {
        scope: resourceGroup().id
      }
    }
  }
}
```
Step 4: Define an app and a container
Add a Radius Application, a Radius container, and an Azure Key Vault to your app.bicep file. Note the connection from the container to the Key Vault, with an iam property that requests the Azure RBAC role 'Key Vault Secrets User': Radius assigns that role to the container's managed identity on the connected Key Vault, so the container can read secrets from this vault and nothing more. The vault is created with enableRbacAuthorization: true, which is what makes the role assignment (rather than a legacy vault access policy) the thing that controls access. Two quickstart shortcuts to be aware of: the secret value is a plain string literal, which ends up in the deployment history, so in anything beyond a demo pass it in as a @secure() parameter instead; and the image is pulled by the :latest tag rather than pinned by digest.
```bicep
resource app 'Applications.Core/applications@2023-10-01-preview' = {
  name: 'myapp'
  properties: {
    environment: env.id
  }
}

resource container 'Applications.Core/containers@2023-10-01-preview' = {
  name: 'mycontainer'
  properties: {
    application: app.id
    container: {
      image: 'ghcr.io/azure/azure-workload-identity/msal-go:latest'
      env: {
        KEYVAULT_NAME: {
          value: keyvault.name
        }
        KEYVAULT_URL: {
          value: keyvault.properties.vaultUri
        }
        SECRET_NAME: {
          value: 'mysecret'
        }
      }
    }
    connections: {
      vault: {
        source: keyvault.id
        iam: {
          kind: 'azure'
          roles: [
            'Key Vault Secrets User'
          ]
        }
      }
    }
  }
}

resource keyvault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: 'qs-${uniqueString(resourceGroup().id)}'
  location: azLocation
  properties: {
    enabledForTemplateDeployment: true
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    sku: {
      name: 'standard'
      family: 'A'
    }
  }

  resource mySecret 'secrets' = {
    name: 'mysecret'
    properties: {
      value: 'supersecret'
    }
  }
}
```
Step 5: Deploy the app and container
Deploy your app by specifying the OIDC issuer URL. To retrieve the OIDC issuer URL, follow the Azure Workload Identity installation guide; the issuer must be an https URL whose discovery document and signing keys Azure AD can reach, since Azure AD fetches them when it validates the service-account token.
rad deploy ./app.bicep -p oidcIssuer=<OIDC_ISSUER_URL>
Step 6: Verify access to the Key Vault
- Once deployment completes, read the logs from your running container resource:
rad resource logs containers mycontainer -a myapp
- You should see the contents of the secret from your Key Vault:
[myapp-mycontainer-79c54bd7c7-tgdpn] I1108 18:39:53.636314 1 main.go:33] "successfully got secret" secret="supersecret"
Note: the container retrieves the secret every 60 seconds. If you get an error on the first attempt, wait a minute and try again: the federated identity credential and the RBAC role assignment that Radius creates for the container's identity can take a little while to propagate in Azure AD and Azure RBAC.
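The connection above only works if three things line up: the OIDC discovery document served by your cluster's issuer, the federated identity credential on the container's managed identity (issuer, Kubernetes service-account subject, and the api://AzureADTokenExchange audience), and an RBAC role assignment scoped to the Key Vault itself. The following Python is an added example for this page, not Radius code, and makes no Azure calls: it checks constructed copies of those three objects for the shape workload identity requires, including the least-privilege point that a role assignment at resource-group scope would grant the container read on every vault in the group. The issuer URL, resource IDs, principal ID and the service-account name mycontainer are assumptions; the field names are the ones the az CLI returns for federated credentials and role assignments.

```python
"""Offline checks for the identity plumbing behind the Key Vault connection.

Added example for this how-to; not part of Radius. All sample data below
is constructed, and the service-account name is an assumption.
"""
from urllib.parse import urlparse

# Audience Azure AD expects on tokens presented to a federated credential.
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
REQUIRED_ROLE = "Key Vault Secrets User"


def expected_subject(namespace: str, service_account: str) -> str:
    """Subject claim of a Kubernetes projected service-account token."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def check_discovery(issuer_url: str, doc: dict) -> list[str]:
    """Problems with the issuer URL / discovery document; [] means OK."""
    problems = []
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("issuer URL must be an absolute https URL")
    # Azure AD compares the token's iss claim with the issuer string exactly,
    # so even a trailing-slash difference breaks the federation.
    if doc.get("issuer") != issuer_url:
        problems.append(f"discovery issuer {doc.get('issuer')!r} != {issuer_url!r}")
    if not str(doc.get("jwks_uri", "")).startswith("https://"):
        problems.append("jwks_uri missing or not https")
    return problems


def check_federated_credential(fc: dict, issuer_url: str,
                               namespace: str, service_account: str) -> list[str]:
    """Shape of `az identity federated-credential show` output; [] means OK."""
    problems = []
    if fc.get("issuer") != issuer_url:
        problems.append("federated credential issuer does not match the cluster issuer")
    want = expected_subject(namespace, service_account)
    if fc.get("subject") != want:
        problems.append(f"subject {fc.get('subject')!r} != {want!r}")
    if fc.get("audiences") != [TOKEN_EXCHANGE_AUDIENCE]:
        problems.append(f"audiences must be exactly [{TOKEN_EXCHANGE_AUDIENCE}]")
    return problems


def check_role_assignment(ra: dict, vault_id: str, principal_id: str) -> list[str]:
    """Least privilege: the right role, for this identity, on this vault only."""
    problems = []
    if ra.get("roleDefinitionName") != REQUIRED_ROLE:
        problems.append(f"role is {ra.get('roleDefinitionName')!r}, expected {REQUIRED_ROLE!r}")
    if ra.get("principalId") != principal_id:
        problems.append("role assignment is for a different principal")
    scope = str(ra.get("scope", ""))
    if scope.lower() != vault_id.lower():
        # Resource-group or subscription scope reads every vault under it.
        problems.append(f"scope {scope!r} is broader than the vault itself")
    return problems


def run_checks(issuer_url, doc, fc, ra, namespace, service_account,
               vault_id, principal_id) -> dict[str, list[str]]:
    """All three checks keyed by object; every value empty means the wiring is sound."""
    return {
        "discovery": check_discovery(issuer_url, doc),
        "federated_credential": check_federated_credential(fc, issuer_url, namespace, service_account),
        "role_assignment": check_role_assignment(ra, vault_id, principal_id),
    }


# ---- constructed sample data (assumptions, not values from a real tenant) ----
ISSUER = "https://oidc.example.com/cluster-1"
DISCOVERY = {"issuer": ISSUER, "jwks_uri": ISSUER + "/openid/v1/jwks",
             "response_types_supported": ["id_token"]}
NAMESPACE = "iam-quickstart"            # namespace from the environment above
SERVICE_ACCOUNT = "mycontainer"         # assumed service-account name
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "rg-quickstart/providers/Microsoft.KeyVault/vaults/qs-abc123")
RESOURCE_GROUP_ID = VAULT_ID.split("/providers/")[0]
PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"
GOOD_FC = {"issuer": ISSUER, "subject": expected_subject(NAMESPACE, SERVICE_ACCOUNT),
           "audiences": [TOKEN_EXCHANGE_AUDIENCE]}
GOOD_RA = {"roleDefinitionName": REQUIRED_ROLE, "principalId": PRINCIPAL_ID, "scope": VAULT_ID}
OVERBROAD_RA = {**GOOD_RA, "scope": RESOURCE_GROUP_ID}

if __name__ == "__main__":
    for name, found in run_checks(ISSUER, DISCOVERY, GOOD_FC, GOOD_RA, NAMESPACE,
                                  SERVICE_ACCOUNT, VAULT_ID, PRINCIPAL_ID).items():
        print(name, "OK" if not found else found)
    print("overbroad:", check_role_assignment(OVERBROAD_RA, VAULT_ID, PRINCIPAL_ID))
```

To use this against a real deployment, replace the constructed dictionaries with the JSON from curl <issuer>/.well-known/openid-configuration, az identity federated-credential show, and az role assignment list --scope <vault id>; any non-empty list is the first place to look when the container logs an authentication or authorization error.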
Cleanup
- Run the following command to delete your app and container:
rad app delete myapp --yes
- Delete the deployed Azure Key Vault via the Azure portal or the Azure CLI (az keyvault delete --name <vault-name>); rad app delete removes the Radius resources but not the Azure resources the template created. Key Vault soft delete is on by default for new vaults, so purge the vault as well if you want the name and its secret gone immediately.