How-To: Connect a container to an Azure resource

Learn how to connect a container to an Azure resource with managed identities and RBAC
Categories:
Tags:

This how-to guide will provide an overview of how to:

  • Setup a Radius Environment with an identity provider
  • Define a connection to an Azure resource with Azure AD role-based access control (RBAC) assignments
  • Leverage Azure managed identities to connect to an Azure resource

The steps below will showcase a “rad-ified” version of the existing Azure AD workload identity quickstart.

Prerequisites

Step 1: Initialize Radius

Begin by running rad init --full. Make sure to configure an Azure cloud provider:

rad init --full

Step 2: Define a Radius Environment

Create a file named app.bicep and define a Radius Environment with identity property set. This configures your environment to use your Azure AD workload identity installation with your cluster’s OIDC endpoint:

import radius as radius

@description('The Azure region to deploy Azure resource(s) into. Defaults to the region of the target Azure resource group.')
param azLocation string = resourceGroup().location

@description('Specifies the OIDC issuer URL')
param oidcIssuer string

resource env 'Applications.Core/environments@2023-10-01-preview' = {
  name: 'iam-quickstart'
  properties: {
    compute: {
      kind: 'kubernetes'
      resourceId: 'self'
      namespace: 'iam-quickstart'
      identity: {
        kind: 'azure.com.workload'
        oidcIssuer: oidcIssuer
      }
    }
    providers: {
      azure: {
        scope: resourceGroup().id
      }
    }
  }
}

Step 3: Define an app and a container

Add a Radius Application, a Radius container, and an Azure Key Vault to your app.bicep file. Note the connection from the container to the Key Vault, with an iam property set for the Azure AD RBAC role:

resource app 'Applications.Core/applications@2023-10-01-preview' = {
  name: 'myapp'
  properties: {
    environment: env.id
  }
}

resource container 'Applications.Core/containers@2023-10-01-preview' = {
  name: 'mycontainer'
  properties: {
    application: app.id
    container: {
      image: 'ghcr.io/azure/azure-workload-identity/msal-go:latest'
      env: {
        KEYVAULT_NAME: keyvault.name
        KEYVAULT_URL: keyvault.properties.vaultUri
        SECRET_NAME: 'mysecret'
      }
    }
    connections: {
      vault: {
        source: keyvault.id
        iam: {
          kind: 'azure'
          roles: [
            'Key Vault Secrets User'
          ]
        }
      }
    }
  }
}

resource keyvault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: 'qs-${uniqueString(resourceGroup().id)}'
  location: azLocation
  properties: {
    enabledForTemplateDeployment: true
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    sku: {
      name: 'standard'
      family: 'A'
    }
  }
  resource mySecret 'secrets' = {
    name: 'mysecret'
    properties: {
      value: 'supersecret'
    }
  }
}

Step 4: Deploy the app and container

Deploy your app by specifying the OIDC issuer URL. To retrieve the OIDC issuer URL, follow the Azure Workload Identity installation guide.

rad deploy ./app.bicep -p oidcIssuer=<OIDC_ISSUER_URL>

Step 5: Verify access to the Key Vault

  1. Once deployment completes, read the logs from your running container resource:

    rad resource logs containers mycontainer -a myapp

  2. You should see the contents of the secret from your Key Vault:

    [myapp-mycontainer-79c54bd7c7-tgdpn] I1108 18:39:53.636314       1 main.go:33] "successfully got secret" secret="supersecret"

    Note: the container retrieves the secret every 60 seconds. If you get an error on the first attempt, wait a minute and try again. The Azure AD federation may still be in progress.

Cleanup

  1. Run the following command to delete your app and container:

    rad app delete myapp --yes

  2. Delete the deployed Azure Key Vault via the Azure portal or the Azure CLI