Feature Request: Allow Secrets to use Managed Identities not linked to Service for app code usage about azure-container-apps HOT 4 CLOSED

@mvrius yes this makes sense, and you are correct today you can get a token for all managed identities that you assign to a Container App using the HTTP endpoint within your application, even if you only intend to use the identity to pull an image from ACR or auto-populate a secret from KeyVault. We would need to have a way to allow a managed identity to "opt out" of use from within a Container App. This is something we can look into.

from azure-container-apps.

Thanks @vturecek!

Exactly, an opt-out mechanism would be great so only app-intended user MI are exposed to the app. Appreciate your response!

from azure-container-apps.

@mvrius quick update on this, here is the proposed API change that will allow you to choose the application lifecycle stages where your application code can get a managed identity token: Azure/azure-rest-api-specs#28117

For your scenario, you would choose "None" for identities that you're using for ACR pull or KeyVault secrets.

from azure-container-apps.

This is now available in API version 2024-02-02-preview: https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cdotnet#control-managed-identity-availability

Please let us know if you have any feedback.

from azure-container-apps.