Introduction
This article provides a solution for an issue where the azurerm provider cannot fetch Azure Key Vault secrets using a managed identity when deploying a container app.
Problem
When attempting to fetch a secret from an Azure Key Vault using a managed identity, the operation fails with the following error.
Error details: The following field(s) are either invalid or missing. Field 'configuration.secrets' is invalid with details: 'Invalid value: "test-secret": Unable to get value using Managed identity /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-assigned-managed-identity> for secret <secret-name>'
Prerequisites
- An Azure Key Vault containing the secrets to be fetched.
- A User-Assigned Managed Identity with the necessary permissions to read secrets from the Key Vault.
Cause
The error occurs because the azurerm_container_app resource attempts to use the managed identity to fetch secrets before the identity has been formally associated with the container app itself. The secret block's identity attribute alone is not sufficient to establish this association.
The following configuration demonstrates the issue.
resource "azurerm_container_app" "example" {
  name = "example-app"
  # ...

  secret {
    name                = "<your-secret-name>"
    identity            = data.azurerm_user_assigned_identity.example.id
    key_vault_secret_id = "https://<your-keyvault-name>.vault.azure.net/secrets/<your-keyvault-secret-name>/<secret-identifier>"
  }
}

Solution
Add an identity block to the container app resource
To resolve this issue, you must first associate the User-Assigned Identity with the container app by defining a top-level identity block. This ensures the identity is available to the app before the secret block attempts to use it.
Update your configuration to include the identity block as shown below.
resource "azurerm_container_app" "example" {
  name                         = "example-app"
  container_app_environment_id = azurerm_container_app_environment.example.id
  # ...

  identity {
    type         = "UserAssigned"
    identity_ids = ["/subscriptions/<your-subscription-id>/resourceGroups/<your-resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<your-managed-identity-name>"]
  }

  secret {
    name                = "<your-secret-name>"
    identity            = data.azurerm_user_assigned_identity.example.id
    key_vault_secret_id = "https://<your-keyvault-name>.vault.azure.net/secrets/<your-keyvault-secret-name>/<secret-identifier>"
  }
}

Outcome
After defining the identity block and associating the managed identity with the resource, Terraform can successfully use the identity to fetch secrets during the deployment of the Azure container app.
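The following is an added, complete configuration that is not part of the original article. It ties the two halves of the fix together: the top-level identity block and the secret block both reference the same User-Assigned Managed Identity through one data source (so the two values cannot drift apart), and the identity is granted read-only access to the Key Vault before the app is created. The resource group, Key Vault, identity and secret names, the quickstart container image, the use of Azure RBAC ("Key Vault Secrets User") rather than Key Vault access policies, and the existence of azurerm_container_app_environment.example in the same configuration are all assumptions for the example.

```hcl
# Added example, not from the original article. All names below are
# assumed placeholders; azurerm_container_app_environment.example is
# assumed to be defined elsewhere in the same configuration.

data "azurerm_user_assigned_identity" "example" {
  name                = "uami-example"
  resource_group_name = "rg-example"
}

data "azurerm_key_vault" "example" {
  name                = "kv-example"
  resource_group_name = "rg-example"
}

data "azurerm_key_vault_secret" "example" {
  name         = "test-secret"
  key_vault_id = data.azurerm_key_vault.example.id
}

# Least-privilege read access: the identity only needs to read secret
# values, so it gets the built-in "Key Vault Secrets User" role on the
# vault scope. Assumes the vault uses Azure RBAC, not access policies.
resource "azurerm_role_assignment" "kv_secrets_user" {
  scope                = data.azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = data.azurerm_user_assigned_identity.example.principal_id
}

resource "azurerm_container_app" "example" {
  name                         = "example-app"
  container_app_environment_id = azurerm_container_app_environment.example.id
  resource_group_name          = "rg-example"
  revision_mode                = "Single"

  # The top-level identity block is what associates the identity with the
  # app; without it the secret block below fails with the error described
  # in the Problem section. Referencing the data source here and in the
  # secret block keeps both values pointing at the same identity.
  identity {
    type         = "UserAssigned"
    identity_ids = [data.azurerm_user_assigned_identity.example.id]
  }

  secret {
    name                = "test-secret"
    identity            = data.azurerm_user_assigned_identity.example.id
    key_vault_secret_id = data.azurerm_key_vault_secret.example.versionless_id
  }

  template {
    container {
      name   = "app"
      image  = "mcr.microsoft.com/k8se/quickstart:latest" # assumed image
      cpu    = 0.25
      memory = "0.5Gi"

      # Expose the Key Vault-backed secret to the container as an
      # environment variable by referencing the secret block's name.
      env {
        name        = "TEST_SECRET"
        secret_name = "test-secret"
      }
    }
  }

  # The role assignment must exist before the platform resolves the
  # secret; nothing above references it, so the dependency is explicit.
  depends_on = [azurerm_role_assignment.kv_secrets_user]
}
```

Using `versionless_id` for `key_vault_secret_id` lets the app pick up the current secret version, whereas a versioned URL pins one version; choose according to your rotation policy. If the Key Vault still uses access policies instead of RBAC, replace the role assignment with an `azurerm_key_vault_access_policy` granting the identity `Get` on secrets.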
Additional Information
- For more information on configuring secrets, refer to the azurerm_container_app resource documentation.