Introduction
This article walks you through resolving the azurerm provider error in which an Azure Container App is unable to fetch Key Vault secret(s) using a user-assigned managed identity.
Problem
Fetching a secret from an Azure Key Vault using a managed identity fails with the following error:
Error details: The following field(s) are either invalid or missing.
Field 'configuration.secrets' is invalid with details: 'Invalid value: "test-secret": Unable to get value using Managed identity
/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-assigned-managed-identity> for secret <secret-name>'
Prerequisites
- An Azure Key Vault holding the secrets to be fetched.
- A user-assigned managed identity with the minimum permissions needed to read those secrets from the Key Vault.
Cause
- The Container App is created without the managed identity assigned to it, so the secret block cannot use that identity to fetch the secret from Key Vault. The failing configuration references the identity in the secret block only:
resource "azurerm_container_app" "example" {
  name = "example-app"
  # ... (other required arguments omitted)

  # No identity block: the identity below is never attached to the app.
  secret {
    name                = "<your-secret-name>"
    identity            = data.azurerm_user_assigned_identity.example.id
    key_vault_secret_id = "https://<your-keyvault-name>.vault.azure.net/secrets/<your-keyvault-secret-name>/<secret-identifier>"
  }
}
Possible Solutions:
- Fix this by adding the required identity block to azurerm_container_app so that the user-assigned identity is first associated with the Container App, and then reference that same identity in the secret block to fetch the secret from the vault:
resource "azurerm_container_app" "example" {
  name                         = "example-app"
  container_app_environment_id = azurerm_container_app_environment.example.id
  # ... (other required arguments omitted)

  # Attach the user-assigned identity to the Container App.
  identity {
    type         = "UserAssigned"
    identity_ids = ["/subscriptions/<your-subscription-id>/resourceGroups/<your-resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<your-managed-identity-name>"]
  }

  # Use the attached identity to resolve the Key Vault secret.
  secret {
    name                = "<your-secret-name>"
    identity            = data.azurerm_user_assigned_identity.example.id
    key_vault_secret_id = "https://<your-keyvault-name>.vault.azure.net/secrets/<your-keyvault-secret-name>/<secret-identifier>"
  }
}
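As an added, complete example (not from this article or the HashiCorp documentation), the corrected layout below also grants the identity only the Key Vault permission it needs and makes the Container App depend on that grant so the permission exists before the secret is read. The data sources, placeholder names, and the use of a Key Vault access policy (rather than Azure RBAC) are assumptions.

```hcl
# Added example; all names are placeholders/assumptions, not values from the article.
data "azurerm_user_assigned_identity" "example" {
  name                = "<your-managed-identity-name>"
  resource_group_name = "<your-resource-group-name>"
}

# Least privilege: the identity only needs to read secrets. If the vault uses
# Azure RBAC, grant "Key Vault Secrets User" via azurerm_role_assignment instead.
resource "azurerm_key_vault_access_policy" "app" {
  key_vault_id       = "<your-keyvault-resource-id>"
  tenant_id          = data.azurerm_user_assigned_identity.example.tenant_id
  object_id          = data.azurerm_user_assigned_identity.example.principal_id
  secret_permissions = ["Get"]
}

resource "azurerm_container_app" "example" {
  name                         = "example-app"
  container_app_environment_id = azurerm_container_app_environment.example.id
  resource_group_name          = "<your-resource-group-name>"
  revision_mode                = "Single"

  # 1. Attach the user-assigned identity to the app first ...
  identity {
    type         = "UserAssigned"
    identity_ids = [data.azurerm_user_assigned_identity.example.id]
  }

  # 2. ... then reference the same identity when resolving the vault secret.
  secret {
    name                = "test-secret"
    identity            = data.azurerm_user_assigned_identity.example.id
    key_vault_secret_id = "https://<your-keyvault-name>.vault.azure.net/secrets/<your-keyvault-secret-name>/<secret-identifier>"
  }

  template {
    container {
      name   = "app"
      image  = "<your-image>"
      cpu    = 0.25
      memory = "0.5Gi"
      # Expose the resolved secret to the container as an environment variable.
      env {
        name        = "TEST_SECRET"
        secret_name = "test-secret"
      }
    }
  }

  # The read permission must exist before the app tries to fetch the secret.
  depends_on = [azurerm_key_vault_access_policy.app]
}
```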
Outcome
Once the identity block is defined and the managed identity is associated with the Container App, the Key Vault secrets are resolved successfully when the Azure Container App is deployed.
Additional Information
- See https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_app#secret to learn more about the azurerm_container_app resource.
- For additional assistance, please contact HashiCorp Support