This issue is a: (mark with an x)
- [x] bug report -> please search issues before submitting
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Issue description
If you have a Key Vault that has service endpoints enabled and a container app (consumption) that is not internal, but has vnet integration (infrastructureSubnetId, internal: false and infrastructureResourceGroup set), it is not possible to get secrets from a Key Vault.
The setting "Allow trusted Microsoft services to bypass this firewall" doesn't seem to work, as Azure Container Apps is not listed under trusted services here (https://learn.microsoft.com/en-gb/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services).
The only way to achieve this seems to be to add the external IPs of the specific container app to the firewall setting of the Key Vault, which leads to a dependency loop in an IaC deployment, as the Key Vault needs to be created before the container app, but the IPs are a result of the container app deployment.
Steps to reproduce
Create a Bicep template that
- Creates a vnet integrated managedEnvironment
- Creates a Key Vault with service endpoints in the same subnet with "Allow trusted Microsoft services to bypass this firewall" enabled
- Creates a container app with a user assigned identity that has permissions on the Key Vault and has a secretRef to a Key Vault secret defined

It will error with 'Invalid value: "SECRETNAME": Unable to get value using Managed identity /subscriptions/SUBID/resourceGroups/RGNAME/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MINAME for secret SECRETNAME. Error: unable to fetch secret 'SECRETNAME' using Managed identity '/subscriptions/SUBID/resourceGroups/RGNAME/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MINAME'
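The template the steps above describe, written out as an added example (this is not the reporter's own code): SECRETNAME, the resource names, the API versions and the parameter values are placeholders or assumptions, and granting the identity its secrets-read role on the vault is assumed to happen outside this file.

```bicep
param kvName string
param subnetId string  // assumed: subnet delegated to the ACA environment, with the Microsoft.KeyVault service endpoint enabled
param uamiId string    // assumed: user-assigned identity that already holds a secrets-read role on the vault
// Key Vault firewalled to the subnet, with "Allow trusted Microsoft services to bypass this firewall" enabled
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: kvName
  location: resourceGroup().location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: subnetId } ]
    }
  }
}
// External (internal: false) environment with VNet integration and a named infrastructure resource group
resource env 'Microsoft.App/managedEnvironments@2023-05-01' = {
  name: 'aca-env'
  location: resourceGroup().location
  properties: {
    vnetConfiguration: { infrastructureSubnetId: subnetId, internal: false }
    infrastructureResourceGroup: 'aca-env-infra'
  }
}
// Consumption app that resolves a Key Vault secret through the user-assigned identity
resource app 'Microsoft.App/containerApps@2023-05-01' = {
  name: 'my-app'
  location: resourceGroup().location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${uamiId}': {} } }
  properties: {
    managedEnvironmentId: env.id
    configuration: {
      secrets: [ {
        name: 'my-secret'
        keyVaultUrl: '${kv.properties.vaultUri}secrets/SECRETNAME'
        identity: uamiId
      } ]
    }
    template: {
      containers: [ {
        name: 'app'
        image: 'mcr.microsoft.com/k8se/quickstart:latest'
        env: [ { name: 'MY_SECRET', secretRef: 'my-secret' } ]
      } ]
    }
  }
}
```

The secret fetch is what fails in the report: the vault only admits the subnet and trusted services, and the app's outbound traffic to Key Vault matches neither.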
Expected behavior [What you expected to happen.]
ACA should either use the internal network to query Key Vault and make use of the service endpoint, or the external IPs need to be included in the Trusted Microsoft Services.
Actual behavior [What actually happened.]
Error 'Invalid value: "SECRETNAME": Unable to get value using Managed identity /subscriptions/SUBID/resourceGroups/RGNAME/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MINAME for secret SECRETNAME. Error: unable to fetch secret 'SECRETNAME' using Managed identity '/subscriptions/SUBID/resourceGroups/RGNAME/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MINAME'