ACA Container volumes use shared access keys #8939

Open
eerhardt opened this issue Apr 23, 2025 · 0 comments
Labels
area-integrations Issues pertaining to Aspire Integrations packages azure Issues associated specifically with scenarios tied to using Azure security 🔐

When using container volumes in an ACA app, we are generating an Azure Storage account for storing those volumes.

However, the way the access from ACA to this storage account happens is via access keys:

```csharp
var keysExpr = storageVolume.GetKeys()[0].Compile();
var keyValue = new MemberExpression(keysExpr, "value");
var containerAppStorage = new ContainerAppManagedEnvironmentStorage(managedStorageName)
{
    Parent = containerAppEnvironment,
    ManagedEnvironmentStorageAzureFile = new()
    {
        ShareName = share.Name,
        AccountName = storageVolume.Name,
        AccountKey = keyValue,
        AccessMode = ContainerAppAccessMode.ReadWrite
    }
};
```

This means that an Azure Storage account is created that allows shared key access, which may trigger security rules in environments that don't want to allow Azure Storage accounts with access keys.

We should be using managed identities here instead, to allow communication between the ACA container and the Storage account.

@eerhardt eerhardt added area-integrations Issues pertaining to Aspire Integrations packages azure Issues associated specifically with scenarios tied to using Azure security 🔐 labels Apr 23, 2025
@eerhardt eerhardt changed the title ACA Container volumes use access keys ACA Container volumes use shared access keys Apr 23, 2025
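
As an added example (not part of the original issue and not Aspire's own code), the following check scans a compiled ARM template for the two conditions the issue describes: a storage account that leaves shared key access enabled, and a Container Apps environment storage whose Azure Files mount carries an account key. The sample template, its resource names and the function names are constructed for illustration; the check also accepts the symbolic-name template form, where `resources` is an object rather than an array.

```python
import json

# Constructed ARM template fragment (not real Aspire output). The accountKey
# value is a placeholder expression standing in for a key lookup.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "volstore",
     "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "lockedstore",
     "properties": {"allowSharedKeyAccess": false}},
    {"type": "Microsoft.App/managedEnvironments/storages", "name": "env/vol0",
     "properties": {"azureFile": {"accountName": "volstore", "shareName": "data",
                                  "accountKey": "[PLACEHOLDER_KEY_EXPRESSION]",
                                  "accessMode": "ReadWrite"}}}
  ]
}
""")


def walk(resources):
    """Yield every resource, including nested children; accepts list or dict form."""
    if isinstance(resources, dict):
        resources = resources.values()
    for res in resources:
        yield res
        yield from walk(res.get("resources", []))


def find_shared_key_usage(template):
    """Return (resource name, reason) pairs for shared-key findings."""
    findings = []
    for res in walk(template.get("resources", [])):
        rtype = res.get("type", "").lower()
        props = res.get("properties") or {}
        name = res.get("name", "<unnamed>")
        if rtype == "microsoft.storage/storageaccounts":
            # An absent or null allowSharedKeyAccess is treated as enabled.
            if props.get("allowSharedKeyAccess") is not False:
                findings.append((name, "shared key access not disabled"))
        elif rtype == "microsoft.app/managedenvironments/storages":
            if (props.get("azureFile") or {}).get("accountKey"):
                findings.append((name, "Azure Files mount uses an account key"))
    return findings


if __name__ == "__main__":
    for name, reason in find_shared_key_usage(SAMPLE_TEMPLATE):
        print(f"{name}: {reason}")
```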