Azure-docs: Protected environment variables

@ljt91 Thanks for the feedback! We are currently investigating and will update you shortly.

@david-stanford @neilpeterson do either of you know a way of achieving this? I did some testing but am not finding a way to hide these to anyone who has access to the portal unless you complete remove access to container registry in Access Control.

Alternatively, if this isn't possible, are there any plans to enable Managed Service Identity within Azure Container Instances? Could be an alternative way we could leverage for retrieving these values from Azure Key Vault.

@mmacy @jluk any thoughts on this?

@ljt91 Secret env vars are currently unsupported. If your container can include the Azure CLI, you could do something like this:

Deploy ACR image to ACI w/AKV secrets

That's just the ACI deploy section, but the previous sections of the doc explain creating the AKV and storing secrets.

@MicahMcKittrick-MSFT You can assign this one to me.

@ljt91 Another alternative is to use a secret volume:

Mount a secret volume in Azure Container Instances

Thanks a lot everyone, really appreciate the quick response.

Some great alternatives here which we will dig into!

@ljt91 good questions!

We're going to be supporting secret environment variables this summer so be on the lookout for announcements 👍 . We also have MSI support on the roadmap, but will be landing down the road as we comb through more features!

@jluk awesome news, thanks a lot for the update!

@ljt91 fyi the support of secure values is now up and examples are on this document ⭐️

@jluk awesome news! thank you so much!

@jluk I've tried the secureValue example code above and it keeps returning: "ERROR: The secure environment variable is not supported before version '2018-06-01'" which is the version you have in the yaml file - so that doesn't make sense. Do you have any idea what I'm missing? I'm using a copy/paste of what is above in the example with the secret-env. If I change the "secureValue" to just "value" it works ... but it also shows in the properties.

That's weird - @samkreter any ideas?

@jluk I found out the problem was with a BOM on the text encoding of the yaml file I created. The CLI worked fine - it was just the encoding on my yaml file (which I created with the Windows PowerShell ISE - just in case anyone else is using that tool).

@JasonHaley interesting thanks for the report, so saving the copy/pasted example in PS ISE generated a file that was encoded incorrectly and it threw a wrong API Version error? that's definitely not helpful.

Yeah that sums it up. The funny thing is any version of the CLI running on Linux using the same file had no problems.

I'm attempting to set some environmental variables that need values that are generated during deployment from my template.json. Is there a way to incorporate this into a template.json file?

@jluk Can secure environment variables be set from the PowerShell cmdlet? I'm spinning up instances from an Azure Function and would like to securely pass in some values as secure environment variables.