Azure-docs: Keyvault connection feature for Azure Container Instance

Created on 18 Oct 2018 · 18 Comments · Source: MicrosoftDocs/azure-docs

Hi!
Should there not be a way to use Azure KeyVault together with Azure Container Instance?
I have tried to find it in the documentation, but it seems that it does not mention anything about it.

I would rather not reveal secrets, credentials etc. in my instance's environment variables.

Pri3 container-servicsvc cxp in-progress product-question review-team-triage triaged

All 18 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

We aim to publish a doc showing how to use managed identities for Azure resources next week. This doc would specifically cover using a managed identity for a container instance to connect to Key Vault and retrieve a key. Is that the scenario you are looking for, @kkho?

@iainfoulds, correct me if I am mistaken. My current situation is that I have deployed a container to Azure Container Registry. I have deployed a container instance from that image and want to get secrets from Key Vault rather than storing them in an environment.

@kkho Yes, this is what the managed identities would address. The container instance that you deploy can have an identity assigned to it that allows it to natively retrieve secrets from Key Vault. I'll update you when this new doc is live, hopefully in the next few days.
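
The flow described in this reply, as an added example (not part of the thread or of Microsoft's docs): code in the container group asks the instance metadata endpoint for a token and presents it to Key Vault, so no secret sits in an environment variable. The vault and secret names are placeholders, and the injectable `get` transport parameter is an assumption made so the logic can be exercised offline.

```python
import json
import urllib.parse
import urllib.request

# Instance metadata endpoint that issues tokens for the assigned identity.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def http_get(url, headers):
    """Default transport: GET a URL and return the decoded JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_token(get=http_get):
    """Ask the metadata endpoint for a Key Vault access token."""
    query = urllib.parse.urlencode(
        {"api-version": "2018-02-01", "resource": KEY_VAULT_RESOURCE})
    try:
        body = get(f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"})
    except OSError as exc:
        # No identity on the container group (for example a Windows group
        # during the preview) or code running outside Azure.
        raise RuntimeError("managed identity endpoint unavailable") from exc
    return body["access_token"]


def get_secret(vault_name, secret_name, get=http_get):
    """Fetch the current version of a secret using the identity's token."""
    token = get_token(get)
    name = urllib.parse.quote(secret_name, safe="")
    url = (f"https://{vault_name}.vault.azure.net/secrets/{name}"
           "?api-version=2016-10-01")
    body = get(url, {"Authorization": f"Bearer {token}"})
    return body["value"]


if __name__ == "__main__":
    # Placeholder names (assumptions); replace with your vault and secret.
    secret = get_secret("example-vault", "example-secret")
    print(len(secret), "characters read")  # never print the secret itself
```

The identity must be granted get permission on secrets in the vault's access policy before the second request succeeds.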

nice @iainfoulds! I look forward to reading the doc! 😄

To follow up quickly, the doc is now live - https://docs.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity

If you have any further questions around using managed identities with a container instance, feel free to open an issue against that doc to keep the tracking of the issue clear.

Well, there is one thing that is not handled:

"Managed service identity is not supported for Windows container groups."

Since it should also be supported too, no?

@iainfoulds

During the current preview, managed identities are only available for Linux containers, as noted in the doc. Managed identity support for Windows is on-going.

CC: @dlepow @jluk

Another thing is, will Managed Identity for container instance be available for Azure Portal soon?

@kkho we're working with our Portal folks for integration into the container management flow, but it may take a moment to integrate into the create flow. What are the tasks you're hoping to do via portal?

@jluk. The goal is to enable managed identity for a container instance. This is to access the KeyVault library feature so that my container can access the keyvault secrets in my C# code.

As far as I know, with the solution mentioned above, that should make it possible, right?

Thanks @kkho! Yes that is doable, CLI is the best option right now if you are manually deploying the container group - tutorial at aka.ms/aci/msi

Sounds like you would normally prefer to do the container creation through portal.

Do you find you discover new features most often through what is exposed in Azure portal?

@jluk. Well, I prefer to do ARM templates, since the future plan is to build a CI/CD pipeline where during release I deploy the built docker container to Azure Container Registry and then from there, deploy an Azure Container Instance.

The reason why I used the portal was because I got that working, rather than deploying through the az container create command (somehow it says the container is running, but the response when trying to go to the container instance URL seems to give a timeout error). But I guess I might be doing something wrong in the command (I will try it out soon).

@kkho ARM template is supported as well, thanks for the insight - we're going to get portal to support these configurations, just wondering if you were more concerned with deployment setup or ongoing mgmt of the identity.

Sometimes the network config can take some extra time even if the container is responding correctly which can produce errors. If you hit more issues feel free to open some issues on the corresponding documentation so we can filter easily!

Hi @jluk. Can you check this please? :) #18225

Is there any update on the Windows implementation of managed identity in a Windows image on Docker?

Hey guys, any update on Windows Managed identity?
