Store app-level secrets for Azure Functions on Azure Container Apps

App-level secrets are configuration values that your function code and bindings consume at runtime. Unlike Functions access keys, which secure HTTP endpoints, app-level secrets are the credentials your application needs to connect to other services.

Common examples include:

  • Infrastructure connections - AzureWebJobsStorage connection strings, trigger and binding connections for Event Hubs, Service Bus, Cosmos DB, and SQL.
  • Business credentials - third-party API keys, database passwords, SaaS platform tokens.
  • Custom configuration - any sensitive value your code reads from environment variables.

Choose a storage option

Azure Container Apps gives you two ways to store app-level secrets:

| Option | Best for | Centralized management | Automatic rotation | Audit logging |
| --- | --- | --- | --- | --- |
| Container Apps secrets | Dev/test, simple single-app workloads | No - scoped to one app | No | Activity logs only |
| Key Vault references | Production, multi-app, compliance | Yes - across all apps | Yes (versionless URI) | Full Key Vault diagnostics |

Tip

Start with Container Apps secrets for simplicity. Move to Key Vault references when you need centralized management, automatic rotation, or compliance-grade auditing.

Prerequisites

Use Container Apps secrets

Container Apps stores secrets in the app's configuration.secrets array and encrypts values at rest. You can reference secrets in environment variables, scale rules, volume mounts, and Dapr components.

Store a secret

  1. Go to your Functions container app in the Azure portal.

  2. Under Settings, select Secrets.

  3. Select Add and enter the following values:

    | Property | Value |
    | --- | --- |
    | Name | A secret name such as database-password. Use lowercase letters, numbers, and hyphens only. |
    | Type | Container Apps Secret |
    | Value | Your secret value. |
  4. Select Add.

Reference the secret in an environment variable

After you store a secret, reference it in an environment variable so your function code can read it.

  1. In your Functions container app, under Application, select Revisions and replicas.

  2. Select Create new revision.

  3. In the Container tab, select your container, and then select Edit.

  4. Select the Environment variables tab, and then select Add.

  5. Enter the following values:

    | Property | Value |
    | --- | --- |
    | Name | DATABASE_PASSWORD |
    | Source | Reference a secret |
    | Value | database-password |
  6. Select Save, and then select Create to deploy the new revision.

Verify the secret

Confirm your function can read the secret value by invoking the function and checking that it runs without errors related to missing configuration.

curl "https://<FUNCTIONS_APP_URL>/api/<FUNCTION_NAME>"

Important

Container Apps injects the secret value into the environment variable at runtime. Your code reads the environment variable and doesn't access the secret store directly.

Limitations

Container Apps secrets have the following limitations:

  • No centralization - each container app stores its own secrets separately.
  • No automatic rotation - you must update secret values manually.
  • No expiration - secrets don't expire automatically.
  • Limited audit - basic activity logs only; no detailed secret access auditing.
  • No versioning - no built-in secret version history.
  • Update behavior - changing a secret doesn't trigger a new revision. You must create a new revision or restart existing revisions to pick up changes.

Use Key Vault references

Key Vault references let your container app pull secrets directly from Azure Key Vault using a managed identity. This approach gives you centralized management, automatic rotation, and compliance-grade auditing.

Step 1: Set up managed identity

Your container app needs a managed identity to authenticate to Key Vault without credentials.

  1. Go to your Functions container app in the Azure portal.

  2. Under Settings, select Identity.

  3. In the System assigned tab, set Status to On.

  4. Select Save, and then select Yes to confirm.

Step 2: Grant Key Vault access

Assign the Key Vault Secrets User role to the managed identity so it can read secrets.

  1. Go to your Key Vault in the Azure portal.

  2. Under Settings, select Access control (IAM).

  3. Select Add > Add role assignment.

  4. On the Role tab, select Key Vault Secrets User.

  5. Select Next.

  6. On the Members tab, select Managed identity, and then select Select members.

  7. In the Select managed identities pane, select your subscription, choose Container App for the managed identity type, select your Functions container app, and then select Select.

  8. Select Review + assign.

Step 3: Store a secret in Key Vault

  1. In your Key Vault, under Objects, select Secrets.

  2. Select Generate/Import.

  3. Enter the following values:

    | Property | Value |
    | --- | --- |
    | Upload options | Manual |
    | Name | A secret name, for example DatabasePassword. |
    | Value | Your secret value. |
  4. Select Create.

  5. Select your newly created secret, then select the current version.

  6. Copy the Secret Identifier URI. Use the versionless URI (without the trailing version segment) to enable automatic rotation.

Step 4: Reference the Key Vault secret in Container Apps

Create a Container Apps secret that references the Key Vault secret, then bind it to an environment variable.

  1. Go to your Functions container app. Under Settings, select Secrets.

  2. Select Add.

  3. In Add secret, enter the following values:

    | Property | Value |
    | --- | --- |
    | Name | database-password |
    | Type | Key Vault reference |
    | Key Vault secret URL | The Secret Identifier URI you copied. |
    | Identity | System assigned (or your user-assigned identity). |
  4. Select Add.

  5. Under Application, select Revisions and replicas. Create a new revision with the environment variable DATABASE_PASSWORD referencing the database-password secret.

Step 5: Verify the Key Vault reference

Invoke your function and confirm it runs without errors related to missing configuration.

curl "https://<FUNCTIONS_APP_URL>/api/<FUNCTION_NAME>"

Automatic secret rotation

When you reference a Key Vault secret with a versionless URI, Container Apps automatically retrieves the latest version:

  • Versionless URI: https://myvault.vault.azure.net/secrets/mysecret - always uses the latest version.
  • Versioned URI: https://myvault.vault.azure.net/secrets/mysecret/ec96f020... - pinned to a specific version.

With versionless URIs, Container Apps checks for new versions within 30 minutes and automatically restarts active revisions to pick up the new value.
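The portal steps for binding DATABASE_PASSWORD to a secret, storing a Key Vault reference, and choosing a versionless Secret Identifier all end up as entries in the app's configuration.secrets array and the container's environment variable list. The Python helper below is an added example, not code from this article or from Azure: it builds those entries, rejects a versioned Secret Identifier unless pinning is explicitly requested (so rotation is not silently lost), and shows the runtime read of the injected variable. The field names keyVaultUrl, identity and secretRef follow the Container Apps ARM schema; the secret-name regex, the hypothetical vault host and the constructed version string are assumptions.

```python
from __future__ import annotations

import os
import re
from urllib.parse import urlparse

# Page rule: lowercase letters, numbers and hyphens only. Requiring the name to
# start and end with a letter or digit is an assumption added here.
SECRET_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def validate_secret_name(name: str) -> str:
    if not SECRET_NAME_RE.match(name):
        raise ValueError(f"invalid Container Apps secret name: {name!r}")
    return name


def parse_secret_identifier(uri: str) -> tuple[str, str | None]:
    """Split a Secret Identifier into (versionless URI, version or None).
    .../secrets/<name> rotates automatically; .../secrets/<name>/<version> is pinned."""
    parts = urlparse(uri)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or len(segments) not in (2, 3) or segments[0] != "secrets":
        raise ValueError(f"not a Key Vault secret identifier: {uri!r}")
    version = segments[2] if len(segments) == 3 else None
    return f"https://{parts.netloc}/secrets/{segments[1]}", version


def key_vault_secret(name: str, secret_uri: str, identity: str = "system",
                     allow_pinned: bool = False) -> dict:
    """configuration.secrets entry for a Key Vault reference (name, keyVaultUrl, identity)."""
    versionless, version = parse_secret_identifier(secret_uri)
    if version and not allow_pinned:
        raise ValueError("versioned URI pins the secret; use the versionless URI for rotation")
    return {"name": validate_secret_name(name),
            "keyVaultUrl": secret_uri if version else versionless, "identity": identity}


def env_var(env_name: str, secret_name: str) -> dict:
    """Environment variable bound to a secret (the portal's 'Reference a secret' source)."""
    return {"name": env_name, "secretRef": validate_secret_name(secret_name)}


def read_secret_from_env(env_name: str) -> str:
    """Runtime side: the function reads the injected variable, never the secret store."""
    value = os.environ.get(env_name)
    if not value:
        raise RuntimeError(f"missing configuration: {env_name} is not set")
    return value
```

Pass identity="system" for a system-assigned identity; for a user-assigned identity the ARM schema expects its resource ID instead.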