Secrets Management
Golden Rule
Never put secrets in code, Dockerfiles, or git. Always use Key Vault or Container App secrets. A value passed on the command line (as in the examples below) also lands in shell history and process listings, so clear it from history after use or read it from a file or prompt instead.
Adding a New Secret
1. Store in Key Vault
az keyvault secret set \
--vault-name cerebro-auth-kv-62be6d5f \
--name my-new-secret \
--value "the-actual-secret-value"
2. Reference in Container App
# Add as a Container App secret. This form stores a second copy of the value
# in the Container App; a Key Vault reference (keyvaultref:...) avoids the copy.
# Container App secret names must be lowercase alphanumerics, '-' or '.'.
az containerapp secret set \
--name my-service \
--resource-group testing \
--secrets "my-new-secret=the-actual-secret-value"
# Then expose as environment variable
az containerapp update \
--name my-service \
--resource-group testing \
--set-env-vars "MY_ENV_VAR=secretref:my-new-secret"
Rotating a Secret
# 1. Update Key Vault (creates a new version of the secret)
az keyvault secret set \
--vault-name cerebro-auth-kv-62be6d5f \
--name my-secret \
--value "new-value"
# 2. Update the Container App's copy (not needed if the secret is a Key Vault reference)
az containerapp secret set \
--name my-service \
--resource-group testing \
--secrets "my-secret=new-value"
# 3. Restart the running revision; secretref env vars are bound at container start
az containerapp revision restart \
--name my-service \
--resource-group testing \
--revision $(az containerapp show --name my-service --resource-group testing --query properties.latestRevisionName -o tsv)
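The two procedures above keep two copies of every secret (one in Key Vault, one in the Container App), which is why rotation needs two updates. The helper below is an added example, not part of this runbook: it builds a Key Vault reference for `az containerapp secret set` so the app reads the current value from the vault and there is no second copy to rotate. It assumes (not shown on this page) that the Container App has a system-assigned managed identity that has been granted secret `get` permission on the vault; the `DRY_RUN` switch and the name-validation functions are the example's own.

```shell
#!/bin/sh
# Added helper, not from the runbook. Builds a Key Vault *reference* for a
# Container App secret so the app never holds its own copy of the value.
# Assumes (hypothetical, not shown on this page): the Container App has a
# system-assigned managed identity granted "get" on the vault's secrets.
set -eu

# Container Apps secret names: lowercase alphanumerics, '-' and '.', starting
# and ending with an alphanumeric character.
valid_ca_secret_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'
}

# Key Vault secret names: alphanumerics and '-', 1 to 127 characters.
valid_kv_secret_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]{1,127}$'
}

# Emit the --secrets argument for `az containerapp secret set`.
# kv_secret_ref <vault-name> <kv-secret-name> <container-app-secret-name>
kv_secret_ref() {
  vault="$1"; kvname="$2"; caname="$3"
  valid_kv_secret_name "$kvname" || { echo "bad Key Vault secret name: $kvname" >&2; return 1; }
  valid_ca_secret_name "$caname" || { echo "bad Container App secret name: $caname" >&2; return 1; }
  printf '%s=keyvaultref:https://%s.vault.azure.net/secrets/%s,identityref:system\n' \
    "$caname" "$vault" "$kvname"
}

# Wire the reference into the app and expose it as an env var.
# With DRY_RUN set, print the az commands instead of running them.
# add_kv_secret <vault> <kv-secret> <ca-secret> <ENV_VAR> <app> <resource-group>
add_kv_secret() {
  vault="$1"; kvname="$2"; caname="$3"; envvar="$4"; app="$5"; rg="$6"
  ref="$(kv_secret_ref "$vault" "$kvname" "$caname")" || return 1
  if [ -n "${DRY_RUN:-}" ]; then
    echo "az containerapp secret set --name $app --resource-group $rg --secrets '$ref'"
    echo "az containerapp update --name $app --resource-group $rg --set-env-vars '$envvar=secretref:$caname'"
    return 0
  fi
  az containerapp secret set --name "$app" --resource-group "$rg" --secrets "$ref"
  az containerapp update --name "$app" --resource-group "$rg" --set-env-vars "$envvar=secretref:$caname"
}

# Example run (DRY_RUN, so it is safe anywhere): prints the two az commands.
DRY_RUN=1 add_kv_secret cerebro-auth-kv-62be6d5f my-new-secret my-new-secret MY_ENV_VAR my-service testing
```

With a reference in place, rotation is step 1 (new Key Vault version) plus the revision restart; step 2 of the rotation procedure no longer applies. The name checks catch the uppercase `MY_SECRET` style before `az` rejects it.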
Listing Secrets
# List Key Vault secrets (names only)
az keyvault secret list \
--vault-name cerebro-auth-kv-62be6d5f \
--output table
# List Container App secrets (names only; values are omitted unless you pass --show-values)
az containerapp secret list \
--name my-service \
--resource-group testing \
--output table
ACR Credentials on Container Apps
If a container app can't pull its image, the registry credentials need to be configured. The ACR admin password used below is a shared, long-lived credential that ends up stored on the app and in your shell history; granting the app's managed identity the AcrPull role on the registry avoids storing a password at all.
# Quote the JMESPath query: unquoted [] is a shell glob
ACR_PWD=$(az acr credential show --name ca45076245feacr --query "passwords[0].value" -o tsv)
az containerapp registry set \
--name my-service \
--resource-group testing \
--server ca45076245feacr.azurecr.io \
--username ca45076245feacr \
--password "$ACR_PWD"
unset ACR_PWD