Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
323 questions
Authorization error when trying to list secrets in Azure Container Apps
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 26%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
PS
150
Reputation points
We are getting below mentioned authorization error when trying to list secrets using Azure golang sdk.
RESPONSE 403: 403 Forbidden
ERROR CODE: AuthorizationFailed
--------------------------------------------------------------------------------
{
"error": {
"code": "AuthorizationFailed",
"message": "The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.App/containerApps/listSecrets/action' over scope '/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.App/containerApps/xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
--------------------------------------------------------------------------------
Can anyone suggest the specific role that needs to be added to list secrets?
I have added system-assigned managed identity to the Azure Container app.
The system assigned identity Reader role at the Resource group scope
{count} votes
-
Aki Nishikawa 1,300 Reputation points Microsoft Employee2024-06-22T02:12:35.3766667+00:00 Hello @PS ,
It's unclear why you're utilizing the system-assigned managed identity for Container Apps, but as indicated by the error message, service principals that call APIs require the permission
Microsoft.App/containerApps/listSecrets/actionto list secrets within Container Apps. If you prefer not to create a custom role, you must assign the service principal used by your application to the contributor or owner role of your Container Apps. -
PS 150 Reputation points
2024-06-24T04:30:11.61+00:00 Thanks @Aki Nishikawa
We have been using managed identities to access Azure APIs https://video2.skills-academy.com/en-us/rest/api/containerapps/container-apps/get?view=rest-containerapps-2024-03-01&tabs=HTTP
On similar lines, I was trying to use the managed identity to list the secrets. Is this not the recommended approach to access the secrets API ?
I am not sure if I follow your suggestion
"If you prefer not to create a custom role, you must assign the service principal used by your application to the contributor or owner role of your Container Apps."Can you please elaborate with an example or share a doc reference if any
Sign in to comment