Configure Azure Container Apps Authentication

The azure-native:app:ContainerAppsAuthConfig resource, part of the Pulumi Azure Native provider, configures authentication and authorization for Azure Container Apps. This includes identity provider integration, token management, and validation rules. This guide focuses on three capabilities: social identity provider setup, token encryption and external storage, and managed identity integration for Blob Storage.

Auth configurations attach to existing Container Apps and reference secrets, Blob Storage containers, and managed identities that must exist separately. The examples are intentionally small. Combine them with your own Container App infrastructure and identity management.

Enable authentication with a social identity provider

Container Apps can authenticate users through social providers like Facebook without building custom authentication flows.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Attaches an auth configuration to the existing Container App "testcanadacentral".
// All strings are sample values; the secrets named here must already exist on the app.
const containerAppsAuthConfig = new azure_native.app.ContainerAppsAuthConfig("containerAppsAuthConfig", {
    authConfigName: "current",
    containerAppName: "testcanadacentral",
    encryptionSettings: {
        // Names of Container App secrets used to encrypt and sign tokens, not the key material itself.
        containerAppAuthEncryptionSecretName: "testEncryptionSecretName",
        containerAppAuthSigningSecretName: "testSigningSecretName",
    },
    globalValidation: {
        // NOTE(review): AllowAnonymous lets unauthenticated requests through to the app,
        // so the application itself has to enforce access on any route that needs it.
        unauthenticatedClientAction: azure_native.app.UnauthenticatedClientActionV2.AllowAnonymous,
    },
    identityProviders: {
        facebook: {
            registration: {
                // Placeholder Facebook app ID.
                appId: "123",
                // Name of the secret that holds the Facebook app secret; the value never appears in code.
                appSecretSettingName: "facebook-secret",
            },
        },
    },
    platform: {
        // Turns the authentication middleware on for this app.
        enabled: true,
    },
    resourceGroupName: "workerapps-rg-xj",
});
import pulumi
import pulumi_azure_native as azure_native

# Attaches an auth configuration to the existing Container App "testcanadacentral".
# All strings are sample values; the secrets named here must already exist on the app.
container_apps_auth_config = azure_native.app.ContainerAppsAuthConfig("containerAppsAuthConfig",
    auth_config_name="current",
    container_app_name="testcanadacentral",
    encryption_settings={
        # Names of Container App secrets used to encrypt and sign tokens, not the keys themselves.
        "container_app_auth_encryption_secret_name": "testEncryptionSecretName",
        "container_app_auth_signing_secret_name": "testSigningSecretName",
    },
    global_validation={
        # NOTE(review): ALLOW_ANONYMOUS lets unauthenticated requests through to the app,
        # so the application itself has to enforce access on any route that needs it.
        "unauthenticated_client_action": azure_native.app.UnauthenticatedClientActionV2.ALLOW_ANONYMOUS,
    },
    identity_providers={
        "facebook": {
            "registration": {
                # Placeholder Facebook app ID.
                "app_id": "123",
                # Name of the secret that holds the Facebook app secret; the value never appears in code.
                "app_secret_setting_name": "facebook-secret",
            },
        },
    },
    platform={
        # Turns the authentication middleware on for this app.
        "enabled": True,
    },
    resource_group_name="workerapps-rg-xj")
package main

import (
	app "github.com/pulumi/pulumi-azure-native-sdk/app/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a ContainerAppsAuthConfig for the existing Container App
// "testcanadacentral". All strings are sample values; the secrets named here
// must already exist on the app.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := app.NewContainerAppsAuthConfig(ctx, "containerAppsAuthConfig", &app.ContainerAppsAuthConfigArgs{
			AuthConfigName:   pulumi.String("current"),
			ContainerAppName: pulumi.String("testcanadacentral"),
			// Names of Container App secrets used to encrypt and sign tokens, not the keys themselves.
			EncryptionSettings: &app.EncryptionSettingsArgs{
				ContainerAppAuthEncryptionSecretName: pulumi.String("testEncryptionSecretName"),
				ContainerAppAuthSigningSecretName:    pulumi.String("testSigningSecretName"),
			},
			// NOTE(review): AllowAnonymous lets unauthenticated requests through to the app,
			// so the application itself has to enforce access on any route that needs it.
			GlobalValidation: &app.GlobalValidationArgs{
				UnauthenticatedClientAction: app.UnauthenticatedClientActionV2AllowAnonymous,
			},
			IdentityProviders: &app.IdentityProvidersArgs{
				Facebook: &app.FacebookArgs{
					Registration: &app.AppRegistrationArgs{
						// Placeholder Facebook app ID.
						AppId:                pulumi.String("123"),
						// Name of the secret that holds the Facebook app secret.
						AppSecretSettingName: pulumi.String("facebook-secret"),
					},
				},
			},
			// Turns the authentication middleware on for this app.
			Platform: &app.AuthPlatformArgs{
				Enabled: pulumi.Bool(true),
			},
			ResourceGroupName: pulumi.String("workerapps-rg-xj"),
		})
		// Propagate a failed resource registration to Pulumi.
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

// Attaches an auth configuration to the existing Container App "testcanadacentral".
// All strings are sample values; the secrets named here must already exist on the app.
return await Deployment.RunAsync(() => 
{
    var containerAppsAuthConfig = new AzureNative.App.ContainerAppsAuthConfig("containerAppsAuthConfig", new()
    {
        AuthConfigName = "current",
        ContainerAppName = "testcanadacentral",
        // Names of Container App secrets used to encrypt and sign tokens, not the keys themselves.
        EncryptionSettings = new AzureNative.App.Inputs.EncryptionSettingsArgs
        {
            ContainerAppAuthEncryptionSecretName = "testEncryptionSecretName",
            ContainerAppAuthSigningSecretName = "testSigningSecretName",
        },
        // NOTE(review): AllowAnonymous lets unauthenticated requests through to the app,
        // so the application itself has to enforce access on any route that needs it.
        GlobalValidation = new AzureNative.App.Inputs.GlobalValidationArgs
        {
            UnauthenticatedClientAction = AzureNative.App.UnauthenticatedClientActionV2.AllowAnonymous,
        },
        IdentityProviders = new AzureNative.App.Inputs.IdentityProvidersArgs
        {
            Facebook = new AzureNative.App.Inputs.FacebookArgs
            {
                Registration = new AzureNative.App.Inputs.AppRegistrationArgs
                {
                    // Placeholder Facebook app ID.
                    AppId = "123",
                    // Name of the secret that holds the Facebook app secret.
                    AppSecretSettingName = "facebook-secret",
                },
            },
        },
        // Turns the authentication middleware on for this app.
        Platform = new AzureNative.App.Inputs.AuthPlatformArgs
        {
            Enabled = true,
        },
        ResourceGroupName = "workerapps-rg-xj",
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.app.ContainerAppsAuthConfig;
import com.pulumi.azurenative.app.ContainerAppsAuthConfigArgs;
import com.pulumi.azurenative.app.inputs.EncryptionSettingsArgs;
import com.pulumi.azurenative.app.inputs.GlobalValidationArgs;
import com.pulumi.azurenative.app.inputs.IdentityProvidersArgs;
import com.pulumi.azurenative.app.inputs.FacebookArgs;
import com.pulumi.azurenative.app.inputs.AppRegistrationArgs;
import com.pulumi.azurenative.app.inputs.AuthPlatformArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that attaches an auth configuration to the existing Container App
 * "testcanadacentral". All strings are sample values; the secrets named here must
 * already exist on the app.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the ContainerAppsAuthConfig resource.
     *
     * @param ctx Pulumi deployment context (not read by this example)
     */
    public static void stack(Context ctx) {
        var containerAppsAuthConfig = new ContainerAppsAuthConfig("containerAppsAuthConfig", ContainerAppsAuthConfigArgs.builder()
            .authConfigName("current")
            .containerAppName("testcanadacentral")
            // Names of Container App secrets used to encrypt and sign tokens, not the keys themselves.
            .encryptionSettings(EncryptionSettingsArgs.builder()
                .containerAppAuthEncryptionSecretName("testEncryptionSecretName")
                .containerAppAuthSigningSecretName("testSigningSecretName")
                .build())
            // NOTE(review): AllowAnonymous lets unauthenticated requests through to the app,
            // so the application itself has to enforce access on any route that needs it.
            .globalValidation(GlobalValidationArgs.builder()
                .unauthenticatedClientAction("AllowAnonymous")
                .build())
            .identityProviders(IdentityProvidersArgs.builder()
                .facebook(FacebookArgs.builder()
                    .registration(AppRegistrationArgs.builder()
                        // Placeholder Facebook app ID.
                        .appId("123")
                        // Name of the secret that holds the Facebook app secret.
                        .appSecretSettingName("facebook-secret")
                        .build())
                    .build())
                .build())
            // Turns the authentication middleware on for this app.
            .platform(AuthPlatformArgs.builder()
                .enabled(true)
                .build())
            .resourceGroupName("workerapps-rg-xj")
            .build());

    }
}
# Attaches an auth configuration to the existing Container App "testcanadacentral".
# All strings are sample values; the secrets named here must already exist on the app.
resources:
  containerAppsAuthConfig:
    type: azure-native:app:ContainerAppsAuthConfig
    properties:
      authConfigName: current
      containerAppName: testcanadacentral
      # Names of Container App secrets used to encrypt and sign tokens, not the keys themselves.
      encryptionSettings:
        containerAppAuthEncryptionSecretName: testEncryptionSecretName
        containerAppAuthSigningSecretName: testSigningSecretName
      # NOTE(review): AllowAnonymous lets unauthenticated requests through to the app,
      # so the application itself has to enforce access on any route that needs it.
      globalValidation:
        unauthenticatedClientAction: AllowAnonymous
      identityProviders:
        facebook:
          registration:
            # Placeholder Facebook app ID.
            appId: '123'
            # Name of the secret that holds the Facebook app secret.
            appSecretSettingName: facebook-secret
      # Turns the authentication middleware on for this app.
      platform:
        enabled: true
      resourceGroupName: workerapps-rg-xj

The platform property enables the authentication middleware for the app. The identityProviders block configures Facebook with an app ID and a reference to the secret that holds the app secret. The encryptionSettings specify secret names for encrypting and signing tokens. The globalValidation property controls what happens to unauthenticated requests; AllowAnonymous allows them through while still making authentication available, so with this setting the application code itself must reject unauthenticated callers on any route that needs protection.

Store authentication tokens in Blob Storage with managed identity

Applications with high session volumes benefit from externalizing token storage to Azure Blob Storage rather than using in-memory storage.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Auth configuration for the existing Container App "myapp" that keeps login tokens
// in a Blob Storage container, accessed with a managed identity. All strings are sample values.
const containerAppsAuthConfig = new azure_native.app.ContainerAppsAuthConfig("containerAppsAuthConfig", {
    authConfigName: "current",
    containerAppName: "myapp",
    encryptionSettings: {
        // Names of Container App secrets used to encrypt and sign tokens.
        containerAppAuthEncryptionSecretName: "testEncryptionSecretName",
        containerAppAuthSigningSecretName: "testSigningSecretName",
    },
    globalValidation: {
        // NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
        unauthenticatedClientAction: azure_native.app.UnauthenticatedClientActionV2.AllowAnonymous,
    },
    identityProviders: {
        facebook: {
            registration: {
                appId: "123",
                // Name of the secret that holds the Facebook app secret.
                appSecretSettingName: "facebook-secret",
            },
        },
    },
    login: {
        tokenStore: {
            azureBlobStorage: {
                // Container that will hold the tokens.
                blobContainerUri: "https://test.blob.core.windows.net/container1",
                // Client ID of the managed identity used to reach the container (all-zero placeholder).
                // That identity needs Storage Blob Data Contributor on the container.
                clientId: "00000000-0000-0000-0000-000000000000",
            },
        },
    },
    platform: {
        enabled: true,
    },
    resourceGroupName: "rg1",
});
import pulumi
import pulumi_azure_native as azure_native

# Auth configuration for the existing Container App "myapp" that keeps login tokens
# in a Blob Storage container, accessed with a managed identity. All strings are sample values.
container_apps_auth_config = azure_native.app.ContainerAppsAuthConfig("containerAppsAuthConfig",
    auth_config_name="current",
    container_app_name="myapp",
    encryption_settings={
        # Names of Container App secrets used to encrypt and sign tokens.
        "container_app_auth_encryption_secret_name": "testEncryptionSecretName",
        "container_app_auth_signing_secret_name": "testSigningSecretName",
    },
    global_validation={
        # NOTE(review): ALLOW_ANONYMOUS does not block unauthenticated requests; the app must.
        "unauthenticated_client_action": azure_native.app.UnauthenticatedClientActionV2.ALLOW_ANONYMOUS,
    },
    identity_providers={
        "facebook": {
            "registration": {
                "app_id": "123",
                # Name of the secret that holds the Facebook app secret.
                "app_secret_setting_name": "facebook-secret",
            },
        },
    },
    login={
        "token_store": {
            "azure_blob_storage": {
                # Container that will hold the tokens.
                "blob_container_uri": "https://test.blob.core.windows.net/container1",
                # Client ID of the managed identity used to reach the container (all-zero placeholder).
                # That identity needs Storage Blob Data Contributor on the container.
                "client_id": "00000000-0000-0000-0000-000000000000",
            },
        },
    },
    platform={
        "enabled": True,
    },
    resource_group_name="rg1")
package main

import (
	app "github.com/pulumi/pulumi-azure-native-sdk/app/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a ContainerAppsAuthConfig for the existing Container App "myapp"
// that keeps login tokens in a Blob Storage container, accessed with a managed
// identity. All strings are sample values.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := app.NewContainerAppsAuthConfig(ctx, "containerAppsAuthConfig", &app.ContainerAppsAuthConfigArgs{
			AuthConfigName:   pulumi.String("current"),
			ContainerAppName: pulumi.String("myapp"),
			// Names of Container App secrets used to encrypt and sign tokens.
			EncryptionSettings: &app.EncryptionSettingsArgs{
				ContainerAppAuthEncryptionSecretName: pulumi.String("testEncryptionSecretName"),
				ContainerAppAuthSigningSecretName:    pulumi.String("testSigningSecretName"),
			},
			// NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
			GlobalValidation: &app.GlobalValidationArgs{
				UnauthenticatedClientAction: app.UnauthenticatedClientActionV2AllowAnonymous,
			},
			IdentityProviders: &app.IdentityProvidersArgs{
				Facebook: &app.FacebookArgs{
					Registration: &app.AppRegistrationArgs{
						AppId:                pulumi.String("123"),
						// Name of the secret that holds the Facebook app secret.
						AppSecretSettingName: pulumi.String("facebook-secret"),
					},
				},
			},
			Login: &app.LoginArgs{
				TokenStore: &app.TokenStoreArgs{
					AzureBlobStorage: &app.BlobStorageTokenStoreArgs{
						// Container that will hold the tokens.
						BlobContainerUri: pulumi.String("https://test.blob.core.windows.net/container1"),
						// Client ID of the managed identity used to reach the container (all-zero placeholder).
						// That identity needs Storage Blob Data Contributor on the container.
						ClientId:         pulumi.String("00000000-0000-0000-0000-000000000000"),
					},
				},
			},
			Platform: &app.AuthPlatformArgs{
				Enabled: pulumi.Bool(true),
			},
			ResourceGroupName: pulumi.String("rg1"),
		})
		// Propagate a failed resource registration to Pulumi.
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

// Auth configuration for the existing Container App "myapp" that keeps login tokens
// in a Blob Storage container, accessed with a managed identity. All strings are sample values.
return await Deployment.RunAsync(() => 
{
    var containerAppsAuthConfig = new AzureNative.App.ContainerAppsAuthConfig("containerAppsAuthConfig", new()
    {
        AuthConfigName = "current",
        ContainerAppName = "myapp",
        // Names of Container App secrets used to encrypt and sign tokens.
        EncryptionSettings = new AzureNative.App.Inputs.EncryptionSettingsArgs
        {
            ContainerAppAuthEncryptionSecretName = "testEncryptionSecretName",
            ContainerAppAuthSigningSecretName = "testSigningSecretName",
        },
        // NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
        GlobalValidation = new AzureNative.App.Inputs.GlobalValidationArgs
        {
            UnauthenticatedClientAction = AzureNative.App.UnauthenticatedClientActionV2.AllowAnonymous,
        },
        IdentityProviders = new AzureNative.App.Inputs.IdentityProvidersArgs
        {
            Facebook = new AzureNative.App.Inputs.FacebookArgs
            {
                Registration = new AzureNative.App.Inputs.AppRegistrationArgs
                {
                    AppId = "123",
                    // Name of the secret that holds the Facebook app secret.
                    AppSecretSettingName = "facebook-secret",
                },
            },
        },
        Login = new AzureNative.App.Inputs.LoginArgs
        {
            TokenStore = new AzureNative.App.Inputs.TokenStoreArgs
            {
                AzureBlobStorage = new AzureNative.App.Inputs.BlobStorageTokenStoreArgs
                {
                    // Container that will hold the tokens.
                    BlobContainerUri = "https://test.blob.core.windows.net/container1",
                    // Client ID of the managed identity used to reach the container (all-zero placeholder).
                    // That identity needs Storage Blob Data Contributor on the container.
                    ClientId = "00000000-0000-0000-0000-000000000000",
                },
            },
        },
        Platform = new AzureNative.App.Inputs.AuthPlatformArgs
        {
            Enabled = true,
        },
        ResourceGroupName = "rg1",
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.app.ContainerAppsAuthConfig;
import com.pulumi.azurenative.app.ContainerAppsAuthConfigArgs;
import com.pulumi.azurenative.app.inputs.EncryptionSettingsArgs;
import com.pulumi.azurenative.app.inputs.GlobalValidationArgs;
import com.pulumi.azurenative.app.inputs.IdentityProvidersArgs;
import com.pulumi.azurenative.app.inputs.FacebookArgs;
import com.pulumi.azurenative.app.inputs.AppRegistrationArgs;
import com.pulumi.azurenative.app.inputs.LoginArgs;
import com.pulumi.azurenative.app.inputs.TokenStoreArgs;
import com.pulumi.azurenative.app.inputs.BlobStorageTokenStoreArgs;
import com.pulumi.azurenative.app.inputs.AuthPlatformArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that configures auth for the existing Container App "myapp" and keeps
 * login tokens in a Blob Storage container, accessed with a managed identity.
 * All strings are sample values.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the ContainerAppsAuthConfig resource with a Blob Storage token store.
     *
     * @param ctx Pulumi deployment context (not read by this example)
     */
    public static void stack(Context ctx) {
        var containerAppsAuthConfig = new ContainerAppsAuthConfig("containerAppsAuthConfig", ContainerAppsAuthConfigArgs.builder()
            .authConfigName("current")
            .containerAppName("myapp")
            // Names of Container App secrets used to encrypt and sign tokens.
            .encryptionSettings(EncryptionSettingsArgs.builder()
                .containerAppAuthEncryptionSecretName("testEncryptionSecretName")
                .containerAppAuthSigningSecretName("testSigningSecretName")
                .build())
            // NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
            .globalValidation(GlobalValidationArgs.builder()
                .unauthenticatedClientAction("AllowAnonymous")
                .build())
            .identityProviders(IdentityProvidersArgs.builder()
                .facebook(FacebookArgs.builder()
                    .registration(AppRegistrationArgs.builder()
                        .appId("123")
                        // Name of the secret that holds the Facebook app secret.
                        .appSecretSettingName("facebook-secret")
                        .build())
                    .build())
                .build())
            .login(LoginArgs.builder()
                .tokenStore(TokenStoreArgs.builder()
                    .azureBlobStorage(BlobStorageTokenStoreArgs.builder()
                        // Container that will hold the tokens.
                        .blobContainerUri("https://test.blob.core.windows.net/container1")
                        // Client ID of the managed identity used to reach the container (all-zero placeholder).
                        // That identity needs Storage Blob Data Contributor on the container.
                        .clientId("00000000-0000-0000-0000-000000000000")
                        .build())
                    .build())
                .build())
            .platform(AuthPlatformArgs.builder()
                .enabled(true)
                .build())
            .resourceGroupName("rg1")
            .build());

    }
}
# Auth configuration for the existing Container App "myapp" that keeps login tokens
# in a Blob Storage container, accessed with a managed identity. All strings are sample values.
resources:
  containerAppsAuthConfig:
    type: azure-native:app:ContainerAppsAuthConfig
    properties:
      authConfigName: current
      containerAppName: myapp
      # Names of Container App secrets used to encrypt and sign tokens.
      encryptionSettings:
        containerAppAuthEncryptionSecretName: testEncryptionSecretName
        containerAppAuthSigningSecretName: testSigningSecretName
      # NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
      globalValidation:
        unauthenticatedClientAction: AllowAnonymous
      identityProviders:
        facebook:
          registration:
            appId: '123'
            # Name of the secret that holds the Facebook app secret.
            appSecretSettingName: facebook-secret
      login:
        tokenStore:
          azureBlobStorage:
            # Container that will hold the tokens.
            blobContainerUri: https://test.blob.core.windows.net/container1
            # Client ID of the managed identity used to reach the container (all-zero placeholder).
            # That identity needs Storage Blob Data Contributor on the container.
            clientId: 00000000-0000-0000-0000-000000000000
      platform:
        enabled: true
      resourceGroupName: rg1

The login.tokenStore.azureBlobStorage block configures external token persistence. The blobContainerUri points to your storage container, and clientId specifies which managed identity the app uses to authenticate to that container. This approach scales token storage independently of your Container App instances and survives app restarts. Because the container holds users' authentication tokens, keep it private and limit access to that identity.

Reference managed identity by resource ID for token storage

When using user-assigned managed identities, you can reference them by full resource ID instead of client ID.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Same Blob Storage token store for "myapp", but the managed identity is named by its
// full Azure resource ID instead of its client ID. All strings are sample values.
const containerAppsAuthConfig = new azure_native.app.ContainerAppsAuthConfig("containerAppsAuthConfig", {
    authConfigName: "current",
    containerAppName: "myapp",
    encryptionSettings: {
        // Names of Container App secrets used to encrypt and sign tokens.
        containerAppAuthEncryptionSecretName: "testEncryptionSecretName",
        containerAppAuthSigningSecretName: "testSigningSecretName",
    },
    globalValidation: {
        // NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
        unauthenticatedClientAction: azure_native.app.UnauthenticatedClientActionV2.AllowAnonymous,
    },
    identityProviders: {
        facebook: {
            registration: {
                appId: "123",
                // Name of the secret that holds the Facebook app secret.
                appSecretSettingName: "facebook-secret",
            },
        },
    },
    login: {
        tokenStore: {
            azureBlobStorage: {
                // Container that will hold the tokens.
                blobContainerUri: "https://test.blob.core.windows.net/container1",
                // Resource ID of the user-assigned managed identity (placeholder subscription ID).
                // That identity needs Storage Blob Data Contributor on the container.
                managedIdentityResourceId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1",
            },
        },
    },
    platform: {
        enabled: true,
    },
    resourceGroupName: "rg1",
});
import pulumi
import pulumi_azure_native as azure_native

# Same Blob Storage token store for "myapp", but the managed identity is named by its
# full Azure resource ID instead of its client ID. All strings are sample values.
container_apps_auth_config = azure_native.app.ContainerAppsAuthConfig("containerAppsAuthConfig",
    auth_config_name="current",
    container_app_name="myapp",
    encryption_settings={
        # Names of Container App secrets used to encrypt and sign tokens.
        "container_app_auth_encryption_secret_name": "testEncryptionSecretName",
        "container_app_auth_signing_secret_name": "testSigningSecretName",
    },
    global_validation={
        # NOTE(review): ALLOW_ANONYMOUS does not block unauthenticated requests; the app must.
        "unauthenticated_client_action": azure_native.app.UnauthenticatedClientActionV2.ALLOW_ANONYMOUS,
    },
    identity_providers={
        "facebook": {
            "registration": {
                "app_id": "123",
                # Name of the secret that holds the Facebook app secret.
                "app_secret_setting_name": "facebook-secret",
            },
        },
    },
    login={
        "token_store": {
            "azure_blob_storage": {
                # Container that will hold the tokens.
                "blob_container_uri": "https://test.blob.core.windows.net/container1",
                # Resource ID of the user-assigned managed identity (placeholder subscription ID).
                # That identity needs Storage Blob Data Contributor on the container.
                "managed_identity_resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1",
            },
        },
    },
    platform={
        "enabled": True,
    },
    resource_group_name="rg1")
package main

import (
	app "github.com/pulumi/pulumi-azure-native-sdk/app/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a ContainerAppsAuthConfig for "myapp" with a Blob Storage token
// store whose managed identity is named by full Azure resource ID instead of
// client ID. All strings are sample values.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := app.NewContainerAppsAuthConfig(ctx, "containerAppsAuthConfig", &app.ContainerAppsAuthConfigArgs{
			AuthConfigName:   pulumi.String("current"),
			ContainerAppName: pulumi.String("myapp"),
			// Names of Container App secrets used to encrypt and sign tokens.
			EncryptionSettings: &app.EncryptionSettingsArgs{
				ContainerAppAuthEncryptionSecretName: pulumi.String("testEncryptionSecretName"),
				ContainerAppAuthSigningSecretName:    pulumi.String("testSigningSecretName"),
			},
			// NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
			GlobalValidation: &app.GlobalValidationArgs{
				UnauthenticatedClientAction: app.UnauthenticatedClientActionV2AllowAnonymous,
			},
			IdentityProviders: &app.IdentityProvidersArgs{
				Facebook: &app.FacebookArgs{
					Registration: &app.AppRegistrationArgs{
						AppId:                pulumi.String("123"),
						// Name of the secret that holds the Facebook app secret.
						AppSecretSettingName: pulumi.String("facebook-secret"),
					},
				},
			},
			Login: &app.LoginArgs{
				TokenStore: &app.TokenStoreArgs{
					AzureBlobStorage: &app.BlobStorageTokenStoreArgs{
						// Container that will hold the tokens.
						BlobContainerUri:          pulumi.String("https://test.blob.core.windows.net/container1"),
						// Resource ID of the user-assigned managed identity (placeholder subscription ID).
						// That identity needs Storage Blob Data Contributor on the container.
						ManagedIdentityResourceId: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1"),
					},
				},
			},
			Platform: &app.AuthPlatformArgs{
				Enabled: pulumi.Bool(true),
			},
			ResourceGroupName: pulumi.String("rg1"),
		})
		// Propagate a failed resource registration to Pulumi.
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

// Same Blob Storage token store for "myapp", but the managed identity is named by its
// full Azure resource ID instead of its client ID. All strings are sample values.
return await Deployment.RunAsync(() => 
{
    var containerAppsAuthConfig = new AzureNative.App.ContainerAppsAuthConfig("containerAppsAuthConfig", new()
    {
        AuthConfigName = "current",
        ContainerAppName = "myapp",
        // Names of Container App secrets used to encrypt and sign tokens.
        EncryptionSettings = new AzureNative.App.Inputs.EncryptionSettingsArgs
        {
            ContainerAppAuthEncryptionSecretName = "testEncryptionSecretName",
            ContainerAppAuthSigningSecretName = "testSigningSecretName",
        },
        // NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
        GlobalValidation = new AzureNative.App.Inputs.GlobalValidationArgs
        {
            UnauthenticatedClientAction = AzureNative.App.UnauthenticatedClientActionV2.AllowAnonymous,
        },
        IdentityProviders = new AzureNative.App.Inputs.IdentityProvidersArgs
        {
            Facebook = new AzureNative.App.Inputs.FacebookArgs
            {
                Registration = new AzureNative.App.Inputs.AppRegistrationArgs
                {
                    AppId = "123",
                    // Name of the secret that holds the Facebook app secret.
                    AppSecretSettingName = "facebook-secret",
                },
            },
        },
        Login = new AzureNative.App.Inputs.LoginArgs
        {
            TokenStore = new AzureNative.App.Inputs.TokenStoreArgs
            {
                AzureBlobStorage = new AzureNative.App.Inputs.BlobStorageTokenStoreArgs
                {
                    // Container that will hold the tokens.
                    BlobContainerUri = "https://test.blob.core.windows.net/container1",
                    // Resource ID of the user-assigned managed identity (placeholder subscription ID).
                    // That identity needs Storage Blob Data Contributor on the container.
                    ManagedIdentityResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1",
                },
            },
        },
        Platform = new AzureNative.App.Inputs.AuthPlatformArgs
        {
            Enabled = true,
        },
        ResourceGroupName = "rg1",
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.app.ContainerAppsAuthConfig;
import com.pulumi.azurenative.app.ContainerAppsAuthConfigArgs;
import com.pulumi.azurenative.app.inputs.EncryptionSettingsArgs;
import com.pulumi.azurenative.app.inputs.GlobalValidationArgs;
import com.pulumi.azurenative.app.inputs.IdentityProvidersArgs;
import com.pulumi.azurenative.app.inputs.FacebookArgs;
import com.pulumi.azurenative.app.inputs.AppRegistrationArgs;
import com.pulumi.azurenative.app.inputs.LoginArgs;
import com.pulumi.azurenative.app.inputs.TokenStoreArgs;
import com.pulumi.azurenative.app.inputs.BlobStorageTokenStoreArgs;
import com.pulumi.azurenative.app.inputs.AuthPlatformArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that configures auth for "myapp" with a Blob Storage token store whose
 * managed identity is named by full Azure resource ID instead of client ID.
 * All strings are sample values.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the ContainerAppsAuthConfig resource with a Blob Storage token store.
     *
     * @param ctx Pulumi deployment context (not read by this example)
     */
    public static void stack(Context ctx) {
        var containerAppsAuthConfig = new ContainerAppsAuthConfig("containerAppsAuthConfig", ContainerAppsAuthConfigArgs.builder()
            .authConfigName("current")
            .containerAppName("myapp")
            // Names of Container App secrets used to encrypt and sign tokens.
            .encryptionSettings(EncryptionSettingsArgs.builder()
                .containerAppAuthEncryptionSecretName("testEncryptionSecretName")
                .containerAppAuthSigningSecretName("testSigningSecretName")
                .build())
            // NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
            .globalValidation(GlobalValidationArgs.builder()
                .unauthenticatedClientAction("AllowAnonymous")
                .build())
            .identityProviders(IdentityProvidersArgs.builder()
                .facebook(FacebookArgs.builder()
                    .registration(AppRegistrationArgs.builder()
                        .appId("123")
                        // Name of the secret that holds the Facebook app secret.
                        .appSecretSettingName("facebook-secret")
                        .build())
                    .build())
                .build())
            .login(LoginArgs.builder()
                .tokenStore(TokenStoreArgs.builder()
                    .azureBlobStorage(BlobStorageTokenStoreArgs.builder()
                        // Container that will hold the tokens.
                        .blobContainerUri("https://test.blob.core.windows.net/container1")
                        // Resource ID of the user-assigned managed identity (placeholder subscription ID).
                        // That identity needs Storage Blob Data Contributor on the container.
                        .managedIdentityResourceId("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1")
                        .build())
                    .build())
                .build())
            .platform(AuthPlatformArgs.builder()
                .enabled(true)
                .build())
            .resourceGroupName("rg1")
            .build());

    }
}
# Same Blob Storage token store for "myapp", but the managed identity is named by its
# full Azure resource ID instead of its client ID. All strings are sample values.
resources:
  containerAppsAuthConfig:
    type: azure-native:app:ContainerAppsAuthConfig
    properties:
      authConfigName: current
      containerAppName: myapp
      # Names of Container App secrets used to encrypt and sign tokens.
      encryptionSettings:
        containerAppAuthEncryptionSecretName: testEncryptionSecretName
        containerAppAuthSigningSecretName: testSigningSecretName
      # NOTE(review): AllowAnonymous does not block unauthenticated requests; the app must.
      globalValidation:
        unauthenticatedClientAction: AllowAnonymous
      identityProviders:
        facebook:
          registration:
            appId: '123'
            # Name of the secret that holds the Facebook app secret.
            appSecretSettingName: facebook-secret
      login:
        tokenStore:
          azureBlobStorage:
            # Container that will hold the tokens.
            blobContainerUri: https://test.blob.core.windows.net/container1
            # Resource ID of the user-assigned managed identity (placeholder subscription ID).
            # That identity needs Storage Blob Data Contributor on the container.
            managedIdentityResourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1
      platform:
        enabled: true
      resourceGroupName: rg1

This configuration mirrors the previous example but uses managedIdentityResourceId instead of clientId. The full resource ID provides explicit identity management and makes cross-subscription or cross-resource-group references clearer. Both approaches require the managed identity to have the Storage Blob Data Contributor role on the target container; assigning the role at the container scope, rather than on the whole storage account, keeps the identity's access limited to the token store.

Beyond these examples

These snippets focus on specific authentication configuration features: social identity provider integration, token encryption and storage, and managed identity authentication for Blob Storage. They’re intentionally minimal rather than full authentication solutions.

The examples reference pre-existing infrastructure such as Container Apps with defined secrets, Azure Blob Storage containers, and user-assigned managed identities with appropriate permissions. They focus on configuring authentication rather than provisioning the surrounding infrastructure.

To keep things focused, common authentication patterns are omitted, including:

  • Multiple identity providers (Google, Microsoft, Apple, Twitter)
  • Custom authentication flows and redirect URIs
  • HTTP settings for cookies and forwarded headers
  • Advanced validation rules and excluded paths

These omissions are intentional: the goal is to illustrate how each authentication feature is wired, not provide drop-in identity modules. See the ContainerAppsAuthConfig resource reference for all available configuration options.


Frequently Asked Questions

Configuration & Setup
How do I enable authentication for my Container App?
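Set platform.enabled to true in your auth config. This activates the authentication and authorization features. Whether unauthenticated requests are then blocked depends on globalValidation.unauthenticatedClientAction; with AllowAnonymous, as used in the examples above, they still reach the app.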
How do I configure an identity provider like Facebook?
Configure identityProviders.facebook.registration with your appId and appSecretSettingName that references the secret containing your Facebook app credentials.
Token Storage & Secrets
What's the difference between clientId and managedIdentityResourceId for blob storage token store?
Use clientId to specify a managed identity’s client ID directly (e.g., 00000000-0000-0000-0000-000000000000), or use managedIdentityResourceId to provide the full Azure resource ID of a user-assigned managed identity.
How do I reference secrets in my auth configuration?
Reference secrets by name using properties like appSecretSettingName for identity provider credentials, or containerAppAuthEncryptionSecretName and containerAppAuthSigningSecretName for encryption settings. These reference secrets stored in your Container App.
Immutability & API Versions
What properties can't be changed after creating the auth config?
The authConfigName, containerAppName, and resourceGroupName properties are immutable. Changing any of these requires recreating the resource.
How do I use a different API version for this resource?
Generate a local SDK package using the CLI command pulumi package add azure-native app [ApiVersion]. Available versions include 2022-10-01, 2023-05-01, 2024-03-01, and 2025-01-01, among others.
