The azure-native:app:ContainerAppsAuthConfig resource, part of the Pulumi Azure Native provider, configures authentication and authorization for Azure Container Apps: identity providers, token storage, and validation rules. This guide focuses on three capabilities: social identity provider integration, token persistence in Blob Storage, and managed identity authentication.
Authentication configs attach to existing Container Apps and reference social provider registrations, Blob Storage containers, and managed identities. The examples are intentionally small. Combine them with your own Container App infrastructure and identity configuration.
Enable authentication with a social identity provider
Container Apps often need to authenticate users through social providers like Facebook, Google, or Microsoft accounts without building custom authentication flows.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Names of the secrets that hold the auth encryption and signing keys.
const encryptionSettings = {
    containerAppAuthEncryptionSecretName: "testEncryptionSecretName",
    containerAppAuthSigningSecretName: "testSigningSecretName",
};

// Facebook registration. appSecretSettingName is the name of a secret defined
// on the Container App; the secret value itself never appears in this program.
const facebook = {
    registration: {
        appId: "123",
        appSecretSettingName: "facebook-secret",
    },
};

// AllowAnonymous lets unauthenticated requests through to the app, so routes
// that need a signed-in user have to be checked by the app itself.
const globalValidation = {
    unauthenticatedClientAction: azure_native.app.UnauthenticatedClientActionV2.AllowAnonymous,
};

// Auth config attached to the existing Container App "testcanadacentral".
const containerAppsAuthConfig = new azure_native.app.ContainerAppsAuthConfig("containerAppsAuthConfig", {
    resourceGroupName: "workerapps-rg-xj",
    containerAppName: "testcanadacentral",
    authConfigName: "current",
    platform: { enabled: true },
    globalValidation,
    identityProviders: { facebook },
    encryptionSettings,
});
import pulumi
import pulumi_azure_native as azure_native
# Names of the secrets that hold the auth encryption and signing keys.
encryption_settings = {
    "container_app_auth_encryption_secret_name": "testEncryptionSecretName",
    "container_app_auth_signing_secret_name": "testSigningSecretName",
}

# Facebook registration. app_secret_setting_name is the name of a secret defined
# on the Container App; the secret value itself never appears in this program.
facebook_provider = {
    "registration": {
        "app_id": "123",
        "app_secret_setting_name": "facebook-secret",
    },
}

# ALLOW_ANONYMOUS lets unauthenticated requests through to the app, so routes
# that need a signed-in user have to be checked by the app itself.
global_validation = {
    "unauthenticated_client_action": azure_native.app.UnauthenticatedClientActionV2.ALLOW_ANONYMOUS,
}

# Auth config attached to the existing Container App "testcanadacentral".
container_apps_auth_config = azure_native.app.ContainerAppsAuthConfig(
    "containerAppsAuthConfig",
    resource_group_name="workerapps-rg-xj",
    container_app_name="testcanadacentral",
    auth_config_name="current",
    platform={"enabled": True},
    global_validation=global_validation,
    identity_providers={"facebook": facebook_provider},
    encryption_settings=encryption_settings,
)
package main
import (
app "github.com/pulumi/pulumi-azure-native-sdk/app/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one ContainerAppsAuthConfig that enables the auth platform on
// the existing Container App "testcanadacentral" with Facebook as the provider.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Names of the secrets that hold the encryption and signing keys.
		encryption := &app.EncryptionSettingsArgs{
			ContainerAppAuthEncryptionSecretName: pulumi.String("testEncryptionSecretName"),
			ContainerAppAuthSigningSecretName:    pulumi.String("testSigningSecretName"),
		}

		// AppSecretSettingName is the name of a Container App secret, not its value.
		providers := &app.IdentityProvidersArgs{
			Facebook: &app.FacebookArgs{
				Registration: &app.AppRegistrationArgs{
					AppId:                pulumi.String("123"),
					AppSecretSettingName: pulumi.String("facebook-secret"),
				},
			},
		}

		// AllowAnonymous lets unauthenticated requests through to the app, so
		// routes that need a signed-in user have to be checked by the app itself.
		validation := &app.GlobalValidationArgs{
			UnauthenticatedClientAction: app.UnauthenticatedClientActionV2AllowAnonymous,
		}

		args := &app.ContainerAppsAuthConfigArgs{
			ResourceGroupName:  pulumi.String("workerapps-rg-xj"),
			ContainerAppName:   pulumi.String("testcanadacentral"),
			AuthConfigName:     pulumi.String("current"),
			Platform:           &app.AuthPlatformArgs{Enabled: pulumi.Bool(true)},
			GlobalValidation:   validation,
			IdentityProviders:  providers,
			EncryptionSettings: encryption,
		}

		_, err := app.NewContainerAppsAuthConfig(ctx, "containerAppsAuthConfig", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Enables the auth platform on the existing Container App "testcanadacentral"
// with Facebook as the identity provider.
return await Deployment.RunAsync(() =>
{
    // Names of the secrets that hold the encryption and signing keys.
    var encryption = new AzureNative.App.Inputs.EncryptionSettingsArgs
    {
        ContainerAppAuthEncryptionSecretName = "testEncryptionSecretName",
        ContainerAppAuthSigningSecretName = "testSigningSecretName",
    };

    // AppSecretSettingName is the name of a Container App secret, not its value.
    var providers = new AzureNative.App.Inputs.IdentityProvidersArgs
    {
        Facebook = new AzureNative.App.Inputs.FacebookArgs
        {
            Registration = new AzureNative.App.Inputs.AppRegistrationArgs
            {
                AppId = "123",
                AppSecretSettingName = "facebook-secret",
            },
        },
    };

    // AllowAnonymous lets unauthenticated requests through to the app, so routes
    // that need a signed-in user have to be checked by the app itself.
    var validation = new AzureNative.App.Inputs.GlobalValidationArgs
    {
        UnauthenticatedClientAction = AzureNative.App.UnauthenticatedClientActionV2.AllowAnonymous,
    };

    var authConfig = new AzureNative.App.ContainerAppsAuthConfig("containerAppsAuthConfig", new()
    {
        ResourceGroupName = "workerapps-rg-xj",
        ContainerAppName = "testcanadacentral",
        AuthConfigName = "current",
        Platform = new AzureNative.App.Inputs.AuthPlatformArgs
        {
            Enabled = true,
        },
        GlobalValidation = validation,
        IdentityProviders = providers,
        EncryptionSettings = encryption,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.app.ContainerAppsAuthConfig;
import com.pulumi.azurenative.app.ContainerAppsAuthConfigArgs;
import com.pulumi.azurenative.app.inputs.EncryptionSettingsArgs;
import com.pulumi.azurenative.app.inputs.GlobalValidationArgs;
import com.pulumi.azurenative.app.inputs.IdentityProvidersArgs;
import com.pulumi.azurenative.app.inputs.FacebookArgs;
import com.pulumi.azurenative.app.inputs.AppRegistrationArgs;
import com.pulumi.azurenative.app.inputs.AuthPlatformArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that enables the auth platform on the existing Container App
 * "testcanadacentral" with Facebook as the identity provider.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the ContainerAppsAuthConfig resource.
     *
     * @param ctx Pulumi context supplied by {@code Pulumi.run}; not read here
     */
    public static void stack(Context ctx) {
        // Names of the secrets that hold the encryption and signing keys.
        var encryption = EncryptionSettingsArgs.builder()
            .containerAppAuthEncryptionSecretName("testEncryptionSecretName")
            .containerAppAuthSigningSecretName("testSigningSecretName")
            .build();

        // appSecretSettingName is the name of a Container App secret, not its value.
        var registration = AppRegistrationArgs.builder()
            .appId("123")
            .appSecretSettingName("facebook-secret")
            .build();
        var providers = IdentityProvidersArgs.builder()
            .facebook(FacebookArgs.builder().registration(registration).build())
            .build();

        // AllowAnonymous lets unauthenticated requests through to the app, so routes
        // that need a signed-in user have to be checked by the app itself.
        var validation = GlobalValidationArgs.builder()
            .unauthenticatedClientAction("AllowAnonymous")
            .build();

        var settings = ContainerAppsAuthConfigArgs.builder()
            .resourceGroupName("workerapps-rg-xj")
            .containerAppName("testcanadacentral")
            .authConfigName("current")
            .platform(AuthPlatformArgs.builder().enabled(true).build())
            .globalValidation(validation)
            .identityProviders(providers)
            .encryptionSettings(encryption)
            .build();

        var authConfig = new ContainerAppsAuthConfig("containerAppsAuthConfig", settings);
    }
}
# Auth config for the existing Container App "testcanadacentral", Facebook provider.
resources:
  containerAppsAuthConfig:
    type: azure-native:app:ContainerAppsAuthConfig
    properties:
      resourceGroupName: workerapps-rg-xj
      containerAppName: testcanadacentral
      authConfigName: current
      platform:
        enabled: true
      # AllowAnonymous lets unauthenticated requests through to the app, so routes
      # that need a signed-in user have to be checked by the app itself.
      globalValidation:
        unauthenticatedClientAction: AllowAnonymous
      identityProviders:
        facebook:
          registration:
            appId: "123"
            # Name of a Container App secret, not the secret value.
            appSecretSettingName: facebook-secret
      # Names of the secrets that hold the encryption and signing keys.
      encryptionSettings:
        containerAppAuthEncryptionSecretName: testEncryptionSecretName
        containerAppAuthSigningSecretName: testSigningSecretName
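The platform property enables the authentication feature. The identityProviders block configures Facebook authentication by referencing an app ID and a secret stored in the Container App’s secrets. The globalValidation property controls what happens to unauthenticated requests; AllowAnonymous allows public access while still making authentication available. Under AllowAnonymous the platform does not reject unauthenticated requests, so any route that requires a signed-in user must be checked by the application itself; the other UnauthenticatedClientActionV2 values (RedirectToLoginPage, Return401, Return403) turn such requests away before they reach the app. The appSecretSettingName must match a secret name defined in your Container App.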
Store authentication tokens in Blob Storage with client ID
Applications that need to persist user sessions across container restarts or scale events can store authentication tokens in Azure Blob Storage using managed identity authentication.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Names of the secrets that hold the auth encryption and signing keys.
const encryptionSettings = {
    containerAppAuthEncryptionSecretName: "testEncryptionSecretName",
    containerAppAuthSigningSecretName: "testSigningSecretName",
};

// appSecretSettingName is the name of a Container App secret, not its value.
const facebook = {
    registration: {
        appId: "123",
        appSecretSettingName: "facebook-secret",
    },
};

// Tokens are persisted in this blob container. clientId selects the managed
// identity used to reach it; that identity needs Storage Blob Data Contributor
// on the target container.
const tokenStore = {
    azureBlobStorage: {
        blobContainerUri: "https://test.blob.core.windows.net/container1",
        clientId: "00000000-0000-0000-0000-000000000000",
    },
};

const containerAppsAuthConfig = new azure_native.app.ContainerAppsAuthConfig("containerAppsAuthConfig", {
    resourceGroupName: "rg1",
    containerAppName: "myapp",
    authConfigName: "current",
    platform: { enabled: true },
    // AllowAnonymous lets unauthenticated requests through to the app.
    globalValidation: {
        unauthenticatedClientAction: azure_native.app.UnauthenticatedClientActionV2.AllowAnonymous,
    },
    identityProviders: { facebook },
    login: { tokenStore },
    encryptionSettings,
});
import pulumi
import pulumi_azure_native as azure_native
# Names of the secrets that hold the auth encryption and signing keys.
encryption_settings = {
    "container_app_auth_encryption_secret_name": "testEncryptionSecretName",
    "container_app_auth_signing_secret_name": "testSigningSecretName",
}

# app_secret_setting_name is the name of a Container App secret, not its value.
facebook_provider = {
    "registration": {
        "app_id": "123",
        "app_secret_setting_name": "facebook-secret",
    },
}

# Tokens are persisted in this blob container. client_id selects the managed
# identity used to reach it; that identity needs Storage Blob Data Contributor
# on the target container.
token_store = {
    "azure_blob_storage": {
        "blob_container_uri": "https://test.blob.core.windows.net/container1",
        "client_id": "00000000-0000-0000-0000-000000000000",
    },
}

container_apps_auth_config = azure_native.app.ContainerAppsAuthConfig(
    "containerAppsAuthConfig",
    resource_group_name="rg1",
    container_app_name="myapp",
    auth_config_name="current",
    platform={"enabled": True},
    # ALLOW_ANONYMOUS lets unauthenticated requests through to the app.
    global_validation={
        "unauthenticated_client_action": azure_native.app.UnauthenticatedClientActionV2.ALLOW_ANONYMOUS,
    },
    identity_providers={"facebook": facebook_provider},
    login={"token_store": token_store},
    encryption_settings=encryption_settings,
)
package main
import (
app "github.com/pulumi/pulumi-azure-native-sdk/app/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one ContainerAppsAuthConfig for the Container App "myapp" that
// persists auth tokens in Blob Storage, reached with a managed identity's client ID.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Names of the secrets that hold the encryption and signing keys.
		encryption := &app.EncryptionSettingsArgs{
			ContainerAppAuthEncryptionSecretName: pulumi.String("testEncryptionSecretName"),
			ContainerAppAuthSigningSecretName:    pulumi.String("testSigningSecretName"),
		}

		// AppSecretSettingName is the name of a Container App secret, not its value.
		providers := &app.IdentityProvidersArgs{
			Facebook: &app.FacebookArgs{
				Registration: &app.AppRegistrationArgs{
					AppId:                pulumi.String("123"),
					AppSecretSettingName: pulumi.String("facebook-secret"),
				},
			},
		}

		// The identity behind ClientId needs Storage Blob Data Contributor on
		// the target container.
		login := &app.LoginArgs{
			TokenStore: &app.TokenStoreArgs{
				AzureBlobStorage: &app.BlobStorageTokenStoreArgs{
					BlobContainerUri: pulumi.String("https://test.blob.core.windows.net/container1"),
					ClientId:         pulumi.String("00000000-0000-0000-0000-000000000000"),
				},
			},
		}

		args := &app.ContainerAppsAuthConfigArgs{
			ResourceGroupName: pulumi.String("rg1"),
			ContainerAppName:  pulumi.String("myapp"),
			AuthConfigName:    pulumi.String("current"),
			Platform:          &app.AuthPlatformArgs{Enabled: pulumi.Bool(true)},
			// AllowAnonymous lets unauthenticated requests through to the app.
			GlobalValidation: &app.GlobalValidationArgs{
				UnauthenticatedClientAction: app.UnauthenticatedClientActionV2AllowAnonymous,
			},
			IdentityProviders:  providers,
			Login:              login,
			EncryptionSettings: encryption,
		}

		_, err := app.NewContainerAppsAuthConfig(ctx, "containerAppsAuthConfig", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Auth config for the Container App "myapp" that persists auth tokens in Blob
// Storage, reached with a managed identity's client ID.
return await Deployment.RunAsync(() =>
{
    // Names of the secrets that hold the encryption and signing keys.
    var encryption = new AzureNative.App.Inputs.EncryptionSettingsArgs
    {
        ContainerAppAuthEncryptionSecretName = "testEncryptionSecretName",
        ContainerAppAuthSigningSecretName = "testSigningSecretName",
    };

    // AppSecretSettingName is the name of a Container App secret, not its value.
    var providers = new AzureNative.App.Inputs.IdentityProvidersArgs
    {
        Facebook = new AzureNative.App.Inputs.FacebookArgs
        {
            Registration = new AzureNative.App.Inputs.AppRegistrationArgs
            {
                AppId = "123",
                AppSecretSettingName = "facebook-secret",
            },
        },
    };

    // The identity behind ClientId needs Storage Blob Data Contributor on the
    // target container.
    var login = new AzureNative.App.Inputs.LoginArgs
    {
        TokenStore = new AzureNative.App.Inputs.TokenStoreArgs
        {
            AzureBlobStorage = new AzureNative.App.Inputs.BlobStorageTokenStoreArgs
            {
                BlobContainerUri = "https://test.blob.core.windows.net/container1",
                ClientId = "00000000-0000-0000-0000-000000000000",
            },
        },
    };

    var authConfig = new AzureNative.App.ContainerAppsAuthConfig("containerAppsAuthConfig", new()
    {
        ResourceGroupName = "rg1",
        ContainerAppName = "myapp",
        AuthConfigName = "current",
        Platform = new AzureNative.App.Inputs.AuthPlatformArgs
        {
            Enabled = true,
        },
        // AllowAnonymous lets unauthenticated requests through to the app.
        GlobalValidation = new AzureNative.App.Inputs.GlobalValidationArgs
        {
            UnauthenticatedClientAction = AzureNative.App.UnauthenticatedClientActionV2.AllowAnonymous,
        },
        IdentityProviders = providers,
        Login = login,
        EncryptionSettings = encryption,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.app.ContainerAppsAuthConfig;
import com.pulumi.azurenative.app.ContainerAppsAuthConfigArgs;
import com.pulumi.azurenative.app.inputs.EncryptionSettingsArgs;
import com.pulumi.azurenative.app.inputs.GlobalValidationArgs;
import com.pulumi.azurenative.app.inputs.IdentityProvidersArgs;
import com.pulumi.azurenative.app.inputs.FacebookArgs;
import com.pulumi.azurenative.app.inputs.AppRegistrationArgs;
import com.pulumi.azurenative.app.inputs.LoginArgs;
import com.pulumi.azurenative.app.inputs.TokenStoreArgs;
import com.pulumi.azurenative.app.inputs.BlobStorageTokenStoreArgs;
import com.pulumi.azurenative.app.inputs.AuthPlatformArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that configures auth for the Container App "myapp" and persists
 * auth tokens in Blob Storage, reached with a managed identity's client ID.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the ContainerAppsAuthConfig resource.
     *
     * @param ctx Pulumi context supplied by {@code Pulumi.run}; not read here
     */
    public static void stack(Context ctx) {
        // Names of the secrets that hold the encryption and signing keys.
        var encryption = EncryptionSettingsArgs.builder()
            .containerAppAuthEncryptionSecretName("testEncryptionSecretName")
            .containerAppAuthSigningSecretName("testSigningSecretName")
            .build();

        // appSecretSettingName is the name of a Container App secret, not its value.
        var registration = AppRegistrationArgs.builder()
            .appId("123")
            .appSecretSettingName("facebook-secret")
            .build();
        var providers = IdentityProvidersArgs.builder()
            .facebook(FacebookArgs.builder().registration(registration).build())
            .build();

        // The identity behind clientId needs Storage Blob Data Contributor on the
        // target container.
        var blobStore = BlobStorageTokenStoreArgs.builder()
            .blobContainerUri("https://test.blob.core.windows.net/container1")
            .clientId("00000000-0000-0000-0000-000000000000")
            .build();
        var login = LoginArgs.builder()
            .tokenStore(TokenStoreArgs.builder().azureBlobStorage(blobStore).build())
            .build();

        // AllowAnonymous lets unauthenticated requests through to the app.
        var validation = GlobalValidationArgs.builder()
            .unauthenticatedClientAction("AllowAnonymous")
            .build();

        var settings = ContainerAppsAuthConfigArgs.builder()
            .resourceGroupName("rg1")
            .containerAppName("myapp")
            .authConfigName("current")
            .platform(AuthPlatformArgs.builder().enabled(true).build())
            .globalValidation(validation)
            .identityProviders(providers)
            .login(login)
            .encryptionSettings(encryption)
            .build();

        var authConfig = new ContainerAppsAuthConfig("containerAppsAuthConfig", settings);
    }
}
# Auth config for the Container App "myapp"; tokens are persisted in Blob Storage.
resources:
  containerAppsAuthConfig:
    type: azure-native:app:ContainerAppsAuthConfig
    properties:
      resourceGroupName: rg1
      containerAppName: myapp
      authConfigName: current
      platform:
        enabled: true
      # AllowAnonymous lets unauthenticated requests through to the app.
      globalValidation:
        unauthenticatedClientAction: AllowAnonymous
      identityProviders:
        facebook:
          registration:
            appId: "123"
            # Name of a Container App secret, not the secret value.
            appSecretSettingName: facebook-secret
      login:
        tokenStore:
          # The identity behind clientId needs Storage Blob Data Contributor
          # on the target container.
          azureBlobStorage:
            blobContainerUri: https://test.blob.core.windows.net/container1
            clientId: 00000000-0000-0000-0000-000000000000
      # Names of the secrets that hold the encryption and signing keys.
      encryptionSettings:
        containerAppAuthEncryptionSecretName: testEncryptionSecretName
        containerAppAuthSigningSecretName: testSigningSecretName
The login.tokenStore property configures where authentication tokens are stored. The azureBlobStorage block points to a Blob Storage container and uses a managed identity’s client ID for authentication. This approach requires a system-assigned or user-assigned managed identity on your Container App with Storage Blob Data Contributor permissions on the target container. Because that container holds users’ authentication tokens, keep it private and grant the role only to the identity the auth config uses. Tokens persist across container restarts and scale operations.
Store authentication tokens using managed identity resource ID
When using user-assigned managed identities, you can specify the full resource ID instead of the client ID for more explicit identity selection.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Names of the secrets that hold the auth encryption and signing keys.
const encryptionSettings = {
    containerAppAuthEncryptionSecretName: "testEncryptionSecretName",
    containerAppAuthSigningSecretName: "testSigningSecretName",
};

// appSecretSettingName is the name of a Container App secret, not its value.
const facebook = {
    registration: {
        appId: "123",
        appSecretSettingName: "facebook-secret",
    },
};

// managedIdentityResourceId names the user-assigned identity by its full
// resource ID, which pins the choice when the app has several identities. It
// still needs Storage Blob Data Contributor on the target container.
const tokenStore = {
    azureBlobStorage: {
        blobContainerUri: "https://test.blob.core.windows.net/container1",
        managedIdentityResourceId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1",
    },
};

const containerAppsAuthConfig = new azure_native.app.ContainerAppsAuthConfig("containerAppsAuthConfig", {
    resourceGroupName: "rg1",
    containerAppName: "myapp",
    authConfigName: "current",
    platform: { enabled: true },
    // AllowAnonymous lets unauthenticated requests through to the app.
    globalValidation: {
        unauthenticatedClientAction: azure_native.app.UnauthenticatedClientActionV2.AllowAnonymous,
    },
    identityProviders: { facebook },
    login: { tokenStore },
    encryptionSettings,
});
import pulumi
import pulumi_azure_native as azure_native
# Names of the secrets that hold the auth encryption and signing keys.
encryption_settings = {
    "container_app_auth_encryption_secret_name": "testEncryptionSecretName",
    "container_app_auth_signing_secret_name": "testSigningSecretName",
}

# app_secret_setting_name is the name of a Container App secret, not its value.
facebook_provider = {
    "registration": {
        "app_id": "123",
        "app_secret_setting_name": "facebook-secret",
    },
}

# managed_identity_resource_id names the user-assigned identity by its full
# resource ID, which pins the choice when the app has several identities. It
# still needs Storage Blob Data Contributor on the target container.
token_store = {
    "azure_blob_storage": {
        "blob_container_uri": "https://test.blob.core.windows.net/container1",
        "managed_identity_resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1",
    },
}

container_apps_auth_config = azure_native.app.ContainerAppsAuthConfig(
    "containerAppsAuthConfig",
    resource_group_name="rg1",
    container_app_name="myapp",
    auth_config_name="current",
    platform={"enabled": True},
    # ALLOW_ANONYMOUS lets unauthenticated requests through to the app.
    global_validation={
        "unauthenticated_client_action": azure_native.app.UnauthenticatedClientActionV2.ALLOW_ANONYMOUS,
    },
    identity_providers={"facebook": facebook_provider},
    login={"token_store": token_store},
    encryption_settings=encryption_settings,
)
package main
import (
app "github.com/pulumi/pulumi-azure-native-sdk/app/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one ContainerAppsAuthConfig for the Container App "myapp" that
// persists auth tokens in Blob Storage, selecting the identity by resource ID.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Names of the secrets that hold the encryption and signing keys.
		encryption := &app.EncryptionSettingsArgs{
			ContainerAppAuthEncryptionSecretName: pulumi.String("testEncryptionSecretName"),
			ContainerAppAuthSigningSecretName:    pulumi.String("testSigningSecretName"),
		}

		// AppSecretSettingName is the name of a Container App secret, not its value.
		providers := &app.IdentityProvidersArgs{
			Facebook: &app.FacebookArgs{
				Registration: &app.AppRegistrationArgs{
					AppId:                pulumi.String("123"),
					AppSecretSettingName: pulumi.String("facebook-secret"),
				},
			},
		}

		// ManagedIdentityResourceId names the user-assigned identity explicitly;
		// it still needs Storage Blob Data Contributor on the target container.
		login := &app.LoginArgs{
			TokenStore: &app.TokenStoreArgs{
				AzureBlobStorage: &app.BlobStorageTokenStoreArgs{
					BlobContainerUri:          pulumi.String("https://test.blob.core.windows.net/container1"),
					ManagedIdentityResourceId: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1"),
				},
			},
		}

		args := &app.ContainerAppsAuthConfigArgs{
			ResourceGroupName: pulumi.String("rg1"),
			ContainerAppName:  pulumi.String("myapp"),
			AuthConfigName:    pulumi.String("current"),
			Platform:          &app.AuthPlatformArgs{Enabled: pulumi.Bool(true)},
			// AllowAnonymous lets unauthenticated requests through to the app.
			GlobalValidation: &app.GlobalValidationArgs{
				UnauthenticatedClientAction: app.UnauthenticatedClientActionV2AllowAnonymous,
			},
			IdentityProviders:  providers,
			Login:              login,
			EncryptionSettings: encryption,
		}

		_, err := app.NewContainerAppsAuthConfig(ctx, "containerAppsAuthConfig", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Auth config for the Container App "myapp" that persists auth tokens in Blob
// Storage, selecting the user-assigned identity by its full resource ID.
return await Deployment.RunAsync(() =>
{
    // Names of the secrets that hold the encryption and signing keys.
    var encryption = new AzureNative.App.Inputs.EncryptionSettingsArgs
    {
        ContainerAppAuthEncryptionSecretName = "testEncryptionSecretName",
        ContainerAppAuthSigningSecretName = "testSigningSecretName",
    };

    // AppSecretSettingName is the name of a Container App secret, not its value.
    var providers = new AzureNative.App.Inputs.IdentityProvidersArgs
    {
        Facebook = new AzureNative.App.Inputs.FacebookArgs
        {
            Registration = new AzureNative.App.Inputs.AppRegistrationArgs
            {
                AppId = "123",
                AppSecretSettingName = "facebook-secret",
            },
        },
    };

    // ManagedIdentityResourceId names the user-assigned identity explicitly; it
    // still needs Storage Blob Data Contributor on the target container.
    var login = new AzureNative.App.Inputs.LoginArgs
    {
        TokenStore = new AzureNative.App.Inputs.TokenStoreArgs
        {
            AzureBlobStorage = new AzureNative.App.Inputs.BlobStorageTokenStoreArgs
            {
                BlobContainerUri = "https://test.blob.core.windows.net/container1",
                ManagedIdentityResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1",
            },
        },
    };

    var authConfig = new AzureNative.App.ContainerAppsAuthConfig("containerAppsAuthConfig", new()
    {
        ResourceGroupName = "rg1",
        ContainerAppName = "myapp",
        AuthConfigName = "current",
        Platform = new AzureNative.App.Inputs.AuthPlatformArgs
        {
            Enabled = true,
        },
        // AllowAnonymous lets unauthenticated requests through to the app.
        GlobalValidation = new AzureNative.App.Inputs.GlobalValidationArgs
        {
            UnauthenticatedClientAction = AzureNative.App.UnauthenticatedClientActionV2.AllowAnonymous,
        },
        IdentityProviders = providers,
        Login = login,
        EncryptionSettings = encryption,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.app.ContainerAppsAuthConfig;
import com.pulumi.azurenative.app.ContainerAppsAuthConfigArgs;
import com.pulumi.azurenative.app.inputs.EncryptionSettingsArgs;
import com.pulumi.azurenative.app.inputs.GlobalValidationArgs;
import com.pulumi.azurenative.app.inputs.IdentityProvidersArgs;
import com.pulumi.azurenative.app.inputs.FacebookArgs;
import com.pulumi.azurenative.app.inputs.AppRegistrationArgs;
import com.pulumi.azurenative.app.inputs.LoginArgs;
import com.pulumi.azurenative.app.inputs.TokenStoreArgs;
import com.pulumi.azurenative.app.inputs.BlobStorageTokenStoreArgs;
import com.pulumi.azurenative.app.inputs.AuthPlatformArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that configures auth for the Container App "myapp" and persists
 * auth tokens in Blob Storage, selecting the user-assigned identity by resource ID.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the ContainerAppsAuthConfig resource.
     *
     * @param ctx Pulumi context supplied by {@code Pulumi.run}; not read here
     */
    public static void stack(Context ctx) {
        // Names of the secrets that hold the encryption and signing keys.
        var encryption = EncryptionSettingsArgs.builder()
            .containerAppAuthEncryptionSecretName("testEncryptionSecretName")
            .containerAppAuthSigningSecretName("testSigningSecretName")
            .build();

        // appSecretSettingName is the name of a Container App secret, not its value.
        var registration = AppRegistrationArgs.builder()
            .appId("123")
            .appSecretSettingName("facebook-secret")
            .build();
        var providers = IdentityProvidersArgs.builder()
            .facebook(FacebookArgs.builder().registration(registration).build())
            .build();

        // managedIdentityResourceId names the user-assigned identity explicitly; it
        // still needs Storage Blob Data Contributor on the target container.
        var blobStore = BlobStorageTokenStoreArgs.builder()
            .blobContainerUri("https://test.blob.core.windows.net/container1")
            .managedIdentityResourceId("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1")
            .build();
        var login = LoginArgs.builder()
            .tokenStore(TokenStoreArgs.builder().azureBlobStorage(blobStore).build())
            .build();

        // AllowAnonymous lets unauthenticated requests through to the app.
        var validation = GlobalValidationArgs.builder()
            .unauthenticatedClientAction("AllowAnonymous")
            .build();

        var settings = ContainerAppsAuthConfigArgs.builder()
            .resourceGroupName("rg1")
            .containerAppName("myapp")
            .authConfigName("current")
            .platform(AuthPlatformArgs.builder().enabled(true).build())
            .globalValidation(validation)
            .identityProviders(providers)
            .login(login)
            .encryptionSettings(encryption)
            .build();

        var authConfig = new ContainerAppsAuthConfig("containerAppsAuthConfig", settings);
    }
}
# Auth config for the Container App "myapp"; tokens are persisted in Blob Storage
# and the user-assigned identity is selected by its full resource ID.
resources:
  containerAppsAuthConfig:
    type: azure-native:app:ContainerAppsAuthConfig
    properties:
      resourceGroupName: rg1
      containerAppName: myapp
      authConfigName: current
      platform:
        enabled: true
      # AllowAnonymous lets unauthenticated requests through to the app.
      globalValidation:
        unauthenticatedClientAction: AllowAnonymous
      identityProviders:
        facebook:
          registration:
            appId: "123"
            # Name of a Container App secret, not the secret value.
            appSecretSettingName: facebook-secret
      login:
        tokenStore:
          # The identity still needs Storage Blob Data Contributor on the
          # target container.
          azureBlobStorage:
            blobContainerUri: https://test.blob.core.windows.net/container1
            managedIdentityResourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1
      # Names of the secrets that hold the encryption and signing keys.
      encryptionSettings:
        containerAppAuthEncryptionSecretName: testEncryptionSecretName
        containerAppAuthSigningSecretName: testSigningSecretName
The managedIdentityResourceId property provides an alternative to clientId by specifying the full Azure resource path to a user-assigned managed identity. This approach is useful when your Container App has multiple user-assigned identities and you need to explicitly select which one accesses Blob Storage. The identity must still have Storage Blob Data Contributor permissions on the target container.
Beyond these examples
These snippets focus on specific authentication configuration features: social identity provider integration, token storage in Blob Storage, and managed identity authentication methods. They’re intentionally minimal rather than full authentication solutions.
The examples reference pre-existing infrastructure such as Container Apps with configured secrets, Azure Blob Storage containers, managed identities (system-assigned or user-assigned), and social provider app registrations (Facebook, etc.). They focus on configuring authentication rather than provisioning the underlying infrastructure.
To keep things focused, common authentication patterns are omitted, including:
- Multiple identity providers (Google, Microsoft, Apple, Twitter)
- Custom authentication providers (OpenID Connect)
- HTTP settings and redirect configuration
- Advanced validation rules and excluded paths
These omissions are intentional: the goal is to illustrate how each authentication feature is wired, not provide drop-in authentication modules. See the ContainerAppsAuthConfig resource reference for all available configuration options.
Frequently Asked Questions
Immutability & Resource Naming
authConfigName, containerAppName, and resourceGroupName are immutable. Changing them requires recreating the resource.
Authentication & Platform Configuration
Set platform.enabled to true in your configuration. This activates the authentication/authorization platform.
Set globalValidation.unauthenticatedClientAction to specify the behavior. For example, set it to AllowAnonymous to permit unauthenticated access.
Identity Providers & Secrets
Configure identityProviders.facebook.registration with appId and appSecretSettingName. The appSecretSettingName should reference a secret containing your Facebook app secret.
Use appSecretSettingName in the identity provider registration to reference a secret name. The actual secret value is stored separately in your Container App’s secrets.
Configure encryptionSettings with containerAppAuthEncryptionSecretName and containerAppAuthSigningSecretName to reference secrets for encryption and signing keys.
Token Storage & Blob Configuration
Configure login.tokenStore.azureBlobStorage with blobContainerUri and either clientId or managedIdentityResourceId for authentication.
Use clientId with a managed identity’s client ID (e.g., 00000000-0000-0000-0000-000000000000), or use managedIdentityResourceId with the full resource ID of a user-assigned managed identity.
API Versions & Compatibility
pulumi package add azure-native app [ApiVersion]. Available versions include 2022-10-01, 2023-05-01, 2024-03-01, and others listed in the schema.