How to set up an Azure Container Instance (Linux, Windows) to run Python & pull secrets from KeyVault

My GitHub repo shows how to use Azure Container Instance to execute a Python script. It also shows how to build the container image that runs the Python in both Windows & Linux. In addition, it shows how to pull a connection string from KeyVault and make it available to the running container code. Finally, it shows how to set up an Azure Logic App to run this container on a schedule.

Disclaimer

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Prerequisites

• Docker Desktop for Windows
• Azure CLI
• Azure subscription & resource group
• Python 3.8 or greater

Review the container instance running in Azure

1. Navigate to the Azure portal and navigate to your subscription & resource group.
2. Click on one of the Azure Container Instance instances.
3. On the Containers tab, you can see that the container is now terminated (since it ran to completion).
4. Click on the Logs tab to see the logs the container generated as it ran. These should match the values that were output by the Python script when running locally.

1. Click on the Properties tab to see the container instance properties, including the environment variable that stores the storage account connection string that was retrieved from the Key Vault.

How to get the storage account connection string secret from the Key Vault into the Azure Container Instance

We need the Python code running inside the Container Instance to be able to access the storage account connection string. We can get the storage account connection string secret from the KeyVault and store it in an environment variable. Normally, this would be done by using a managed identity that has access to the KeyVault, but Windows container instances can’t use managed identity at this time (and it is in preview for Linux containers).

Therefore, we can pull this secret at deployment time as part of the Azure Resource Manager deployment. ARM will pull the secret and store the value as an environment variable in the container instance.

Review the Logic App

1. Navigate to the Azure portal and navigate to your subscription & resource group.
2. Click on the Logic App resource.
3. The first execution is likely to have failed because the aci connection was not initialized on initial deployment. Re-run the Logic App to ensure it runs. Click on the Run Trigger->Run button on the Overview blade.
4. Click on the most recent run on the Runs history tab on the Overview blade.

This Logic App will run once per day and start the Azure Container Instance.

Links

• Azure Container Instance
• Docker commands
• Azure Logic Apps