Secret Reference Failures
Use this query to identify failures caused by missing secrets, invalid secret references, or Key Vault access problems.
Data Source
| Table | Schema Note |
ContainerAppSystemLogs_CL | Legacy schema. If empty, try ContainerAppSystemLogs (non-_CL). |
Query Pipeline
flowchart LR
A[Filter by app] --> B[Filter secret and Key Vault signals] --> C[Project reason and revision] --> D[Sort by time]
Query
let AppName = "my-container-app";
ContainerAppSystemLogs_CL
| where ContainerAppName_s == AppName
| where Log_s has_any ("secret", "secretRef", "KeyVault", "vault", "denied", "reference")
| project TimeGenerated, RevisionName_s, Reason_s, Log_s
| order by TimeGenerated desc
Example Output
| TimeGenerated | RevisionName_s | Reason_s | Log_s |
| 2026-04-04T11:50:06.302Z | ca-myapp--0000003 | RevisionUpdate | secretRef 'storage-conn' not found in revision template |
| 2026-04-04T11:50:06.301Z | ca-myapp--0000003 | RevisionUpdate | KeyVault reference resolution failed: access denied |
| 2026-04-04T11:49:58.820Z | ca-myapp--0000003 | ContainerAppUpdate | validating secret references before revision activation |
Interpretation Notes
- Secret reference errors during provisioning often block revision activation.
- Vault-related denied errors usually point to identity permission scope.
- Normal pattern: no secret errors after stable rollout.
Limitations
- Error string wording may vary by platform updates.
- Must correlate with
az containerapp secret list and identity checks.
See Also