A production-style cloud microservice built with FastAPI, Docker and Azure Container Apps. The service retrieves secrets securely from Azure Key Vault using Managed Identity and is automatically deployed via GitHub Actions CI/CD.
API : https://aca-hello-fastapi.politesand-7d1fea26.southeastasia.azurecontainerapps.io
Swagger Docs : https://aca-hello-fastapi.politesand-7d1fea26.southeastasia.azurecontainerapps.io/docs
Health Check : https://aca-hello-fastapi.politesand-7d1fea26.southeastasia.azurecontainerapps.io/health
Secret : https://aca-hello-fastapi.politesand-7d1fea26.southeastasia.azurecontainerapps.io/secret
FastAPI runs in Azure Container Apps and retrieves secrets securely from Azure Key Vault using Managed Identity. CI/CD is handled through GitHub Actions which builds and deploys the Docker container automatically.
- Python
- FastAPI
- Docker
- Azure Container Apps
- Azure Container Registry
- Azure Key Vault
- Managed Identity
- GitHub Actions CI/CD
`GET /`: Returns service status. Example response:

```json
{ "status": "ok", "message": "Hello from FastAPI on Azure Container Apps" }
```

`GET /health`: Used for monitoring and container health checks.

```json
{ "status": "healthy" }
```

`GET /secret`: Retrieves a secret from Azure Key Vault using Managed Identity.

```json
{ "secret_name": "sthello", "retrieved": true }
```
Deployment is automated using GitHub Actions.
Pipeline flow:
- Developer pushes code to GitHub
- GitHub Actions builds Docker image
- Image pushed to Azure Container Registry
- Azure Container Apps pulls new image
- New revision deployed automatically
Secrets are never stored in the codebase.
The application retrieves secrets securely using:
- Azure Managed Identity
- Azure Key Vault
This eliminates the need for credentials or connection strings inside the application.
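The sketch below is an added example, not this repository's code. It shows one way the `/secret` lookup can be written so that the response carries only the secret name and a flag, and so that a name breaking Key Vault's naming rules (the failure recorded in the challenges table) is rejected before any request is sent. `secret_status`, `build_client`, `FakeClient` and the invalid name `st_hello` are hypothetical names constructed for illustration; the real client comes from `azure-identity` and `azure-keyvault-secrets`.

```python
import logging
import re

log = logging.getLogger("secret_demo")

# Key Vault object names: 1-127 characters, ASCII letters, digits and hyphens only.
_NAME_RE = re.compile(r"[0-9A-Za-z-]{1,127}")


def is_valid_secret_name(name: str) -> bool:
    return isinstance(name, str) and _NAME_RE.fullmatch(name) is not None


def build_client(vault_url: str):
    """Create a Key Vault client authenticated by the app's managed identity."""
    # Imported lazily so the rest of the module can be tested without the Azure SDK.
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient
    return SecretClient(vault_url=vault_url, credential=ManagedIdentityCredential())


def secret_status(client, name: str) -> dict:
    """Return a /secret-style body: the name and a flag, never the value."""
    if not is_valid_secret_name(name):
        # Reject locally instead of sending a request Key Vault will refuse.
        return {"secret_name": name, "retrieved": False}
    try:
        secret = client.get_secret(name)
    except Exception as exc:  # the Azure SDK raises HttpResponseError subclasses
        # Log the error type only; messages may carry request details.
        log.warning("Key Vault lookup failed for %s: %s", name, type(exc).__name__)
        return {"secret_name": name, "retrieved": False}
    return {"secret_name": name, "retrieved": secret.value is not None}


class FakeClient:
    """Constructed stand-in for SecretClient so the example runs offline."""
    def __init__(self, store):
        self._store = store

    def get_secret(self, name):
        if name not in self._store:
            raise KeyError(name)
        return type("Secret", (), {"value": self._store[name]})()


if __name__ == "__main__":
    client = FakeClient({"sthello": "constructed-value"})
    for n in ("sthello", "st_hello", "missing"):
        print(secret_status(client, n))
```

In the deployed service, `build_client` would be called once with the vault URL and the resulting client passed to `secret_status` from the route handler.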
Install dependencies

```
pip install -r requirements.txt
```

Run application

```
uvicorn src.main:app --host 0.0.0.0 --port 8000
```
During development several cloud, container and CI/CD integration issues were encountered.
The following table summarizes the key engineering challenges and how they were resolved.
| Problem | Solution |
| --- | --- |
| Docker build failed due to incorrect build context | Updated GitHub Actions workflow to build using the correct ./app directory |
| Container App deployment failed in CI/CD | Corrected resource group and container app name in deployment configuration |
| Key Vault secret retrieval failed due to invalid name | Renamed secret to follow Azure Key Vault naming rules |
| Secure secret management without credentials | Implemented Azure Managed Identity for Container App to access Key Vault |
- Add Terraform for infrastructure as code
- Implement Azure Monitor / Log Analytics
- Add rate limiting and authentication
- Add unit and integration tests