From 4854dd4a7f9b9ec0b994af95076b26f4d3d9eeaf Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 1 May 2026 09:56:09 +0000 Subject: [PATCH 1/2] Initial plan From b50ad56ebbe37123dfabd62a906c5bfe68bef2cd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 1 May 2026 09:58:05 +0000 Subject: [PATCH 2/2] docs: replace STORAGE_ACCOUNT_KEY export with inline command substitution The guide previously exported the storage account key into the shell environment in three places (Step 2, Step 6 blob creation, Step 6 Option A). Exported variables are visible via `env`, crash dumps, and shell-history tooling, all of which are undesirable for a high-value secret. All three occurrences are now rewritten to use inline command substitution directly on the `az` argument, so the key value is never placed in a named shell variable at all. Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/4e335591-6a37-479b-a7a5-b099b3ac96b0 Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com> --- docs/backends/azure-container-apps.md | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/docs/backends/azure-container-apps.md b/docs/backends/azure-container-apps.md index dff75bf..e7b646a 100644 --- a/docs/backends/azure-container-apps.md +++ b/docs/backends/azure-container-apps.md 
@@ -105,19 +105,17 @@ az storage share-rm create \ --quota 1024 \ --enabled-protocols SMB -export STORAGE_ACCOUNT_KEY=$(az storage account keys list \ - --resource-group $RESOURCE_GROUP \ - --account-name $STORAGE_ACCOUNT_NAME \ - --query '[0].value' \ - --output tsv) - az containerapp env storage set \ --name $CONTAINER_APP_ENV \ --resource-group $RESOURCE_GROUP \ --storage-name $STORAGE_MOUNT_NAME \ --access-mode ReadWrite \ --azure-file-account-name $STORAGE_ACCOUNT_NAME \ - --azure-file-account-key "$STORAGE_ACCOUNT_KEY" \ + --azure-file-account-key "$(az storage account keys list \ + --resource-group $RESOURCE_GROUP \ + --account-name $STORAGE_ACCOUNT_NAME \ + --query '[0].value' \ + --output tsv)" \ --azure-file-share-name $STORAGE_SHARE_NAME ``` @@ -241,7 +239,11 @@ export BLOB_CONTAINER_NAME=$blobContainerName az storage container create \ --account-name $STORAGE_ACCOUNT_NAME \ --name $BLOB_CONTAINER_NAME \ - --account-key "$STORAGE_ACCOUNT_KEY" + --account-key "$(az storage account keys list \ + --resource-group $RESOURCE_GROUP \ + --account-name $STORAGE_ACCOUNT_NAME \ + --query '[0].value' \ + --output tsv)" ``` You now have two supported authentication choices for Litestream. @@ -254,7 +256,11 @@ Set the storage account key as a Container Apps secret: az containerapp secret set \ --name $CONTAINER_APP_NAME \ --resource-group $RESOURCE_GROUP \ - --secrets litestream-azure-account-key="$STORAGE_ACCOUNT_KEY" + --secrets litestream-azure-account-key="$(az storage account keys list \ + --resource-group $RESOURCE_GROUP \ + --account-name $STORAGE_ACCOUNT_NAME \ + --query '[0].value' \ + --output tsv)" ``` Then update the app configuration:
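Review bot: In the first hunk (`az containerapp env storage set`, Step 2), the key is still expanded into the argument list of the outer `az` process at `--azure-file-account-key "$(az storage account keys list \`, so it can be read from the process list for as long as that command runs. The change keeps the key out of the exported environment, which is what the commit message describes, but the guide text should say that this is the remaining exposure so readers do not treat the inline form as leaving no trace on the host. The unquoted `$RESOURCE_GROUP` and `$STORAGE_ACCOUNT_NAME` inside the substitution are also worth quoting while these lines are being touched, since the surrounding `"$( ... )"` does not protect them from word splitting.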
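Review bot: In the second hunk (`az storage container create`, Step 6), the same five-line `az storage account keys list ... --query '[0].value' --output tsv` lookup is now pasted a second time, and it appears a third time in the next hunk. Any later change to the lookup, such as selecting a different key index, has to be made in three places and the copies can drift apart. Consider defining the lookup once near the top of the guide as a small shell function and calling it as `--account-key "$(storage_key)"` (function name is only a suggestion); that still avoids a named variable holding the key, and shortens each command block.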
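Review bot: In the third hunk (`az containerapp secret set`, Step 6 Option A), a failure of the inner `az storage account keys list` is not checked: the exit status of a command substitution used inside an argument is discarded, so on an expired login or a mistyped resource group the substitution yields an empty string and the outer command still runs with `litestream-azure-account-key=""`. The problem would then only show up later as an authentication failure in Litestream. Suggest adding a line to the guide telling the reader to confirm the key lookup succeeds on its own before running this step, or to check the stored secret afterwards. The same applies to the two earlier hunks, but the consequence is hardest to trace here because the value is stored rather than used immediately.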