All .NET Aspire Azure hosting integrations define Azure resources. These resources come with default role assignments. You can replace these default role assignments with built-in role or custom role assignments. In this article, you learn how to manage Azure role assignments on .NET Aspire resources.
Default built-in role assignments
When you add an Azure resource to the app model, it's assigned default roles. If a resource depends on another resource, it inherits the same role assignments as the referenced resource unless explicitly overridden.
Consider a scenario where an API project resource references an Azure Search resource. The API project is given the default role assignments, as shown in the following example:
var builder = DistributedApplication.CreateBuilder(args);

var search = builder.AddAzureSearch("search");

var api = builder.AddProject<Projects.Api>("api")
                 .WithReference(search);
In the example code, the api project resource depends on the Azure search resource, meaning it references the search resource. By default, the search resource is assigned the following built-in roles:
These role assignments allow the API project to read and write data to the Azure Search resource, and manage it. However, this behavior might not always be desirable. For instance, you might want to restrict the API project to only read data from the Azure Search resource.
Override default role assignments
To override the default role assignment, use the WithRoleAssignments API and assign built-in roles as shown in the following example:
var builder = DistributedApplication.CreateBuilder(args);

var search = builder.AddAzureSearch("search");

var api = builder.AddProject<Projects.Api>("api")
                 .WithRoleAssignments(search, SearchBuiltInRole.SearchIndexDataReader)
                 .WithReference(search);
When you use the WithRoleAssignments method, it replaces the default role assignments with the specified ones. This method requires two parameters: the resource to which the role assignment applies and the built-in role to assign. In the preceding example, the search resource is assigned the SearchBuiltInRole.SearchIndexDataReader role.
When you replace the default role assignments with the SearchIndexDataReader role, the API project is restricted to only reading data from the Azure Search resource. This ensures the API project can't write data to the Azure Search resource.
For more information, see Azure built-in roles.
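The following app host is an added example, not code from the original article. It applies the same override to two consumers of one search resource so that each gets only the role it needs, and does the same for a Key Vault. The Projects.Indexer project and the "vault" resource are assumed names used for illustration; the roles are taken from the reference lists later in this article.

```csharp
// Added example, not from the original article. Projects.Indexer and the
// "vault" resource are hypothetical names used for illustration.
using Azure.Provisioning.KeyVault;
using Azure.Provisioning.Search;

var builder = DistributedApplication.CreateBuilder(args);

var search = builder.AddAzureSearch("search");
var vault = builder.AddAzureKeyVault("vault");

// Query path: read-only access to index data and to secret values.
builder.AddProject<Projects.Api>("api")
    .WithRoleAssignments(search, SearchBuiltInRole.SearchIndexDataReader)
    .WithRoleAssignments(vault, KeyVaultBuiltInRole.KeyVaultSecretsUser)
    .WithReference(search)
    .WithReference(vault);

// Ingestion path: may write documents into indexes, but is not given
// SearchServiceContributor, so it cannot manage the search service itself.
builder.AddProject<Projects.Indexer>("indexer")
    .WithRoleAssignments(search, SearchBuiltInRole.SearchIndexDataContributor)
    .WithReference(search);

builder.Build().Run();
```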
Built-in role assignment reference
All built-in roles are defined within the Azure.Provisioning namespaces and are included in the corresponding 📦 Azure.Provisioning.* NuGet packages. Each .NET Aspire Azure hosting integration automatically depends on the appropriate provisioning package. For more information, see Infrastructure as code.
The following sections list the built-in roles for each Azure provisioning type that can be used as a parameter to the WithRoleAssignments API.
Azure App Configuration
The provisioning resource type is AppConfigurationStore, and the built-in roles are defined in the AppConfigurationBuiltInRole struct. The built-in roles are:
- AppConfigurationBuiltInRole.AppConfigurationDataOwner
- AppConfigurationBuiltInRole.AppConfigurationDataReader
Azure App Container
The provisioning resource type is ContainerApp, and the built-in roles are defined in the AppContainersBuiltInRole struct. The built-in roles are:
Azure Application Insights
The provisioning resource type is ApplicationInsightsComponent, and the built-in roles are defined in the ApplicationInsightsBuiltInRole struct. The built-in roles are:
- ApplicationInsightsBuiltInRole.ApplicationInsightsComponentContributor
- ApplicationInsightsBuiltInRole.ApplicationInsightsSnapshotDebugger
- ApplicationInsightsBuiltInRole.MonitoringContributor
- ApplicationInsightsBuiltInRole.MonitoringMetricsPublisher
- ApplicationInsightsBuiltInRole.MonitoringReader
- ApplicationInsightsBuiltInRole.WorkbookContributor
- ApplicationInsightsBuiltInRole.WorkbookReader
For more information, see Use Application Insights for .NET Aspire telemetry.
Azure AI (formerly Cognitive Services)
The provisioning resource type is CognitiveServicesAccount, and the built-in roles are defined in the CognitiveServicesBuiltInRole struct. The built-in roles are:
- CognitiveServicesBuiltInRole.AzureAIDeveloper
- CognitiveServicesBuiltInRole.AzureAIEnterpriseNetworkConnectionApprover
- CognitiveServicesBuiltInRole.AzureAIInferenceDeploymentOperator
- CognitiveServicesBuiltInRole.CognitiveServicesContributor
- CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionContributor
- CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionDeployment
- CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionLabeler
- CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionReader
- CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionTrainer
- CognitiveServicesBuiltInRole.CognitiveServicesDataReader
- CognitiveServicesBuiltInRole.CognitiveServicesFaceRecognizer
- CognitiveServicesBuiltInRole.CognitiveServicesMetricsAdvisorAdministrator
- CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor
- CognitiveServicesBuiltInRole.CognitiveServicesOpenAIUser
- CognitiveServicesBuiltInRole.CognitiveServicesQnAMakerEditor
- CognitiveServicesBuiltInRole.CognitiveServicesQnAMakerReader
- CognitiveServicesBuiltInRole.CognitiveServicesUsagesReader
- CognitiveServicesBuiltInRole.CognitiveServicesUser
For more information, see .NET Aspire Azure OpenAI integration (Preview).
Azure Cosmos DB
The provisioning resource type is CosmosDBAccount, and the built-in roles are defined in the CosmosDBBuiltInRole struct. The built-in roles are:
- CosmosDBBuiltInRole.CosmosDBOperator
- CosmosDBBuiltInRole.CosmosBackupOperator
- CosmosDBBuiltInRole.CosmosRestoreOperator
Azure Event Hubs
The provisioning resource type is EventHubsNamespace, and the built-in roles are defined in the EventHubsBuiltInRole struct. The built-in roles are:
- EventHubsBuiltInRole.AzureEventHubsDataOwner
- EventHubsBuiltInRole.AzureEventHubsDataReceiver
- EventHubsBuiltInRole.AzureEventHubsDataSender
- EventHubsBuiltInRole.SchemaRegistryContributor
- EventHubsBuiltInRole.SchemaRegistryReader
For more information, see .NET Aspire Azure Event Hubs integration.
Azure Key Vault
The provisioning resource type is KeyVaultService, and the built-in roles are defined in the KeyVaultBuiltInRole struct. The built-in roles are:
- KeyVaultBuiltInRole.KeyVaultAdministrator
- KeyVaultBuiltInRole.KeyVaultCertificatesOfficer
- KeyVaultBuiltInRole.KeyVaultCertificateUser
- KeyVaultBuiltInRole.KeyVaultContributor
- KeyVaultBuiltInRole.KeyVaultCryptoOfficer
- KeyVaultBuiltInRole.KeyVaultCryptoServiceEncryptionUser
- KeyVaultBuiltInRole.KeyVaultCryptoServiceReleaseUser
- KeyVaultBuiltInRole.KeyVaultCryptoUser
- KeyVaultBuiltInRole.KeyVaultDataAccessAdministrator
- KeyVaultBuiltInRole.KeyVaultReader
- KeyVaultBuiltInRole.KeyVaultSecretsOfficer
- KeyVaultBuiltInRole.KeyVaultSecretsUser
- KeyVaultBuiltInRole.ManagedHsmContributor
For more information, see .NET Aspire Azure Key Vault integration.
Azure AI Search
The provisioning resource type is SearchService, and the built-in roles are defined in the SearchBuiltInRole struct. The built-in roles are:
- SearchBuiltInRole.SearchIndexDataContributor
- SearchBuiltInRole.SearchIndexDataReader
- SearchBuiltInRole.SearchServiceContributor
For more information, see .NET Aspire Azure AI Search integration.
Azure Service Bus
The provisioning resource type is ServiceBusNamespace, and the built-in roles are defined in the ServiceBusBuiltInRole struct. The built-in roles are:
- ServiceBusBuiltInRole.AzureServiceBusDataOwner
- ServiceBusBuiltInRole.AzureServiceBusDataReceiver
- ServiceBusBuiltInRole.AzureServiceBusDataSender
For more information, see .NET Aspire Azure Service Bus integration.
Azure SignalR Service
The provisioning resource type is SignalRService, and the built-in roles are defined in the SignalRBuiltInRole struct. The built-in roles are:
- SignalRBuiltInRole.SignalRAccessKeyReader
- SignalRBuiltInRole.SignalRAppServer
- SignalRBuiltInRole.SignalRContributor
- SignalRBuiltInRole.SignalRRestApiOwner
- SignalRBuiltInRole.SignalRRestApiReader
- SignalRBuiltInRole.SignalRServiceOwner
For more information, see .NET Aspire support for Azure SignalR Service.
Azure SQL
The provisioning resource type is SqlServer, and the built-in roles are defined in the SqlBuiltInRole struct. The built-in roles are:
- SqlBuiltInRole.AzureConnectedSqlServerOnboarding
- SqlBuiltInRole.SqlDBContributor
- SqlBuiltInRole.SqlManagedInstanceContributor
- SqlBuiltInRole.SqlSecurityManager
- SqlBuiltInRole.SqlServerContributor
Azure Storage
The provisioning resource type is StorageAccount, and the built-in roles are defined in the StorageBuiltInRole struct. The built-in roles are:
- StorageBuiltInRole.ClassicStorageAccountContributor
- StorageBuiltInRole.ClassicStorageAccountKeyOperatorServiceRole
- StorageBuiltInRole.StorageAccountBackupContributor
- StorageBuiltInRole.StorageAccountContributor
- StorageBuiltInRole.StorageAccountKeyOperatorServiceRole
- StorageBuiltInRole.StorageBlobDataContributor
- StorageBuiltInRole.StorageBlobDataOwner
- StorageBuiltInRole.StorageBlobDataReader
- StorageBuiltInRole.StorageBlobDelegator
- StorageBuiltInRole.StorageFileDataPrivilegedContributor
- StorageBuiltInRole.StorageFileDataPrivilegedReader
- StorageBuiltInRole.StorageFileDataSmbShareContributor
- StorageBuiltInRole.StorageFileDataSmbShareElevatedContributor
- StorageBuiltInRole.StorageFileDataSmbShareReader
- StorageBuiltInRole.StorageQueueDataContributor
- StorageBuiltInRole.StorageQueueDataMessageProcessor
- StorageBuiltInRole.StorageQueueDataMessageSender
- StorageBuiltInRole.StorageQueueDataReader
- StorageBuiltInRole.StorageTableDataContributor
- StorageBuiltInRole.StorageTableDataReader
For more information, see:
- .NET Aspire Azure Blob Storage integration
- .NET Aspire Azure Data Tables integration
- .NET Aspire Azure Queue Storage integration
Azure Web PubSub
The provisioning resource type is WebPubSubService, and the built-in roles are defined in the WebPubSubBuiltInRole struct. The built-in roles are:
- WebPubSubBuiltInRole.WebPubSubContributor
- WebPubSubBuiltInRole.WebPubSubServiceOwner
- WebPubSubBuiltInRole.WebPubSubServiceReader
For more information, see .NET Aspire Azure Web PubSub integration.
See also
.NET Aspire