[Breaking change]: BicepSecretOutputReference and GetSecretOutput are now obsolete #3670

Open
@davidfowl

Description

BicepSecretOutputReference, the helper method GetSecretOutput(...), and the overload of WithEnvironment that accepted a BicepSecretOutputReference have been deprecated ([Obsolete]) and their automatic Key Vault–generation logic has been removed.
Projects that relied on these APIs for “magic” secret wiring must migrate to the new IAzureKeyVaultSecretReference flow or model Key Vault resources explicitly.

Version

Other (please put exact version in description textbox)

Previous behavior

var db = builder.AddAzureCosmosDB("mydb").WithAccessKeyAuthentication();

// Secret-output helper returned a BicepSecretOutputReference.
// Aspire auto-generated a Key Vault and secretUri wiring.
builder.AddContainer("api", "image")
       .WithEnvironment("ConnStr", db.GetSecretOutput("connectionString"));

New behavior

var kv = builder.AddAzureKeyVault("kv");
builder.AddContainer("api", "image")
       .WithEnvironment("ConnStr", kv.GetSecret("connectionString"));
  • GetSecretOutput(...) is now obsolete and will be removed in a future release.

  • Aspire no longer creates Key Vaults or secrets automatically; callers must supply an IAzureKeyVaultSecretReference or other value themselves.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

Implicit Key Vault creation made deployments opaque and fragile. Removing the secret-output shortcut aligns Aspire with its explicit-resource philosophy, giving developers full control over secret management and simplifying infrastructure generation.

Recommended action

  1. Create or reference a Key Vault in your Aspire graph:
     var kv = builder.AddAzureKeyVault("kv");
  2. Replace GetSecretOutput usage with an explicit secret reference:
     builder.AddContainer("api", "image")
            .WithEnvironment("ConnStr", kv.GetSecret("connectionString"));
  3. Remove obsolete WithEnvironment(string, BicepSecretOutputReference) overloads and switch to WithEnvironment(string, IAzureKeyVaultSecretReference) (or another appropriate overload).

Aspire's resources with support for keys have already been updated to handle this new change.

Affected APIs

| Namespace / Type | Member | Change |
| --- | --- | --- |
| Aspire.Hosting.Azure | BicepSecretOutputReference | Marked [Obsolete]; functionality removed |
| AzureBicepResourceExtensions | GetSecretOutput | Marked [Obsolete] |
| AzureBicepResourceExtensions | WithEnvironment(string, BicepSecretOutputReference) | Marked [Obsolete] |
| Aspire.Hosting.Azure.AppContainers | Automatic Key Vault generation | Removed |
