Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add role assignments with .NET Aspire #2891

Merged
merged 8 commits into from
Mar 31, 2025
Merged

Add role assignments with .NET Aspire #2891

merged 8 commits into from
Mar 31, 2025

Conversation

IEvangelist
Copy link
Member

@IEvangelist IEvangelist commented Mar 25, 2025
edited by github-actions bot
Loading

Summary

Add role assignments with .NET Aspire

Fixes #2788

Internal previews

📄 File 🔗 Preview link
docs/azure/integrations-overview.md .NET Aspire Azure integrations overview
docs/azure/role-assignments.md Manage Azure role assignments
docs/toc.yml docs/toc

adegeo
adegeo approved these changes Mar 25, 2025
View reviewed changes
Copy link
Contributor

@adegeo adegeo left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice article. Reviewing this stuff continues to educate me on Aspire.

Approved to unblock, but some fixes required.

And don't forget to put the article in the TOC.

@IEvangelist IEvangelist requested a review from eerhardt March 26, 2025 16:09
@IEvangelist IEvangelist marked this pull request as ready for review March 26, 2025 16:09
@IEvangelist IEvangelist merged commit aea3d8d into dotnet:release-9.2 Mar 31, 2025
6 checks passed
eerhardt
eerhardt reviewed Apr 1, 2025
View reviewed changes
docs/azure/role-assignments.md
.WithReference(search);
```

When you use the `WithRoleAssignments` method, it replaces the default role assignments with the specified ones. This method requires two parameters: the resource to which the role assignment applies and the built-in role to assign. In the preceding example, the `search` resource is assigned the <xref:Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataReader?displayProperty=nameWithType> role.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the preceding example, the search resource is assigned the xref:Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataReader?displayProperty=nameWithType role.

I would flip this wording. It isn't the search resource that is assigned that role. Instead, the api project is assigned that role to the search resource.

eerhardt
eerhardt reviewed Apr 1, 2025
View reviewed changes
docs/azure/role-assignments.md
For more information, see [.NET Aspire Azure App Container integration](../hosting/azure-app-container-integration.md).
-->

### Azure Application Insights
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't support App Insights role assignments. We actually don't grant any right now, even by default.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logged Aspire.Hosting.Azure.ApplicationInsights should configure Microsoft Entra authentication (dotnet/aspire#8480) for this.

eerhardt
eerhardt reviewed Apr 1, 2025
View reviewed changes
docs/azure/role-assignments.md

For more information, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles).

## Built-in role assignment reference
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there not somewhere in Azure we could put these? This doesn't seem like our list to maintain.

eerhardt
eerhardt reviewed Apr 1, 2025
View reviewed changes
docs/azure/role-assignments.md
To override the default role assignment, use the `WithRoleAssignments` API and assign built-in roles as shown in the following example:

```csharp
var builder = DistributedApplication.CreateBuilder(args);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your app needs to use a compute environment that supports role assignments. In 9.2 the only one we support is Azure Container Apps. So you need to call either:

  • Aspire.Hosting.AzureContainerAppExtensions.AddAzureContainerAppEnvironment
  • Aspire.Hosting.AzureContainerAppExtensions.AddAzureContainerAppsInfrastructure

In order for role assignments to work. If you don't enable ACA infrastructure, an exception is thrown when your app starts if you call .WithRoleAssignments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eerhardt eerhardt eerhardt left review comments

@adegeo adegeo adegeo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@IEvangelist @eerhardt @adegeo