Manage Azure role assignments
All Aspire Azure hosting integrations define Azure resources. These resources come with default role assignments. You can replace these default role assignments with built-in role or custom role assignments. In this article, you learn how to manage Azure role assignments on Aspire resources.
Default built-in role assignments
When you add an Azure resource to the AppHost, it’s assigned default roles. If a resource depends on another resource, it inherits the same role assignments as the referenced resource unless explicitly overridden.
Consider a scenario where an API project resource references an Azure Search resource. The API project is given the default role assignments, as shown in the following example:
var builder = DistributedApplication.CreateBuilder(args);
var search = builder.AddAzureSearch("search");
var api = builder.AddProject<Projects.Api>("api")
    .WithReference(search);

In the example code, the api project resource depends on the Azure search resource, meaning it references the search resource. By default, the search resource is assigned the following built-in roles:
- Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataContributor
- Azure.Provisioning.Search.SearchBuiltInRole.SearchServiceContributor
These role assignments allow the API project to read and write data to the Azure Search resource, and manage it. However, this behavior might not always be desirable. For instance, you might want to restrict the API project to only read data from the Azure Search resource.
Override default role assignments
To override the default role assignment, use the WithRoleAssignments APIs and assign built-in roles as shown in the following example:
var builder = DistributedApplication.CreateBuilder(args);
var search = builder.AddAzureSearch("search");
var api = builder.AddProject<Projects.Api>("api")
    .WithRoleAssignments(search, SearchBuiltInRole.SearchIndexDataReader)
    .WithReference(search);

When you use the WithRoleAssignments method, it replaces the default role assignments with the specified ones. This method requires two parameters: the resource to which the role assignment applies and the built-in role to assign. In the preceding example, the search resource is assigned the Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataReader role.
When you replace the default role assignments with the SearchIndexDataReader role, the API project is restricted to only reading data from the Azure Search resource. This ensures the API project can’t write data to the Azure Search resource.
For more information, see Azure built-in roles.
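The same override applied per consumer across several resources, as an added example that is not part of the original page. The project types Projects.Api and Projects.Indexer, the resource names, and the presence of the Aspire Azure AI Search, Storage and Service Bus hosting integrations in the AppHost are assumptions; the role names are the ones listed in the reference sections of this article.

```csharp
// Added example, not the page's own code. Projects.Api, Projects.Indexer and
// all resource names ("search", "storage", "blobs", "messaging") are hypothetical.
using Azure.Provisioning.Search;
using Azure.Provisioning.ServiceBus;
using Azure.Provisioning.Storage;

var builder = DistributedApplication.CreateBuilder(args);

var search = builder.AddAzureSearch("search");
var storage = builder.AddAzureStorage("storage");
var blobs = storage.AddBlobs("blobs");
var messaging = builder.AddAzureServiceBus("messaging");

// Front-end API: may query the index and enqueue work.
// It gets no index write access and no service management role.
builder.AddProject<Projects.Api>("api")
    .WithRoleAssignments(search, SearchBuiltInRole.SearchIndexDataReader)
    .WithRoleAssignments(messaging, ServiceBusBuiltInRole.AzureServiceBusDataSender)
    .WithReference(search)
    .WithReference(messaging);

// Background indexer: receives work items, reads source blobs, writes the index.
// The storage role is assigned on the storage account resource, while the
// connection reference points at the blobs child resource.
builder.AddProject<Projects.Indexer>("indexer")
    .WithRoleAssignments(messaging, ServiceBusBuiltInRole.AzureServiceBusDataReceiver)
    .WithRoleAssignments(storage, StorageBuiltInRole.StorageBlobDataReader)
    .WithRoleAssignments(search, SearchBuiltInRole.SearchIndexDataContributor)
    .WithReference(messaging)
    .WithReference(blobs)
    .WithReference(search);

builder.Build().Run();
```

Each project ends up with only the data-plane role its workload needs on each resource, so neither one holds SearchServiceContributor or a Service Bus or Storage owner role.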
Built-in role assignment reference
All built-in roles are defined within the Azure.Provisioning namespaces and are included in the corresponding 📦 Azure.Provisioning.* NuGet packages. Each Aspire Azure hosting integration automatically depends on the appropriate provisioning package. For more information, see Customized Azure resources.
The following sections list the built-in roles for each Azure provisioning type that can be used as a parameter to the WithRoleAssignments API.
Azure App Configuration
The provisioning resource type is Azure.Provisioning.AppConfiguration.AppConfigurationStore, and the built-in roles are defined in the Azure.Provisioning.AppConfiguration.AppConfigurationBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.AppConfiguration.AppConfigurationBuiltInRole.AppConfigurationDataOwner
- Azure.Provisioning.AppConfiguration.AppConfigurationBuiltInRole.AppConfigurationDataReader
Azure App Container
The provisioning resource type is Azure.Provisioning.AppContainers.ContainerApp, and the built-in roles are defined in the Azure.Provisioning.AppContainers.AppContainersBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.AppContainers.AppContainersBuiltInRole.Contributor
- Azure.Provisioning.AppContainers.AppContainersBuiltInRole.Owner
- Azure.Provisioning.AppContainers.AppContainersBuiltInRole.Reader
For more information, see Configure Azure Container Apps environments.
Azure Application Insights
The provisioning resource type is Azure.Provisioning.ApplicationInsights.ApplicationInsightsComponent, and the built-in roles are defined in the Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.ApplicationInsightsComponentContributor
- Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.ApplicationInsightsSnapshotDebugger
- Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.MonitoringContributor
- Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.MonitoringMetricsPublisher
- Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.MonitoringReader
- Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.WorkbookContributor
- Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.WorkbookReader
Azure AI (formerly Cognitive Services)
The provisioning resource type is Azure.Provisioning.CognitiveServices.CognitiveServicesAccount, and the built-in roles are defined in the Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.AzureAIDeveloper
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.AzureAIEnterpriseNetworkConnectionApprover
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.AzureAIInferenceDeploymentOperator
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesContributor
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionContributor
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionDeployment
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionLabeler
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionReader
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionTrainer
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesDataReader
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesFaceRecognizer
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesMetricsAdvisorAdministrator
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesOpenAIUser
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesQnAMakerEditor
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesQnAMakerReader
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesUsagesReader
- Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesUser
For more information, see Aspire Azure OpenAI integration.
Azure Cosmos DB
The provisioning resource type is Azure.Provisioning.CosmosDB.CosmosDBAccount, and the built-in roles are defined in the Azure.Provisioning.CosmosDB.CosmosDBBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.CosmosDB.CosmosDBBuiltInRole.CosmosDBOperator
- Azure.Provisioning.CosmosDB.CosmosDBBuiltInRole.CosmosBackupOperator
- Azure.Provisioning.CosmosDB.CosmosDBBuiltInRole.CosmosRestoreOperator
For more information, see:
Azure Event Hubs
The provisioning resource type is Azure.Provisioning.EventHubs.EventHubsNamespace, and the built-in roles are defined in the Azure.Provisioning.EventHubs.EventHubsBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.EventHubs.EventHubsBuiltInRole.AzureEventHubsDataOwner
- Azure.Provisioning.EventHubs.EventHubsBuiltInRole.AzureEventHubsDataReceiver
- Azure.Provisioning.EventHubs.EventHubsBuiltInRole.AzureEventHubsDataSender
- Azure.Provisioning.EventHubs.EventHubsBuiltInRole.SchemaRegistryContributor
- Azure.Provisioning.EventHubs.EventHubsBuiltInRole.SchemaRegistryReader
For more information, see Aspire Azure Event Hubs integration.
Azure Key Vault
The provisioning resource type is Azure.Provisioning.KeyVault.KeyVaultService, and the built-in roles are defined in the Azure.Provisioning.KeyVault.KeyVaultBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultAdministrator
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCertificatesOfficer
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCertificateUser
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultContributor
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCryptoOfficer
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCryptoServiceEncryptionUser
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCryptoServiceReleaseUser
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCryptoUser
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultDataAccessAdministrator
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultReader
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultSecretsOfficer
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultSecretsUser
- Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.ManagedHsmContributor
For more information, see Aspire Azure Key Vault integration.
Azure AI Search
The provisioning resource type is Azure.Provisioning.Search.SearchService, and the built-in roles are defined in the Azure.Provisioning.Search.SearchBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataContributor
- Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataReader
- Azure.Provisioning.Search.SearchBuiltInRole.SearchServiceContributor
For more information, see Aspire Azure AI Search integration.
Azure Service Bus
The provisioning resource type is Azure.Provisioning.ServiceBus.ServiceBusNamespace, and the built-in roles are defined in the Azure.Provisioning.ServiceBus.ServiceBusBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.ServiceBus.ServiceBusBuiltInRole.AzureServiceBusDataOwner
- Azure.Provisioning.ServiceBus.ServiceBusBuiltInRole.AzureServiceBusDataReceiver
- Azure.Provisioning.ServiceBus.ServiceBusBuiltInRole.AzureServiceBusDataSender
For more information, see Aspire Azure Service Bus integration.
Azure SignalR Service
The provisioning resource type is Azure.Provisioning.SignalR.SignalRService, and the built-in roles are defined in the Azure.Provisioning.SignalR.SignalRBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRAccessKeyReader
- Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRAppServer
- Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRContributor
- Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRRestApiOwner
- Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRRestApiReader
- Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRServiceOwner
For more information, see Aspire support for Azure SignalR Service.
Azure SQL
The provisioning resource type is Azure.Provisioning.Sql.SqlServer, and the built-in roles are defined in the Azure.Provisioning.Sql.SqlBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.Sql.SqlBuiltInRole.AzureConnectedSqlServerOnboarding
- Azure.Provisioning.Sql.SqlBuiltInRole.SqlDBContributor
- Azure.Provisioning.Sql.SqlBuiltInRole.SqlManagedInstanceContributor
- Azure.Provisioning.Sql.SqlBuiltInRole.SqlSecurityManager
- Azure.Provisioning.Sql.SqlBuiltInRole.SqlServerContributor
For more information, see Aspire Azure SQL integration.
Azure Storage
The provisioning resource type is Azure.Provisioning.Storage.StorageAccount, and the built-in roles are defined in the Azure.Provisioning.Storage.StorageBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.Storage.StorageBuiltInRole.ClassicStorageAccountContributor
- Azure.Provisioning.Storage.StorageBuiltInRole.ClassicStorageAccountKeyOperatorServiceRole
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageAccountBackupContributor
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageAccountContributor
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageAccountKeyOperatorServiceRole
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageBlobDataContributor
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageBlobDataOwner
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageBlobDataReader
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageBlobDelegator
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataPrivilegedContributor
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataPrivilegedReader
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataSmbShareContributor
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataSmbShareElevatedContributor
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataSmbShareReader
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageQueueDataContributor
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageQueueDataMessageProcessor
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageQueueDataMessageSender
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageQueueDataReader
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageTableDataContributor
- Azure.Provisioning.Storage.StorageBuiltInRole.StorageTableDataReader
For more information, see:
- Aspire Azure Blob Storage integration
- Aspire Azure Data Tables integration
- Aspire Azure Queue Storage integration
Azure Web PubSub
The provisioning resource type is Azure.Provisioning.WebPubSub.WebPubSubService, and the built-in roles are defined in the Azure.Provisioning.WebPubSub.WebPubSubBuiltInRole struct. The built-in roles are:
- Azure.Provisioning.WebPubSub.WebPubSubBuiltInRole.WebPubSubContributor
- Azure.Provisioning.WebPubSub.WebPubSubBuiltInRole.WebPubSubServiceOwner
- Azure.Provisioning.WebPubSub.WebPubSubBuiltInRole.WebPubSubServiceReader
For more information, see Aspire Azure Web PubSub integration.