# Manage Azure role assignments

<Image
  src={azureIcon}
  alt="Azure RBAC icon"
  height={80}
  width={80}
  class:list={'float-inline-left icon'}
  data-zoom-off
/>

All Aspire Azure hosting integrations define Azure resources. These resources come with default role assignments. You can replace these default role assignments with built-in roles or [custom role assignments](/integrations/cloud/azure/customize-resources/). In this article, you learn how to manage Azure role assignments on Aspire resources.

## Default built-in role assignments

When you add an Azure resource to the [AppHost](/get-started/app-host/), it's assigned default roles. If a resource depends on another resource, it inherits the same role assignments as the referenced resource unless explicitly overridden.

Consider a scenario where an API project resource references an [Azure Search](/integrations/cloud/azure/azure-ai-search/azure-ai-search-get-started/) resource. The API project is given the default role assignments, as shown in the following example:

```csharp title="C# — AppHost.cs"
var builder = DistributedApplication.CreateBuilder(args);

var search = builder.AddAzureSearch("search");

var api = builder.AddProject<Projects.Api>("api")
    .WithReference(search);
```

```typescript title="TypeScript — apphost.mts" twoslash
import { createBuilder } from './.aspire/modules/aspire.mjs';

const builder = await createBuilder();

const search = await builder.addAzureSearch("search");

const api = await builder.addProject("api", "../Api/Api.csproj");
await api.withReference(search);
```

In the example code, the `api` project resource depends on the Azure `search` resource, meaning it references the `search` resource. By default, the `search` resource is assigned the following built-in roles:

- `Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataContributor`
- `Azure.Provisioning.Search.SearchBuiltInRole.SearchServiceContributor`

These role assignments allow the API project to read and write data to the Azure Search resource, and manage it. However, this behavior might not always be desirable. For instance, you might want to restrict the API project to only read data from the Azure Search resource.

## Override default role assignments

To override the default role assignment, use the [WithRoleAssignments APIs](https://learn.microsoft.com/dotnet/api/?preserve-view=true&view=dotnet-aspire-13.0&term=WithRoleAssignments) and assign built-in roles as shown in the following example:

```csharp title="C# — AppHost.cs"
var builder = DistributedApplication.CreateBuilder(args);

var search = builder.AddAzureSearch("search");

var api = builder.AddProject<Projects.Api>("api")
    .WithRoleAssignments(search, SearchBuiltInRole.SearchIndexDataReader)
    .WithReference(search);
```

```typescript title="TypeScript — apphost.mts" twoslash
import { AzureSearchRole, createBuilder } from './.aspire/modules/aspire.mjs';

const builder = await createBuilder();

const search = await builder.addAzureSearch("search");

const api = await builder.addProject("api", "../Api/Api.csproj");
await api.withSearchRoleAssignments(search, [AzureSearchRole.SearchIndexDataReader]);
await api.withReference(search);
```

When you use the `WithRoleAssignments` method in C# or a resource-specific TypeScript role assignment method such as `withSearchRoleAssignments`, it replaces the default role assignments with the specified ones. This method requires two parameters: the resource to which the role assignment applies and the built-in role to assign. In the preceding example, the `search` resource is assigned the `Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataReader` role.

When you replace the default role assignments with the `SearchIndexDataReader` role, the API project is restricted to only reading data from the Azure Search resource. This ensures the API project can't write data to the Azure Search resource.

For more information, see [Azure built-in roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles).
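The same replacement pattern generalizes to several principals sharing one resource. The following AppHost is an added example, not code from the Aspire docs or the Aspire project: it splits a Service Bus namespace and a Storage account between an `api` and a `worker` project so that each managed identity holds only the data-plane role its job needs (resource and project names are placeholders).

```csharp
using Azure.Provisioning.ServiceBus;
using Azure.Provisioning.Storage;

var builder = DistributedApplication.CreateBuilder(args);

// Shared Azure resources. Both projects reference them, so both would
// otherwise inherit the same default (broad) role assignments.
var messaging = builder.AddAzureServiceBus("messaging");
var storage = builder.AddAzureStorage("storage");
var blobs = storage.AddBlobs("blobs");

// The API only enqueues work and serves blob content:
// send-only on the namespace, read-only on blobs. No receive, no write.
var api = builder.AddProject<Projects.Api>("api")
    .WithRoleAssignments(messaging, ServiceBusBuiltInRole.AzureServiceBusDataSender)
    .WithRoleAssignments(storage, StorageBuiltInRole.StorageBlobDataReader)
    .WithReference(messaging)
    .WithReference(blobs);

// The worker drains the queue and writes results:
// receive-only on the namespace, blob contributor on storage.
// Neither project is given AzureServiceBusDataOwner, so neither identity
// can create, delete, or reconfigure queues and topics at runtime.
var worker = builder.AddProject<Projects.Worker>("worker")
    .WithRoleAssignments(messaging, ServiceBusBuiltInRole.AzureServiceBusDataReceiver)
    .WithRoleAssignments(storage, StorageBuiltInRole.StorageBlobDataContributor)
    .WithReference(messaging)
    .WithReference(blobs);

builder.Build().Run();
```

Because `WithRoleAssignments` replaces rather than adds to the defaults, a later `WithReference` call on the same pair of resources doesn't reintroduce the broader default roles.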

## Inspect role assignments programmatically

Aspire represents each set of role assignments as an `AzureRoleAssignmentResource` in the distributed application model. You can enumerate these resources to inspect what role assignments are configured, which Azure resource they target, and which Aspire resource owns them. This is useful in [pipeline steps](/deployment/pipelines/) that need to reason about security configuration before deployment.

`AzureRoleAssignmentResource` exposes three properties:

| Property              | Type                                 | Description                                                                                                                                                                                                |
| --------------------- | ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `TargetAzureResource` | `AzureProvisioningResource`          | The Azure resource that the roles are assigned on (the scope, for example, a Key Vault or Storage account).                                                                                                |
| `OwnerResource`       | `IResource?`                         | The Aspire resource whose managed identity receives the role assignments (the resource on which `WithRoleAssignments` was called). `null` for global role assignments granted to the deployment principal. |
| `IdentityResource`    | `AzureUserAssignedIdentityResource?` | The user-assigned managed identity whose principal receives the role assignments. `null` for global role assignments granted to the deployment principal.                                                  |

The following example shows how to add a pipeline step that runs during `WellKnownPipelineSteps.BeforeStart` and enumerates all `AzureRoleAssignmentResource` instances that target a specific Azure resource:

```csharp title="AppHost.cs"
#pragma warning disable ASPIREAZURE001 // AzureEnvironmentResource is Experimental

var builder = DistributedApplication.CreateBuilder(args);

var keyVault = builder.AddAzureKeyVault("vault");

builder.AddProject<Projects.Api>("api")
    .WithReference(keyVault);

builder.Pipeline.AddStep(
    "inspect-role-assignments",
    async context =>
    {
        var roleAssignments = context.Model.Resources
            .OfType<AzureRoleAssignmentResource>()
            .Where(r => r.TargetAzureResource == keyVault.Resource)
            .ToList();

        foreach (var ra in roleAssignments)
        {
            Console.WriteLine($"Owner: {ra.OwnerResource?.Name}, Identity: {ra.IdentityResource?.Name}");
        }
    },
    dependsOn: AzureEnvironmentResource.PrepareResourcesStepName,
    requiredBy: WellKnownPipelineSteps.BeforeStart);

builder.Build().Run();
```

:::note
TypeScript AppHost support for inspecting role assignments through pipeline
steps isn't yet available.
:::

:::note
`OwnerResource` and `IdentityResource` are both `null` for global role assignments granted to the deployment principal. When either property is non-`null`, both are non-`null`.
:::
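Because the model is available before deployment, a pipeline step can also act as a policy gate rather than only a report. The following AppHost is an added example, not code from the Aspire docs: it fails the pipeline when any Aspire resource other than an allow-listed set holds role assignments on the Key Vault, which catches a stray `WithReference(keyVault)` added to another project. The allow list and the assumption that an unhandled exception fails the step are this example's own.

```csharp
#pragma warning disable ASPIREAZURE001 // AzureEnvironmentResource is Experimental

var builder = DistributedApplication.CreateBuilder(args);

var keyVault = builder.AddAzureKeyVault("vault");

builder.AddProject<Projects.Api>("api")
    .WithReference(keyVault);

// Policy (assumed for this example): only these Aspire resources may hold
// role assignments scoped to the vault.
var allowedVaultOwners = new HashSet<string>(StringComparer.Ordinal) { "api" };

builder.Pipeline.AddStep(
    "enforce-vault-owners",
    async context =>
    {
        var violations = context.Model.Resources
            .OfType<AzureRoleAssignmentResource>()
            .Where(r => r.TargetAzureResource == keyVault.Resource)
            // Global assignments granted to the deployment principal have no
            // owner and no identity; they are outside this check.
            .Where(r => r.OwnerResource is not null)
            .Where(r => !allowedVaultOwners.Contains(r.OwnerResource!.Name))
            .Select(r => $"{r.OwnerResource!.Name} (identity: {r.IdentityResource?.Name})")
            .ToList();

        if (violations.Count > 0)
        {
            // Assumption: an unhandled exception fails this step and stops the
            // pipeline before anything is deployed.
            throw new InvalidOperationException(
                "Unexpected role assignments on 'vault': " + string.Join(", ", violations));
        }

        Console.WriteLine("Role assignments on 'vault' match policy.");
    },
    dependsOn: AzureEnvironmentResource.PrepareResourcesStepName,
    requiredBy: WellKnownPipelineSteps.BeforeStart);

builder.Build().Run();
```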

## Built-in role assignment reference

All built-in roles are defined within the `Azure.Provisioning` namespaces and are included in the corresponding [📦 Azure.Provisioning.\*](https://www.nuget.org/packages?q=Azure.Provisioning) NuGet packages. Each Aspire Azure hosting integration automatically depends on the appropriate provisioning package. For more information, see [Customized Azure resources](/integrations/cloud/azure/customize-resources/).

The following sections list the built-in roles for each Azure provisioning type that can be used as a parameter to the `WithRoleAssignments` API.

### Azure App Configuration

The provisioning resource type is `Azure.Provisioning.AppConfiguration.AppConfigurationStore`, and the built-in roles are defined in the `Azure.Provisioning.AppConfiguration.AppConfigurationBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.AppConfiguration.AppConfigurationBuiltInRole.AppConfigurationDataOwner`
- `Azure.Provisioning.AppConfiguration.AppConfigurationBuiltInRole.AppConfigurationDataReader`

### Azure App Container

The provisioning resource type is `Azure.Provisioning.AppContainers.ContainerApp`, and the built-in roles are defined in the `Azure.Provisioning.AppContainers.AppContainersBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.AppContainers.AppContainersBuiltInRole.Contributor`
- `Azure.Provisioning.AppContainers.AppContainersBuiltInRole.Owner`
- `Azure.Provisioning.AppContainers.AppContainersBuiltInRole.Reader`

For more information, see [Configure Azure Container Apps environments](/integrations/cloud/azure/configure-container-apps/).

### Azure Application Insights

The provisioning resource type is `Azure.Provisioning.ApplicationInsights.ApplicationInsightsComponent`, and the built-in roles are defined in the `Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.ApplicationInsightsComponentContributor`
- `Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.ApplicationInsightsSnapshotDebugger`
- `Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.MonitoringContributor`
- `Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.MonitoringMetricsPublisher`
- `Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.MonitoringReader`
- `Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.WorkbookContributor`
- `Azure.Provisioning.ApplicationInsights.ApplicationInsightsBuiltInRole.WorkbookReader`

### Azure AI (formerly Cognitive Services)

The provisioning resource type is `Azure.Provisioning.CognitiveServices.CognitiveServicesAccount`, and the built-in roles are defined in the `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.AzureAIDeveloper`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.AzureAIEnterpriseNetworkConnectionApprover`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.AzureAIInferenceDeploymentOperator`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesContributor`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionContributor`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionDeployment`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionLabeler`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionReader`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesCustomVisionTrainer`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesDataReader`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesFaceRecognizer`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesMetricsAdvisorAdministrator`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesOpenAIUser`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesQnAMakerEditor`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesQnAMakerReader`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesUsagesReader`
- `Azure.Provisioning.CognitiveServices.CognitiveServicesBuiltInRole.CognitiveServicesUser`

For more information, see [Aspire Azure OpenAI integration](/integrations/cloud/azure/azure-openai/azure-openai-get-started/).

### Azure Cosmos DB

The provisioning resource type is `Azure.Provisioning.CosmosDB.CosmosDBAccount`, and the built-in roles are defined in the `Azure.Provisioning.CosmosDB.CosmosDBBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.CosmosDB.CosmosDBBuiltInRole.CosmosDBOperator`
- `Azure.Provisioning.CosmosDB.CosmosDBBuiltInRole.CosmosBackupOperator`
- `Azure.Provisioning.CosmosDB.CosmosDBBuiltInRole.CosmosRestoreOperator`

For more information, see [Aspire Azure Cosmos DB integration](/integrations/cloud/azure/azure-cosmos-db/azure-cosmos-db-get-started/).

### Azure Event Hubs

The provisioning resource type is `Azure.Provisioning.EventHubs.EventHubsNamespace`, and the built-in roles are defined in the `Azure.Provisioning.EventHubs.EventHubsBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.EventHubs.EventHubsBuiltInRole.AzureEventHubsDataOwner`
- `Azure.Provisioning.EventHubs.EventHubsBuiltInRole.AzureEventHubsDataReceiver`
- `Azure.Provisioning.EventHubs.EventHubsBuiltInRole.AzureEventHubsDataSender`
- `Azure.Provisioning.EventHubs.EventHubsBuiltInRole.SchemaRegistryContributor`
- `Azure.Provisioning.EventHubs.EventHubsBuiltInRole.SchemaRegistryReader`

For more information, see [Aspire Azure Event Hubs integration](/integrations/cloud/azure/azure-event-hubs/azure-event-hubs-get-started/).

### Azure Key Vault

The provisioning resource type is `Azure.Provisioning.KeyVault.KeyVaultService`, and the built-in roles are defined in the `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultAdministrator`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCertificatesOfficer`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCertificateUser`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultContributor`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCryptoOfficer`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCryptoServiceEncryptionUser`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCryptoServiceReleaseUser`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultCryptoUser`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultDataAccessAdministrator`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultReader`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultSecretsOfficer`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.KeyVaultSecretsUser`
- `Azure.Provisioning.KeyVault.KeyVaultBuiltInRole.ManagedHsmContributor`

For more information, see [Aspire Azure Key Vault integration](/integrations/cloud/azure/azure-key-vault/azure-key-vault-get-started/).

### Azure AI Search

The provisioning resource type is `Azure.Provisioning.Search.SearchService`, and the built-in roles are defined in the `Azure.Provisioning.Search.SearchBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataContributor`
- `Azure.Provisioning.Search.SearchBuiltInRole.SearchIndexDataReader`
- `Azure.Provisioning.Search.SearchBuiltInRole.SearchServiceContributor`

For more information, see [Aspire Azure AI Search integration](/integrations/cloud/azure/azure-ai-search/azure-ai-search-get-started/).

### Azure Service Bus

The provisioning resource type is `Azure.Provisioning.ServiceBus.ServiceBusNamespace`, and the built-in roles are defined in the `Azure.Provisioning.ServiceBus.ServiceBusBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.ServiceBus.ServiceBusBuiltInRole.AzureServiceBusDataOwner`
- `Azure.Provisioning.ServiceBus.ServiceBusBuiltInRole.AzureServiceBusDataReceiver`
- `Azure.Provisioning.ServiceBus.ServiceBusBuiltInRole.AzureServiceBusDataSender`

For more information, see [Aspire Azure Service Bus integration](/integrations/cloud/azure/azure-service-bus/azure-service-bus-get-started/).

### Azure SignalR Service

The provisioning resource type is `Azure.Provisioning.SignalR.SignalRService`, and the built-in roles are defined in the `Azure.Provisioning.SignalR.SignalRBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRAccessKeyReader`
- `Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRAppServer`
- `Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRContributor`
- `Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRRestApiOwner`
- `Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRRestApiReader`
- `Azure.Provisioning.SignalR.SignalRBuiltInRole.SignalRServiceOwner`

For more information, see [Aspire support for Azure SignalR Service](/integrations/cloud/azure/azure-signalr/azure-signalr-get-started/).

### Azure SQL

The provisioning resource type is `Azure.Provisioning.Sql.SqlServer`, and the built-in roles are defined in the `Azure.Provisioning.Sql.SqlBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.Sql.SqlBuiltInRole.AzureConnectedSqlServerOnboarding`
- `Azure.Provisioning.Sql.SqlBuiltInRole.SqlDBContributor`
- `Azure.Provisioning.Sql.SqlBuiltInRole.SqlManagedInstanceContributor`
- `Azure.Provisioning.Sql.SqlBuiltInRole.SqlSecurityManager`
- `Azure.Provisioning.Sql.SqlBuiltInRole.SqlServerContributor`

For more information, see [Aspire Azure SQL integration](/integrations/cloud/azure/azure-sql-database/azure-sql-database-get-started/).

### Azure Storage

The provisioning resource type is `Azure.Provisioning.Storage.StorageAccount`, and the built-in roles are defined in the `Azure.Provisioning.Storage.StorageBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.Storage.StorageBuiltInRole.ClassicStorageAccountContributor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.ClassicStorageAccountKeyOperatorServiceRole`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageAccountBackupContributor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageAccountContributor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageAccountKeyOperatorServiceRole`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageBlobDataContributor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageBlobDataOwner`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageBlobDataReader`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageBlobDelegator`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataPrivilegedContributor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataPrivilegedReader`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataSmbShareContributor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataSmbShareElevatedContributor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageFileDataSmbShareReader`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageQueueDataContributor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageQueueDataMessageProcessor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageQueueDataMessageSender`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageQueueDataReader`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageTableDataContributor`
- `Azure.Provisioning.Storage.StorageBuiltInRole.StorageTableDataReader`

For more information, see:

- [Aspire Azure Blob Storage integration](/integrations/cloud/azure/azure-storage-blobs/azure-storage-blobs-get-started/)
- [Aspire Azure Data Tables integration](/integrations/cloud/azure/azure-storage-tables/azure-storage-tables-get-started/)
- [Aspire Azure Queue Storage integration](/integrations/cloud/azure/azure-storage-queues/azure-storage-queues-get-started/)

### Azure Web PubSub

The provisioning resource type is `Azure.Provisioning.WebPubSub.WebPubSubService`, and the built-in roles are defined in the `Azure.Provisioning.WebPubSub.WebPubSubBuiltInRole` struct. The built-in roles are:

- `Azure.Provisioning.WebPubSub.WebPubSubBuiltInRole.WebPubSubContributor`
- `Azure.Provisioning.WebPubSub.WebPubSubBuiltInRole.WebPubSubServiceOwner`
- `Azure.Provisioning.WebPubSub.WebPubSubBuiltInRole.WebPubSubServiceReader`

For more information, see [Aspire Azure Web PubSub integration](/integrations/cloud/azure/azure-web-pubsub/azure-web-pubsub-get-started/).

## See also

- [Aspire Azure integrations overview](/integrations/cloud/azure/overview/)
- [Customize Azure resources](/integrations/cloud/azure/customize-resources/)
- [User-assigned managed identity](/integrations/cloud/azure/user-assigned-identity/)
- [Azure role-based access control (RBAC)](https://learn.microsoft.com/azure/role-based-access-control/overview)
- [Azure built-in roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles)