
User-assigned managed identity


This article is the reference for the Aspire Azure user-assigned managed identity (UMI) support. It enumerates the AppHost APIs — with examples for both AppHost.cs and apphost.ts — that you use to add, reference, and assign roles to user-assigned managed identities in your AppHost project.

A user-assigned managed identity is a standalone Azure resource that you assign to one or more Azure service resources, giving you explicit control over identity management and resource access.

To create a new user-assigned managed identity, use the AddAzureUserAssignedIdentity (or addAzureUserAssignedIdentity) API:

C# — AppHost.cs
var builder = DistributedApplication.CreateBuilder(args);
var sharedMi = builder.AddAzureUserAssignedIdentity("custom-umi");
// After adding all resources, run the app...
builder.Build().Run();

The preceding code creates a new managed identity named "custom-umi" that you can use with other resources in your application.

If you already have a managed identity, reference it using the PublishAsExisting (or publishAsExisting) method. This is useful when you want to use an identity created outside of your Aspire project:

C# — AppHost.cs
var builder = DistributedApplication.CreateBuilder(args);
var miName = builder.AddParameter("miName");
var miResourceGroup = builder.AddParameter("miResourceGroup");
var sharedMi = builder.AddAzureUserAssignedIdentity("custom-umi")
    .PublishAsExisting(miName, miResourceGroup);
// After adding all resources, run the app...
builder.Build().Run();

In the preceding example, parameters supply the name and resource group of the existing identity so the AppHost references it rather than creating a new one.

Grant Azure roles to your managed identity using the WithRoleAssignments (or withRoleAssignments) API, giving the identity access to other Azure resources:

C# — AppHost.cs
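using Azure.Provisioning.KeyVault; // namespace of KeyVaultBuiltInRole

var builder = DistributedApplication.CreateBuilder(args);
var sharedMi = builder.AddAzureUserAssignedIdentity("custom-umi");
// Grant the identity read access to secrets on this vault only.
builder.AddAzureKeyVault("secrets")
    .WithRoleAssignments(sharedMi, KeyVaultBuiltInRole.KeyVaultSecretsUser);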
// After adding all resources, run the app...
builder.Build().Run();

In the preceding example, the managed identity is granted the KeyVaultSecretsUser role on the Key Vault resource.
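
After deployment, you can check that the identity holds only the grant declared above. The following Python script is an added example, not part of the Aspire documentation or code base: it audits JSON shaped like the output of `az role assignment list --assignee <principalId> --all -o json` and reports any assignment that goes beyond "Key Vault Secrets User" on the vault. It assumes the assignment is expected at the vault's own scope; all IDs and names in the sample are constructed.

```python
import json

# Constructed IDs for illustration; none come from a real tenant.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/secrets-example"
UMI_PRINCIPAL = "11111111-1111-1111-1111-111111111111"

# Constructed sample shaped like the JSON from
# `az role assignment list --assignee <principalId> --all -o json`.
SAMPLE = json.dumps([
    {"principalId": UMI_PRINCIPAL, "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT},
    {"principalId": UMI_PRINCIPAL, "roleDefinitionName": "Key Vault Secrets User", "scope": RG},
    {"principalId": UMI_PRINCIPAL, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Owner", "scope": SUB},
])


def within(scope, resource_id):
    """True if scope is the resource itself or a child of it (Azure IDs are case-insensitive)."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    # Require a "/" boundary so a vault named "secrets-example2" does not match.
    return s == r or s.startswith(r + "/")


def audit(assignments_json, principal_id, allowed_roles, resource_id):
    """Return (role, scope, reason) for each assignment that exceeds the intended grant."""
    findings = []
    for a in json.loads(assignments_json):
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to a different principal
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role not in allowed_roles:
            findings.append((role, scope, "unexpected role"))
        elif not within(scope, resource_id):
            findings.append((role, scope, "scope wider than the vault"))
    return findings


if __name__ == "__main__":
    for role, scope, reason in audit(SAMPLE, UMI_PRINCIPAL, {"Key Vault Secrets User"}, VAULT):
        print(f"{reason}: {role} at {scope}")
```

An empty result means the identity's assignments match the declared grant; a role inherited from the resource group or subscription shows up as a finding even when the role name itself is the expected one.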