Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In this article, you learn how to add or reference user-assigned managed identities (UMIs). You can add UMIs in your .NET Aspire applications to securely access Azure resources. A UMI is a standalone Azure resource that you can assign to one or more service resources. UMIs give you more control over identity management and resource access.
Add a user-assigned managed identity
To create a new user-assigned managed identity, use the AddAzureUserAssignedIdentity API in your distributed application builder:
var builder = DistributedApplication.CreateBuilder(args);
var sharedMi = builder.AddAzureUserAssignedIdentity("custom-umi");
// After adding all resources, run the app...
builder.Build().Run();
The preceding code creates a new managed identity named "custom-umi" that you can use with other resources in your application.
Reference an existing managed identity
If you already have a managed identity, you can reference it using the PublishAsExisting method. This is useful when you want to use an identity that was created outside of your .NET Aspire project.
var builder = DistributedApplication.CreateBuilder(args);
var miName = builder.AddParameter("miName");
var miResourceGroup = builder.AddParameter("miResourceGroup");
var sharedMi = builder.AddAzureUserAssignedIdentity("custom-umi")
.PublishAsExisting(miName, miResourceGroup);
// After adding all resources, run the app...
builder.Build().Run();
In the preceding example, you use parameters to provide the name and resource group of the existing identity. This allows you to reference the managed identity without creating a new one.
Assign roles to managed identities
You can grant Azure roles to your managed identity using the WithRoleAssignments API. This lets your identity access other Azure resources, such as Azure Key Vault.
var builder = DistributedApplication.CreateBuilder(args);
var sharedMi = builder.AddAzureUserAssignedIdentity("custom-umi");
builder.AddAzureKeyVault("secrets")
.WithRoleAssignments(sharedMi, BuiltInRole.Reader);
// After adding all resources, run the app...
builder.Build().Run();
In this example, you give the Reader role to the managed identity for the Key Vault resource. For more information about role assignments, see Manage Azure role assignments.
See also
Collaborate with us on GitHub
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.
.NET Aspire