KeyVault default role assignment changing from KeyVaultAdministrator to KeyVaultSecretsUser

In .NET Aspire 9.2, the default role assigned to applications referencing Azure KeyVault has changed from KeyVaultAdministrator to KeyVaultSecretsUser. This change enhances security by limiting default privileges to only reading secrets. Applications requiring higher privileges must explicitly configure them.

Version introduced

.NET Aspire 9.2

Previous behavior

Previously, applications referencing Azure KeyVault were automatically granted the KeyVaultAdministrator role, which allowed full management of KeyVault settings.

New behavior

Applications referencing Azure KeyVault are now granted the KeyVaultSecretsUser role by default, which restricts access to reading secrets. If higher privileges are required, they can be configured using the WithRoleAssignments API.

Example:

using Azure.Provisioning.KeyVault;

var builder = DistributedApplication.CreateBuilder(args);

var kv = builder.AddAzureKeyVault("kv");

// Explicit role assignments replace the default KeyVaultSecretsUser grant.
builder.AddProject<Projects.ApiService>("api")
       .WithRoleAssignments(kv, KeyVaultBuiltInRole.KeyVaultContributor);

Type of breaking change

This is a behavioral change.

Reason for change

The KeyVaultAdministrator role provides excessive privileges for most applications, as they typically only need to read secrets. Assigning the KeyVaultSecretsUser role by default improves security by adhering to the principle of least privilege.

If your application requires higher privileges than the KeyVaultSecretsUser role, explicitly configure the necessary roles using the WithRoleAssignments API. For example:

using Azure.Provisioning.KeyVault;

var builder = DistributedApplication.CreateBuilder(args);

var kv = builder.AddAzureKeyVault("kv");

// Explicit role assignments replace the default KeyVaultSecretsUser grant.
builder.AddProject<Projects.ApiService>("api")
       .WithRoleAssignments(kv, KeyVaultBuiltInRole.KeyVaultContributor);
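The following AppHost snippet is an added illustration of how the new default interacts with explicit assignments; it is not from this page or from the .NET Aspire project. It assumes that a project which never calls WithRoleAssignments keeps the default KeyVaultSecretsUser grant, that calling WithRoleAssignments replaces that default rather than adding to it, and that KeyVaultBuiltInRole.KeyVaultSecretsOfficer and KeyVaultBuiltInRole.KeyVaultReader are available in Azure.Provisioning.KeyVault. The project names Projects.ApiService, Projects.SecretRotator and Projects.AuditService are placeholders.

```csharp
using Azure.Provisioning.KeyVault;

var builder = DistributedApplication.CreateBuilder(args);

var kv = builder.AddAzureKeyVault("kv");

// Typical consumer: reads secrets at startup and nothing else.
// With 9.2 it receives KeyVaultSecretsUser implicitly; no call needed.
builder.AddProject<Projects.ApiService>("api")
       .WithReference(kv);

// A service that writes or rotates secrets needs more than read access.
// Assumption: explicit assignments replace the default set, so list every
// role the service needs. KeyVaultSecretsOfficer covers read and write of
// secret values without granting vault-level management.
builder.AddProject<Projects.SecretRotator>("rotator")
       .WithReference(kv)
       .WithRoleAssignments(kv,
           KeyVaultBuiltInRole.KeyVaultSecretsOfficer);

// A service that only needs to enumerate vault metadata (names, versions)
// but must never see secret values can be scoped down further than the
// new default. Assumption: KeyVaultReader is a metadata-only role.
builder.AddProject<Projects.AuditService>("audit")
       .WithReference(kv)
       .WithRoleAssignments(kv,
           KeyVaultBuiltInRole.KeyVaultReader);

builder.Build().Run();
```

When upgrading, check each project that references the vault and classify it into one of these three buckets; anything that writes, deletes or purges secrets under 9.1 will start failing with 403 Forbidden once the default shrinks to KeyVaultSecretsUser, which is the signal to add an explicit assignment rather than to restore KeyVaultAdministrator.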

Affected APIs