Azure Container Apps managed identity changes

Starting with .NET Aspire 9.2, each Azure Container App created using the 📦 Aspire.Hosting.Azure.AppContainers NuGet package has its own Azure Managed Identity. This change enables more granular role assignments for Azure resources but might require updates to applications that rely on shared managed identities.

Version introduced

.NET Aspire 9.2

Previous behavior

All ContainerApps shared a single Azure Managed Identity. This allowed applications to interact with Azure resources using a common identity.

New behavior

Each ContainerApp now has its own unique Azure Managed Identity. This enables applications to have distinct role assignments for different Azure resources.

Type of breaking change

This is a behavioral change.

Reason for change

This change was introduced to support scenarios where applications require different role assignments for different Azure resources. By assigning a unique managed identity to each ContainerApp, applications can now operate with more granular access control.

The recommended action is to update your Azure resources to use the new managed identities. This may include:

Azure SQL Server

Grant access to all Azure Managed Identities that need to interact with the database. Follow the guidance in Configure and manage Azure AD authentication with Azure SQL.

Azure PostgreSQL

Grant necessary privileges to all Azure Managed Identities that need to interact with the database. Use the PostgreSQL documentation on granting privileges as a reference. For example:

GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO <managed_identity_user>;
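
The following is an added example, not part of the original page: it applies the grant above per identity instead of to one shared user, so each app gets only the privileges it needs. The role names `orders_api_identity`, `reports_identity` and `app_owner` are hypothetical placeholders, and the example assumes the PostgreSQL roles for the managed identities already exist.

```sql
-- Constructed example: two container apps, each with its own managed identity
-- that is already mapped to a PostgreSQL role. All role names are hypothetical.

BEGIN;

-- Both identities must be able to resolve objects in the schema.
GRANT USAGE ON SCHEMA public TO orders_api_identity, reports_identity;

-- Read/write app: data access only, no DDL rights.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA public TO orders_api_identity;
GRANT USAGE, SELECT
    ON ALL SEQUENCES IN SCHEMA public TO orders_api_identity;

-- Read-only app: SELECT and nothing else.
GRANT SELECT ON ALL TABLES IN SCHEMA public TO reports_identity;

-- GRANT ... ON ALL TABLES covers only tables that exist right now.
-- Default privileges extend the same split to tables created later by
-- app_owner (assumed here to be the role that runs schema migrations).
-- Run this as app_owner, a member of app_owner, or a superuser.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO orders_api_identity;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT USAGE, SELECT ON SEQUENCES TO orders_api_identity;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT SELECT ON TABLES TO reports_identity;

COMMIT;

-- Review the result: one row per identity and table with its privileges.
-- reports_identity should list SELECT only.
SELECT grantee,
       table_name,
       string_agg(privilege_type, ', ' ORDER BY privilege_type) AS privileges
FROM information_schema.role_table_grants
WHERE table_schema = 'public'
  AND grantee IN ('orders_api_identity', 'reports_identity')
GROUP BY grantee, table_name
ORDER BY grantee, table_name;
```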

Affected APIs

  • Aspire.Hosting.AzureContainerAppExtensions.AddAzureContainerAppsInfrastructure
  • Aspire.Hosting.AzureContainerAppProjectExtensions.PublishAsAzureContainerApp
  • Aspire.Hosting.AzureContainerAppExecutableExtensions.PublishAsAzureContainerApp
  • Aspire.Hosting.AzureContainerAppContainerExtensions.PublishAsAzureContainerApp