Skip to content

Reduce default KeyVault role #8351

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 27, 2025
Merged

Reduce default KeyVault role #8351

merged 1 commit into from
Mar 27, 2025

Conversation

@eerhardt
Copy link
Member

@eerhardt eerhardt commented Mar 27, 2025
edited
Loading

Description

KeyVaultAdministrator is too high of a priviledge role to use by default in applications. By default apps should not need to manage key vault settings, but instead just be able to read secrets. So instead, by default apps will get KeyVaultSecretsUser role and if an application needs a higher role, it can be configured easily by using WithRoleAssignments.

Fix #8218

Checklist

@eerhardt
Reduce default KeyVault role
341d6ad 
KeyVaultAdministrator is too high of a priviledge role to use by default in applications. By default apps should need to manage key vault settings, but instead just be able to read secrets. So instead, by default apps will get KeyVaultSecretsUser role and if an application needs a higher role, it can be configured easily by using WithRoleAssignments.

Fix dotnet#8218
Copilot AI review requested due to automatic review settings March 27, 2025 15:19
Copilot AI reviewed Mar 27, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR aims to lower the default KeyVault role for applications from KeyVaultAdministrator to KeyVaultSecretsUser to reduce privilege levels.

  • Updated test resource definitions in AzureBicepResourceTests.cs to assign the KeyVaultSecretsUser role.
  • Modified default role assignment in AzureKeyVaultResourceExtensions.cs to use KeyVaultSecretsUser by default.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
tests/Aspire.Hosting.Azure.Tests/AzureBicepResourceTests.cs Changed role assignments from KeyVaultAdministrator to KeyVaultSecretsUser to match reduced privilege requirements
src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResourceExtensions.cs Updated default role in the role assignment method to use KeyVaultSecretsUser

@github-actions github-actions bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Mar 27, 2025
@eerhardt eerhardt added area-integrations Issues pertaining to Aspire Integrations packages azure Issues associated specifically with scenarios tied to using Azure azure-keyvault and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Mar 27, 2025
@eerhardt eerhardt mentioned this pull request Mar 27, 2025
Closed
3 tasks
@eerhardt eerhardt merged commit 053bb02 into dotnet:main Mar 27, 2025
167 checks passed
@eerhardt eerhardt deleted the KeyVaultAdmin branch March 27, 2025 19:05
@github-actions github-actions bot locked and limited conversation to collaborators Apr 27, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

Copilot code review Copilot Copilot left review comments

@davidfowl davidfowl davidfowl approved these changes

@captainsafia captainsafia captainsafia approved these changes

Assignees

No one assigned

Labels

area-integrations Issues pertaining to Aspire Integrations packages azure Issues associated specifically with scenarios tied to using Azure azure-keyvault

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Make the default role for KeyVault references to Key Vault Secrets User

3 participants

@eerhardt @davidfowl @captainsafia