From 341d6ad95a47fafe528194f0f2fd0bd2e3f45b40 Mon Sep 17 00:00:00 2001
From: Eric Erhardt
Date: Thu, 27 Mar 2025 09:45:04 -0500
Subject: [PATCH] Reduce default KeyVault role

KeyVaultAdministrator is too high of a priviledge role to use by default in applications. By default apps should need to manage key vault settings, but instead just be able to read secrets. So instead, by default apps will get KeyVaultSecretsUser role and if an application needs a higher role, it can be configured easily by using WithRoleAssignments.

Fix #8218
---
 .../AzureKeyVaultResourceExtensions.cs | 2 +-
 tests/Aspire.Hosting.Azure.Tests/AzureBicepResourceTests.cs | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResourceExtensions.cs b/src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResourceExtensions.cs
index 8802b2372bc..4c154eb0d59 100644
--- a/src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResourceExtensions.cs
+++ b/src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResourceExtensions.cs
@@ -71,7 +71,7 @@ public static IResourceBuilder AddAzureKeyVault(this IDis
 var resource = new AzureKeyVaultResource(name, configureInfrastructure);
 return builder.AddResource(resource)
 .WithDefaultRoleAssignments(KeyVaultBuiltInRole.GetBuiltInRoleName,
- KeyVaultBuiltInRole.KeyVaultAdministrator);
+ KeyVaultBuiltInRole.KeyVaultSecretsUser);
 }
 
 ///
diff --git a/tests/Aspire.Hosting.Azure.Tests/AzureBicepResourceTests.cs b/tests/Aspire.Hosting.Azure.Tests/AzureBicepResourceTests.cs
index 913eee6d585..07c69f441cb 100644
--- a/tests/Aspire.Hosting.Azure.Tests/AzureBicepResourceTests.cs
+++ b/tests/Aspire.Hosting.Azure.Tests/AzureBicepResourceTests.cs
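Review bot: The XML doc block beginning at the `///` context line after the closing brace should state the new default, because callers who silently relied on the implicit KeyVaultAdministrator grant will now get authorization failures at runtime for anything beyond reading secrets. Key Vault Secrets User covers secret reads only: apps that use the vault for keys (for example data-protection key wrapping) or for certificates need the Key Vault Crypto User or Key Vault Certificate User roles, and apps that write secrets need Secrets Officer, all of which must now be opted into explicitly. Suggested remarks text: `/// By default, resources that reference the Key Vault are granted the Key Vault Secrets User role (read secrets only); use <c>WithRoleAssignments</c> to grant additional roles.` This is a behavioral breaking change and is worth calling out as such in the commit description alongside the migration path. The enclosing AddAzureKeyVault method starts outside the hunk.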
@@ -1361,11 +1361,11 @@ param principalId string
 name: mykv_outputs_name
 }
 
- resource mykv_KeyVaultAdministrator 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(mykv.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483'))
+ resource mykv_KeyVaultSecretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(mykv.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6'))
 properties: {
 principalId: principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
 principalType: principalType
 }
 scope: mykv