
[Breaking change]: AzureContainerApps Infrastructure creates managed identity per container app #2914

@eerhardt

Description

When using Aspire.Hosting.Azure.AppContainers to customize a ContainerApp (project, executable, or container), each container app now has its own managed identity.

This can cause problems with some Azure resources.

Azure SQL Server

.NET Aspire's Azure SQL Server Hosting integration grants access to the application by adding the application as a SQL Admin. However, Azure SQL Server only supports a single admin, so the last deployed application will be granted administrator and other applications won't.

See Using multiple apps to talk to Azure SQL Server doesn't work with managed identities (dotnet/aspire#8389) for more information.

Azure PostgreSQL

The user who creates a PostgreSQL database object is automatically its owner. Any other user, including administrators, won't have INSERT, UPDATE, or DELETE rights on tables created by another user. If your application has a separate Container App that performs Entity Framework database migrations, the identity that application runs as will be the owner of the tables, and any other Container App won't have edit permissions on them unless those privileges are explicitly granted.

Version

.NET Aspire 9.2

Previous behavior

All ContainerApps were running with the same shared Azure Managed Identity.

New behavior

Each ContainerApp will have its own Azure Managed Identity.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

In order to support applications with different role assignments to different Azure resources, each ContainerApp runs as a different managed identity.

Recommended action

Azure SQL Server

Create users and assign roles for all Azure Managed Identities that need to interact with the database, following https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure.

Azure PostgreSQL

Run a script to grant the necessary privileges to all Azure Managed Identities that need to interact with the database, following https://www.postgresql.org/docs/current/ddl-priv.html.
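An added example of such a PostgreSQL script (not part of this issue or of Aspire) for the migration-owner situation described above: the role names `migrations` (the identity that runs EF migrations and therefore owns the tables) and `apiservice` (another container app's identity) are hypothetical placeholders, and the `pgaadauth_create_principal` step assumes Azure Database for PostgreSQL Flexible Server with Microsoft Entra authentication.

```sql
-- Added example, not from the issue. Grants DML rights on tables owned by one
-- managed identity to another, without making the second identity an owner.
-- Run as a server administrator, connected to the application database.
-- Role names 'migrations' and 'apiservice' are hypothetical placeholders.

-- 1. Create a database role for the container app's managed identity.
--    On Azure Database for PostgreSQL Flexible Server with Entra ID auth the
--    role is created with the server-provided function below (assumed here);
--    on plain PostgreSQL use CREATE ROLE "apiservice" LOGIN instead.
SELECT * FROM pgaadauth_create_principal('apiservice', false, false);

-- 2. Allow the role to use the schema and the tables that already exist
--    (created, and therefore owned, by the 'migrations' identity).
GRANT USAGE ON SCHEMA public TO "apiservice";
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "apiservice";
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO "apiservice";

-- 3. Cover tables and sequences that future migrations create, so the grant
--    does not have to be re-run after every schema change. The admin running
--    this must be a member of the 'migrations' role (or a superuser).
ALTER DEFAULT PRIVILEGES FOR ROLE "migrations" IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "apiservice";
ALTER DEFAULT PRIVILEGES FOR ROLE "migrations" IN SCHEMA public
    GRANT USAGE, SELECT ON SEQUENCES TO "apiservice";

-- 4. Verify: list the table privileges now held by the app identity.
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'apiservice'
ORDER BY table_name, privilege_type;
```

Repeat steps 1 to 3 once per container app identity that needs data access; identities that only read should receive SELECT alone.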

Affected APIs

  • Aspire.Hosting.AzureContainerAppExtensions.AddAzureContainerAppsInfrastructure
  • Aspire.Hosting.AzureContainerAppProjectExtensions.PublishAsAzureContainerApp
  • Aspire.Hosting.AzureContainerAppExecutableExtensions.PublishAsAzureContainerApp
  • Aspire.Hosting.AzureContainerAppContainerExtensions.PublishAsAzureContainerApp

Associated WorkItem - 417079
