Skip to content

Stop ViteApps (build only containers) from getting Azure managed identities and roles #14474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
eerhardt merged 2 commits into from
Feb 12, 2026
+45 −18
Merged

Stop ViteApps (build only containers) from getting Azure managed identities and roles #14474

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
87860a9
Stop ViteApps (build only containers) from getting Azure managed iden…
eerhardt Feb 12, 2026
54796b2
Update src/Aspire.Hosting.Azure/AzureResourcePreparer.cs
eerhardt Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 5 additions & 18 deletions src/Aspire.Hosting.Azure/AzureResourcePreparer.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,19 +125,13 @@ private async Task BuildRoleAssignmentAnnotations(DistributedApplicationModel ap
// - if in PublishMode
// - if a compute resource has RoleAssignmentAnnotations, use them
// - if the resource doesn't, copy the DefaultRoleAssignments to RoleAssignmentAnnotations to apply the defaults
var resourceSnapshot = appModel.Resources.ToArray(); // avoid modifying the collection while iterating
var resourceSnapshot = appModel.GetComputeResources()
.Concat(appModel.Resources
.OfType<AzureUserAssignedIdentityResource>()
.Where(r => !r.IsExcludedFromPublish()))
.ToArray(); // avoid modifying the collection while iterating
foreach (var resource in resourceSnapshot)
{
if (resource.IsExcludedFromPublish())
{
continue;
}

if (!IsResourceValidForRoleAssignments(resource))
{
continue;
}

var azureReferences = await GetAzureReferences(resource, cancellationToken).ConfigureAwait(false);

var azureReferencesWithRoleAssignments =
Expand Down Expand Up @@ -231,13 +225,6 @@ private async Task BuildRoleAssignmentAnnotations(DistributedApplicationModel ap
{
CreateGlobalRoleAssignments(appModel, globalRoleAssignments);
}

// We can derive role assignments for compute resources and declared
// AzureUserAssignedIdentityResources
static bool IsResourceValidForRoleAssignments(IResource resource)
{
return resource.IsContainer() || resource is ProjectResource || resource is AzureUserAssignedIdentityResource;
}
}

private static Dictionary<AzureProvisioningResource, IEnumerable<RoleDefinition>> GetAllRoleAssignments(IResource resource)
Expand Down
1 change: 1 addition & 0 deletions tests/Aspire.Hosting.Azure.Tests/Aspire.Hosting.Azure.Tests.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
</PropertyGroup>

<ItemGroup>
<ProjectReference Include="..\..\src\Aspire.Hosting.JavaScript\Aspire.Hosting.JavaScript.csproj" />
<ProjectReference Include="..\..\src\Aspire.Hosting.Azure.AIFoundry\Aspire.Hosting.Azure.AIFoundry.csproj" />
<ProjectReference Include="..\..\src\Aspire.Hosting.Azure.AppConfiguration\Aspire.Hosting.Azure.AppConfiguration.csproj" />
<ProjectReference Include="..\..\src\Aspire.Hosting.Azure.AppService\Aspire.Hosting.Azure.AppService.csproj" />
Expand Down
39 changes: 39 additions & 0 deletions tests/Aspire.Hosting.Azure.Tests/AzureResourcePreparerTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,45 @@ public async Task AppliesRoleAssignmentsOnlyToDirectReferences()
n => Assert.Equal("api-roles-storage", n));
}

[Fact]
public async Task ViteAppDoesNotGetManagedIdentity()
{
using var builder = TestDistributedApplicationBuilder.Create(DistributedApplicationOperation.Publish);
builder.AddAzureContainerAppEnvironment("env");

var storage = builder.AddAzureStorage("storage");
var blobs = storage.AddBlobs("blobs");

var api = builder.AddProject<Project>("api", launchProfileName: null)
.WithHttpEndpoint()
.WithReference(blobs)
.WaitFor(blobs);

var frontend = builder.AddViteApp("frontend", "./frontend")
.WithReference(api)
.WithReference(blobs)
.WaitFor(blobs);

using var app = builder.Build();
var model = app.Services.GetRequiredService<DistributedApplicationModel>();
await ExecuteBeforeStartHooksAsync(app, default);

Assert.Collection(model.Resources.Select(r => r.Name),
n => Assert.StartsWith("azure", n),
n => Assert.Equal("env-acr", n),
n => Assert.Equal("env", n),
n => Assert.Equal("storage", n),
n => Assert.Equal("blobs", n),
n => Assert.Equal("api", n),
n => Assert.Equal("frontend", n),
n => Assert.Equal("api-identity", n),
n => Assert.Equal("api-roles-storage", n));

// The ViteApp should NOT get a managed identity since it is a BuildOnlyContainer resource,
// even though it references the storage account. Only the API should get a managed identity.
Assert.DoesNotContain(model.Resources, r => r.Name == "frontend-identity");
}

private sealed class Project : IProjectMetadata
{
public string ProjectPath => "project";
Expand Down
Loading