[Breaking change]: AddAzureSqlServer assigns a dedicated user assigned managed identity as the administrator #3386

@sebastienros

Description

When using Aspire.Hosting.Azure.AppContainers to customize a ContainerApp (project, executable, or container), each container app has its own managed identity. In Aspire 9.2 these managed identities were assigned as the administrator. However, using two app containers would result in the second one replacing the first, hence losing access.

In Aspire 9.3 each deployed Azure Sql Server instance gets a dedicated user assigned managed identity as its admin.
When using AppContainers to access these Azure Sql Server instances, their user assigned managed identities (feature introduced in 9.2) will be granted the db_owner role during deployment.

If this model doesn't suit the users' needs, then the AsExisting() method can be used on the Azure Sql Server resource such that no such operation is executed. Existing instances are not reconfigured.

Furthermore, if an application is not deployed as an app container, then the current Entra ID user account is also added as a db_owner in the database, allowing the user to use data management tools to configure it.

Version

.NET Aspire 9.3

Previous behavior

dotnet/aspire#8389

New behavior

Each Azure Sql Server instance is assigned a dedicated user managed identity administrator account.
Each App Container or local user is assigned the db_owner role as a user account.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

Fix limitation/bug when using multiple accounts/identity for a database.

Recommended action

n/a

Affected APIs

Aspire.Hosting.AzureContainerAppExtensions.AddAzureContainerAppsInfrastructure
Aspire.Hosting.AzureContainerAppProjectExtensions.PublishAsAzureContainerApp
Aspire.Hosting.AzureContainerAppExecutableExtensions.PublishAsAzureContainerApp
Aspire.Hosting.AzureContainerAppContainerExtensions.PublishAsAzureContainerApp
Aspire.Hosting.SqlServerBuilderExtensions.AddSqlServer


Associated WorkItem - 431124
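
To check which principals a deployment has left with db_owner, the role membership can be read from the database itself. The query below is an added example, not part of the original issue or of the Aspire code base; it uses only the standard SQL Server catalog views and assumes the managed identities and the local account exist in the database as Entra ID (external) principals.

```sql
-- Added audit query (not from the issue). Run it in the application database,
-- not in master. It lists every member of db_owner and flags Entra ID
-- principals, which is how managed identities and Entra users appear.
SELECT
    m.name                     AS member_name,
    m.type_desc                AS principal_type,   -- EXTERNAL_USER / EXTERNAL_GROUP for Entra ID
    m.authentication_type_desc AS auth_type,        -- EXTERNAL for Entra ID principals
    m.create_date,                                  -- correlate with the deployment time
    CASE WHEN m.type IN ('E', 'X') THEN 1 ELSE 0 END AS is_entra_principal
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.create_date;
```

Rows other than the built-in dbo and the identities described above deserve review.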

Labels

  • 📌 seQUESTered: Identifies that an issue has been imported into Quest.
  • Pri1: High priority, do before Pri2 and Pri3
  • area-docs
  • doc-idea: Indicates issues that are suggestions for new topics [org][type][category]
  • ⛓️‍💥 breaking-change: Issues or PRs tracking breaking changes.