| 
 | 1 | +---  | 
 | 2 | +title: User-assigned managed identities  | 
 | 3 | +description: Learn how to use user-assigned managed identities in your .NET Aspire applications to securely access Azure resources.  | 
 | 4 | +ms.date: 05/08/2025  | 
 | 5 | +---  | 
 | 6 | + | 
 | 7 | +# User-assigned managed identities in .NET Aspire  | 
 | 8 | + | 
 | 9 | +In this article, you learn how to add or reference user-assigned managed identities (UMIs). You can add UMIs in your .NET Aspire applications to securely access Azure resources. A UMI is a standalone Azure resource that you can assign to one or more service resources. UMIs give you more control over identity management and resource access.  | 
 | 10 | + | 
 | 11 | +## Add a user-assigned managed identity  | 
 | 12 | + | 
 | 13 | +To create a new user-assigned managed identity, use the `AddAzureUserAssignedIdentity` API in your distributed application builder:  | 
 | 14 | + | 
 | 15 | +```csharp  | 
 | 16 | +var builder = DistributedApplication.CreateBuilder(args);  | 
 | 17 | + | 
 | 18 | +var sharedMi = builder.AddAzureUserAssignedIdentity("custom-umi");  | 
 | 19 | + | 
 | 20 | +// After adding all resources, run the app...  | 
 | 21 | +
  | 
 | 22 | +builder.Build().Run();  | 
 | 23 | +```  | 
 | 24 | + | 
 | 25 | +The preceding code creates a new managed identity named "custom-umi" that you can use with other resources in your application.  | 
 | 26 | + | 
 | 27 | +## Reference an existing managed identity  | 
 | 28 | + | 
 | 29 | +If you already have a managed identity, you can reference it using the <xref:Aspire.Hosting.ExistingAzureResourceExtensions.PublishAsExisting*> method. This is useful when you want to use an identity that was created outside of your .NET Aspire project.  | 
 | 30 | + | 
 | 31 | +```csharp  | 
 | 32 | +var builder = DistributedApplication.CreateBuilder(args);  | 
 | 33 | + | 
 | 34 | +var miName = builder.AddParameter("miName");  | 
 | 35 | +var miResourceGroup = builder.AddParameter("miResourceGroup");  | 
 | 36 | + | 
 | 37 | +var sharedMi = builder.AddAzureUserAssignedIdentity("custom-umi")  | 
 | 38 | +    .PublishAsExisting(miName, miResourceGroup);  | 
 | 39 | + | 
 | 40 | +// After adding all resources, run the app...  | 
 | 41 | +
  | 
 | 42 | +builder.Build().Run();  | 
 | 43 | +```  | 
 | 44 | + | 
 | 45 | +In the preceding example, you use parameters to provide the name and resource group of the existing identity. This allows you to reference the managed identity without creating a new one.  | 
 | 46 | + | 
 | 47 | +## Assign roles to managed identities  | 
 | 48 | + | 
 | 49 | +You can grant Azure roles to your managed identity using the WithRoleAssignments API. This lets your identity access other Azure resources, such as Azure Key Vault.  | 
 | 50 | + | 
 | 51 | +```csharp  | 
 | 52 | +var builder = DistributedApplication.CreateBuilder(args);  | 
 | 53 | + | 
 | 54 | +var sharedMi = builder.AddAzureUserAssignedIdentity("custom-umi");  | 
 | 55 | + | 
 | 56 | +builder.AddAzureKeyVault("secrets")  | 
 | 57 | +       .WithRoleAssignments(sharedMi, BuiltInRole.Reader);  | 
 | 58 | + | 
 | 59 | +// After adding all resources, run the app...  | 
 | 60 | +
  | 
 | 61 | +builder.Build().Run();  | 
 | 62 | +```  | 
 | 63 | + | 
 | 64 | +In this example, you give the Reader role to the managed identity for the Key Vault resource. For more information about role assignments,  see [Manage Azure role assignments](role-assignments.md).  | 
 | 65 | + | 
 | 66 | +## See also  | 
 | 67 | + | 
 | 68 | +- [Azure managed identities overview](/azure/active-directory/managed-identities-azure-resources/overview)  | 
 | 69 | +- [Azure Key Vault](/azure/key-vault/general/basic-concepts)  | 
 | 70 | +- [Manage Azure role assignments](role-assignments.md)  | 
 | 71 | +- [.NET Aspire Azure integrations overview](integrations-overview.md)  | 
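Review bot: In the "Assign roles to managed identities" section (new lines 49-64), the prose says the assignment "lets your identity access other Azure resources, such as Azure Key Vault", but the sample grants `BuiltInRole.Reader` and the text never states what that role permits on the vault. Since this page is about securing access, spell out which operations the Reader assignment covers and tell readers to pick the least-privileged role that matches the access the app needs, with the link to role-assignments.md placed next to that guidance. Two smaller points in the same section: `WithRoleAssignments` on line 49 is plain text while `AddAzureUserAssignedIdentity` is code-formatted and `PublishAsExisting` uses an xref, so format it the same way, and there is a double space before "see" on line 64. Separately, none of the three samples attaches `sharedMi` to a service resource, although the intro on line 9 says a UMI is assigned to one or more service resources; a short sample or a link for that step would close the gap.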