Skip to content

Enhance Dapr integration with managed identity support and role assig… #882

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Enhance Dapr integration with managed identity support and role assig… #882

wants to merge 5 commits into from

Conversation

FullStackChef
Copy link
Contributor

…nments

Closes #881

This pull request introduces a refactor to how Dapr components are provisioned and authenticated in Azure environments, focusing on managed identity usage and role assignments. The main improvement is the introduction of a dedicated managed identity for Dapr components, which streamlines authentication and enables fine-grained role assignments for resources like Redis and Key Vault. The changes also update infrastructure configuration callbacks to consistently use this managed identity, and introduce new extension methods to simplify role assignment logic.

Managed Identity & Role Assignment Improvements:

  • Introduced a dedicated managed identity (daprManagedIdentity) for Dapr components in the WithDaprComponents extension, ensuring all Dapr components use a single identity for authentication and role assignment. (Fa5acb9cL16R16, src/CommunityToolkit.Aspire.Hosting.Azure.Dapr/AzureContainerAppEnvironmentResourceBuilderExtensions.csR63-L62)
  • Added a new WithRoleAssignments extension method and supporting logic to facilitate assigning Azure roles to resources for Dapr components, leveraging the managed identity. [1] [2]
  • Updated infrastructure configuration callbacks for Redis and Key Vault to accept and use the managed identity for authentication, replacing previous principal ID parameter usage. [1] [2] [3] [4] [5]

Annotation & Publishing Refactor:

  • Refactored AzureDaprComponentPublishingAnnotation to accept the managed identity in its publishing action, enabling consistent identity usage across Dapr component provisioning.
  • Updated Dapr component publishing logic to pass the managed identity to publishing actions and role assignment annotations, ensuring all resource configuration is identity-aware.

Dependency & File Updates:

  • Added missing using directives for new dependencies related to role management and authorization. [1] [2] [3] [4]
  • Added a new settings.json file for the AppHost project, improving project configuration.

These changes collectively improve security, maintainability, and clarity in how Dapr components interact with Azure resources, making it easier to manage permissions and authentication in distributed applications.

PR Checklist

  • Created a feature/dev branch in your fork (vs. submitting directly from a commit on main)
  • Based off latest main branch of toolkit
  • PR doesn't include merge commits (always rebase on top of our main, if needed)
  • [] New integration
    • Docs are written
    • Added description of major feature to project description for NuGet package (4000 total character limit, so don't push entire description over that)
  • Tests for the changes have been added (for bug fixes / features) (if applicable)
  • Contains NO breaking changes
  • Every new API (including internal ones) has full XML docs
  • Code follows all style conventions

Other information

@Copilot Copilot AI review requested due to automatic review settings October 1, 2025 20:50
Copilot
Copilot AI reviewed Oct 1, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request refactors Dapr component provisioning in Azure environments to use a dedicated managed identity for authentication and role assignments. The enhancement introduces centralized identity management for Dapr components, replacing scattered principal ID parameter usage with a unified approach that enables fine-grained role assignments for Azure resources like Redis and Key Vault.

Key changes:

  • Introduced a dedicated managed identity for all Dapr components with automatic role assignment infrastructure
  • Updated Dapr component infrastructure callbacks to accept and use the managed identity instead of principal ID parameters
  • Added new extension methods for role assignment management with built-in Azure roles

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
AzureContainerAppEnvironmentResourceBuilderExtensions.cs Adds dedicated managed identity creation and role assignment infrastructure for Dapr components
AzureDaprComponentPublishingAnnotation.cs Updates publishing annotation to accept managed identity parameter
AzureDaprHostingExtensions.cs Adds new role assignment extension methods and helper functions
AzureKeyVaultDaprHostingExtensions.cs Updates Key Vault configuration to use managed identity instead of principal ID parameter
AzureRedisCacheDaprHostingExtensions.cs Updates Redis configuration to use managed identity and adds role assignments
Program.cs Adds Redis reference to service configuration
settings.json Adds new project configuration file

FullStackChef and others added 2 commits October 2, 2025 09:53
@FullStackChef
Copy link
Contributor Author

Not ready for merging

@FullStackChef
Refactor Azure Redis integration for Dapr components
d6f0cb1 
Updated namespaces and resource models to use `CdkRedisResource`
and `RedisResource` instead of `AzureRedisResource` and
`RedisBuiltInRole`. Introduced managed identity authentication
logic with dynamic `RedisCacheAccessPolicyAssignment` creation
for "Data Contributor" access. Commented out legacy role
assignment code to align with the new approach.

Refactored Redis resource handling to support the updated
resource model. Enhanced metadata handling for `state.redis`
components, ensuring proper configuration of `actorStateStore`.
Maintained infrastructure output logic for Redis connection
strings, now operating on the new resource type.
@FullStackChef
Refactor Redis access policy assignment logic
1277861 
Updated the `ConfigureForManagedIdentityAuthentication` method to use `BicepIdentifier` for identifying existing `RedisCacheAccessPolicyAssignment` resources instead of the `Name` property. Introduced `policyBicepIdentifier` for consistent resource identification and dynamically generated the `Name` property using `BicepFunction.CreateGuid`. These changes enhance clarity and ensure consistency in resource management.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@WhitWaldo WhitWaldo Awaiting requested review from WhitWaldo WhitWaldo is a code owner

@paule96 paule96 Awaiting requested review from paule96 paule96 is a code owner

@davidfowl davidfowl Awaiting requested review from davidfowl

@aaronpowell aaronpowell Awaiting requested review from aaronpowell

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Dapr components rely on container app environment managed identity
1 participant
@FullStackChef