In Aspire 9.4, the default role assigned to applications using AddAzureOpenAI was changed from CognitiveServicesOpenAIContributor to CognitiveServicesOpenAIUser. This change improves security by assigning a lower privilege role by default, ensuring applications only have the permissions necessary for inference tasks.
Version introduced
Aspire 9.4
Previous behavior
Previously, applications referencing an Azure OpenAI account were assigned the CognitiveServicesOpenAIContributor role by default. This role allowed applications to manage OpenAI deployments, which is a higher privilege than typically required for inference tasks.
New behavior
Applications referencing an Azure OpenAI account are now assigned the CognitiveServicesOpenAIUser role by default. This role provides permissions for inference tasks without allowing management of OpenAI deployments. If higher privileges are required, you can configure the necessary roles using the WithRoleAssignments API.
Example:
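using Azure.Provisioning.CognitiveServices;
var builder = DistributedApplication.CreateBuilder(args);
var openai = builder.AddAzureOpenAI("openai");
// Explicitly grant the higher-privilege Contributor role to this project only.
builder.AddProject<Projects.ApiService>("api")
    .WithRoleAssignments(openai, CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor);
builder.Build().Run();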
Type of breaking change
This is a behavioral change.
Reason for change
The CognitiveServicesOpenAIContributor role provides excessive privileges for most applications, as managing OpenAI deployments isn't typically required. Assigning the CognitiveServicesOpenAIUser role by default enhances security by limiting permissions to inference tasks. For applications requiring higher privileges, roles can be explicitly configured using the WithRoleAssignments API.
For more information, see GitHub PR #10293.
Recommended action
If your application requires higher privileges than the CognitiveServicesOpenAIUser role, explicitly configure the necessary roles using the WithRoleAssignments API. See the New behavior section for an example of how to do this.
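To decide which applications need an explicit role, it helps to see which identities hold the Contributor role on the account, either directly or through a parent scope. The Python check below is an added example, not code from the original page or the Aspire project; it assumes role assignments exported as JSON in the shape of `az role assignment list --all --output json`, and the sample data and every name in it are constructed.

```python
import json

CONTRIBUTOR = "Cognitive Services OpenAI Contributor"
USER = "Cognitive Services OpenAI User"

# Constructed sample shaped like `az role assignment list --all --output json`.
# Subscription, resource group, account and principal names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo-east"
ACCOUNT_ID = RG + "/providers/Microsoft.CognitiveServices/accounts/openai-demo"
SAMPLE = json.dumps([
    {"principalName": "api-identity", "roleDefinitionName": USER, "scope": ACCOUNT_ID},
    {"principalName": "worker-identity", "roleDefinitionName": CONTRIBUTOR,
     "scope": ACCOUNT_ID.upper()},
    {"principalName": "ops-identity", "roleDefinitionName": CONTRIBUTOR, "scope": RG},
    {"principalName": "other-identity", "roleDefinitionName": CONTRIBUTOR,
     "scope": SUB + "/resourceGroups/rg-demo"},
])

def applies_to(scope, resource_id):
    # Same or parent scope. Resource IDs compare case-insensitively; matching a
    # whole path segment keeps scope rg-demo from covering rg-demo-east.
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")

def audit(assignments_json, account_id):
    """Return {principal: finding} for principals holding an OpenAI role on the account."""
    held = {}
    for a in json.loads(assignments_json):
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in (CONTRIBUTOR, USER) and applies_to(scope, account_id):
            direct = scope.rstrip("/").lower() == account_id.rstrip("/").lower()
            held.setdefault(a["principalName"], []).append((role, direct))
    findings = {}
    for principal, roles in held.items():
        contributor = [direct for role, direct in roles if role == CONTRIBUTOR]
        if not contributor:
            findings[principal] = "ok: inference-only"
        elif all(contributor):
            findings[principal] = "review: Contributor assigned on the account"
        else:
            findings[principal] = "review: Contributor inherited from a parent scope"
    return findings

if __name__ == "__main__":
    for principal, finding in sorted(audit(SAMPLE, ACCOUNT_ID).items()):
        print(f"{principal}: {finding}")
```

An identity flagged as inherited keeps deployment-management rights on the account regardless of what the app host assigns, so that assignment has to be reviewed at the parent scope.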
Affected APIs
Aspire.Hosting.AzureOpenAIExtensions.AddAzureOpenAI