Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In Aspire 9.4, the BicepSecretOutputReference type, the GetSecretOutput(...) helper method, and the overload of WithEnvironment that accepted a BicepSecretOutputReference are now obsolete. Automatic Key Vault generation and secret wiring logic were removed. Projects that relied on these APIs for automatic secret management must migrate to explicit Key Vault resource modeling and secret references.
Version introduced
Aspire 9.4
Previous behavior
Previously, you could use GetSecretOutput(...) to obtain a BicepSecretOutputReference from a resource, and pass it to WithEnvironment. Aspire would automatically generate a Key Vault and wire up the secret URI for you.
Example:
var db = builder.AddAzureCosmosDB("mydb").WithAccessKeyAuthentication();
builder.AddContainer("api", "image")
.WithEnvironment("ConnStr", db.GetSecretOutput("connectionString"));
New behavior
Now, Aspire no longer creates Key Vaults or secrets automatically. You must explicitly create or reference a Key Vault and use an explicit secret reference.
Example:
var kv = builder.AddAzureKeyVault("kv");
builder.AddContainer("api", "image")
.WithEnvironment("ConnStr", kv.GetSecret("connectionString"));
GetSecretOutput(...) is now obsolete and will be removed in a future release. The overload of WithEnvironment that accepted a BicepSecretOutputReference is also obsolete.
Type of breaking change
This change is a binary incompatible and source incompatible change.
Reason for change
Implicit Key Vault creation made deployments opaque and fragile. Removing the secret-output shortcut aligns Aspire with its explicit-resource philosophy, giving you full control over secret management and simplifying infrastructure generation. For more information, see the GitHub issue.
Recommended action
Create or reference a Key Vault in your Aspire graph:
var kv = builder.AddAzureKeyVault("kv");Replace
GetSecretOutputusage with an explicit secret reference:builder.AddContainer("api", "image") .WithEnvironment("ConnStr", kv.GetSecret("connectionString"));Remove obsolete
WithEnvironment(string, BicepSecretOutputReference)overloads and switch toWithEnvironment(string, IAzureKeyVaultSecretReference)(or another appropriate overload).
Aspire's resources with support for keys were updated to handle this new change.
Affected APIs
- Aspire.Hosting.Azure.BicepSecretOutputReference
- Aspire.Hosting.AzureBicepResourceExtensions.GetSecretOutput(IResourceBuilder<AzureBicepResource>, String)
- Aspire.Hosting.AzureBicepResourceExtensions.WithEnvironment<T>(IResourceBuilder<T>, String, BicepSecretOutputReference)
- Automatic Key Vault generation and secret wiring logic (removed)
Collaborate with us on GitHub
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.
