[Breaking change]: AddAzureOpenAI defaults to CognitiveServicesOpenAIUser instead of CognitiveServicesOpenAIContributor

[eerhardt]

Description

CognitiveServicesOpenAIContributor is too high of a priviledge role to use by default in applications. By default apps should not need to manage deployments. So instead, by default apps will get CognitiveServicesOpenAIUser role and if an application needs a higher role, it can be configured easily by using WithRoleAssignments.

See dotnet/aspire#10293

Version

.NET Aspire 9.4

Previous behavior

Previously applications were granted the CognitiveServicesOpenAIContributor role when referencing an Azure OpenAI account.

New behavior

Now applications will be granted the CognitiveServicesOpenAIUser role when referencing an Azure OpenAI account.

Type of breaking change

• Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
• Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
• Behavioral change: Existing binaries might behave differently at run time.

Reason for change

CognitiveServicesOpenAIContributor is too high of a priviledge role to use by default in applications. By default apps should not need to manage OpenAI deployments, but instead just be able to do inference. It is more secure to use a lower role by default.

Recommended action

If an application needs higher privileges than CognitiveServicesOpenAIUser , you can specify the roles necessary for the application by using the WithRoleAssignments API:

using Azure.Provisioning.CognitiveServices;

var openai = builder.AddAzureOpenAI("openai");

builder.AddProject<Projects.ApiService>("api")
       .WithRoleAssignments(openai, CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor);

Affected APIs

Aspire.Hosting.AzureOpenAIExtensions.AddAzureOpenAI