Containerized AI Workloads with Managed Azure Identity
PythonTo deploy containerized AI workloads on Azure with a managed identity, you would typically use Azure Container Instances (ACI) for deploying containers without managing servers and Azure Active Directory (Azure AD) for identity management. ACI enables you to run containers directly on Azure without orchestrating them through a container orchestrator like Kubernetes.
Managed Identities for Azure resources provide Azure services with an automatically managed identity in Azure AD. You can use this identity to authenticate to any service that supports Azure AD authentication without having credentials in your code.
Below is an outline of the program we'll construct:
- Set up an Azure Resource Group, which is a logical container for Azure resources.
- Define a Managed Identity for our container, which grants its own identity in Azure AD.
- Deploy a container using Azure Container Instances (ACI), while assigning the managed identity to the container.
- Export any outputs, such as the fully qualified domain name (FQDN) of the container instance, which could be used to access the containerized application.
Here is a Pulumi program written in Python that accomplishes this:
import pulumi import pulumi_azure_native as azure_native # Step 1: Create an Azure Resource Group resource_group = azure_native.resources.ResourceGroup('ai-workloads-rg') # Step 2: Define a Managed Identity for our container application managed_identity = azure_native.managedidentity.UserAssignedIdentity( 'ai-workloads-managed-identity', resource_group_name=resource_group.name ) # Step 3: Deploy an Azure Container Instance with the Managed Identity container_group = azure_native.containerinstance.ContainerGroup( 'ai-workloads-container-group', resource_group_name=resource_group.name, os_type=azure_native.containerinstance.OperatingSystemTypes.LINUX, containers=[{ 'name': 'ai-workload-container', 'image': 'your-ai-application-image', # Replace with your container image 'resources': { 'requests': { 'cpu': 1.0, 'memory_in_gb': 1.5 } }, }], identity={ 'type': azure_native.containerinstance.ResourceIdentityType.USER_ASSIGNED, 'user_assigned_identities': { managed_identity.id: {} }, } ) # Step 4: Export the FQDN of the container instance pulumi.export('container_fqdn', container_group.fqdn)Let's walk through this program:
- We import the necessary modules from the Pulumi SDK for working with Azure.
- We create an Azure Resource Group, which is a necessary step as Azure requires all resources to be associated with a resource group.
- We then create a Managed Identity in Azure, which the container can use to authenticate against Azure services securely.
- Following that, we deploy an Azure Container Instance, specifying:
- The Resource Group it belongs to.
- The type of operating system our container requires.
- The container details such as the name and the container image.
- The resources we want to allocate to the container such as CPU and memory.
- The Managed Identity we earlier created is associated with the container instance in the
identityfield.
- At the end of the program, we export the fully qualified domain name (FQDN) of the container instance to be able to access it once it's up and running.
Remember to replace
'your-ai-application-image'with the Docker image for your AI application. This image should be hosted in a container registry that Azure Container Instances can access. If your container image is in a private registry, you will also need to addimage_registry_credentialsto theContainerGroupto provide the necessary authentication details.To use this program, save it to a file (for example
main.py), install Pulumi, set up the Azure CLI, log in usingaz login, and then runpulumi upto create the resources in Azure.