1. Role Assignments for Controlled Access to Azure Cognitive Services


    When deploying Azure Cognitive Services, securing access to these services is crucial. Azure provides a mechanism for assigning roles, which are sets of permissions that determine what actions a user or application can perform on a given service. In Azure, you can assign roles using Azure Role-Based Access Control (RBAC) at various scopes, including the management group, subscription, resource group, and individual resource level.

    To accomplish this in Pulumi, you would generally use two primary resources:

    1. azuread.ServicePrincipal: This represents the identity that your application or service will use when accessing Azure resources. It must be assigned a role that allows it to interact with Azure Cognitive Services.

    2. azure-native.authorization.RoleAssignment: This assigns a role to a principal (like a Service Principal, User, or Group) for a particular scope. In the context of Azure Cognitive Services, this role assignment could grant the ability to read or manage cognitive services.

    Let's assume you already have an Azure Cognitive Services account created, and you want to assign a role to a service principal so it can access the cognitive services.

    Here's a Pulumi program in Python that performs role assignments to control access to Azure Cognitive Services:

```python
import pulumi
import pulumi_azure_native.authorization as authorization
import pulumi_azure_native.cognitiveservices as cognitiveservices
import pulumi_azuread as azuread

# A service principal is always backed by an Azure AD application registration,
# so create the application first and point the principal at it.
application = azuread.Application("myCognitiveServiceApp", display_name="myCognitiveServiceApp")

# Create a Service Principal that will access Azure Cognitive Services
service_principal = azuread.ServicePrincipal(
    "myCognitiveServicePrincipal",
    client_id=application.client_id,
)

# Create an Azure Cognitive Services Account
cognitive_services_account = cognitiveservices.Account(
    "myCognitiveServicesAccount",
    # Parameters for the cognitive services account like location, resource group name, etc.
    # (location falls back to the azure-native:location config value when not set here)
    resource_group_name="myResourceGroup",
    kind="CognitiveServices",  # This kind parameter is specific to the type of account you need
    sku=cognitiveservices.SkuArgs(
        name="S0",  # An example of a valid SKU for Azure Cognitive Services
    ),
)

# Now, assign a role to the service principal for the cognitive services account.
# The example below assigns the "Contributor" role at the scope of the cognitive services account.
# Built-in roles are referenced by their fully qualified role definition ID; the GUID below is
# Azure's well-known, tenant-independent ID for the built-in "Contributor" role.
subscription_id = "<your-subscription-id>"
contributor_role_definition_id = (
    f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/"
    "b24988ac-6180-42a0-ab88-20f7382dd24f"
)

role_assignment = authorization.RoleAssignment(
    "myCognitiveServicePrincipalRoleAssignment",
    scope=cognitive_services_account.id,
    role_definition_id=contributor_role_definition_id,
    principal_id=service_principal.object_id,
    principal_type="ServicePrincipal",  # avoids a directory lookup race on a freshly created principal
)

# Export the primary endpoint of the cognitive service
pulumi.export(
    "cognitive_service_endpoint",
    cognitive_services_account.properties.apply(lambda properties: properties.endpoint),
)
```

    In this program:

    • The azuread.ServicePrincipal represents the application identity.
    • The cognitiveservices.Account creates a new Azure Cognitive Services account.
    • The role_definition_id is the fully qualified resource ID of the built-in "Contributor" role definition under your subscription.
    • An authorization.RoleAssignment is created to assign the "Contributor" role to our service principal at the scope of the Cognitive Service account. (Ensure that you replace <your-subscription-id> with your actual Azure subscription ID).
    • Finally, we export the endpoint of the cognitive services account. This is the endpoint that applications will use to connect to the cognitive services provided.

    Replace "myResourceGroup", "S0", and <your-subscription-id> with the actual values for your resource group, desired SKU, and subscription ID respectively.

    This is a basic example. In a production scenario, you should follow the Principle of Least Privilege (PoLP) and assign only the permissions your application needs to function. For instance, if your application only needs to read from the cognitive services, assign the "Reader" role instead of "Contributor". Other built-in roles, or a custom role definition composed of only the specific actions your workload requires, let you narrow the grant further.
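    As an added example (not Pulumi's code or the program above), a small pre-deployment lint in plain Python that applies the two least-privilege checks discussed here to a planned assignment: is the role within an allowed set, and is the scope as narrow as the resource level rather than a subscription or management group. The role GUIDs are Azure's well-known built-in role definition IDs; the subscription and account IDs in the usage block are constructed sample values.

```python
import re

# Azure's well-known built-in role definition GUIDs (identical in every tenant).
BUILTIN_ROLES = {
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24f",
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
}
# RBAC scope levels from broadest to narrowest.
LEVELS = ["managementGroup", "subscription", "resourceGroup", "resource"]

_MG = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")
_SUB = re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE)
_RG = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE)
_RES = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/[^/]+/.+$", re.IGNORECASE)


def role_definition_id(subscription_id: str, role_name: str) -> str:
    """Build the fully qualified ID that a RoleAssignment's role_definition_id expects."""
    guid = BUILTIN_ROLES[role_name]
    return f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/{guid}"


def scope_level(scope: str) -> str:
    """Classify an ARM scope string; raise on anything that is not a valid RBAC scope."""
    for level, pattern in zip(LEVELS, (_MG, _SUB, _RG, _RES)):
        if pattern.match(scope):
            return level
    raise ValueError(f"unrecognised scope: {scope}")


def lint_assignment(role_name: str, scope: str,
                    allowed_roles=("Reader",), narrowest_level="resource") -> list:
    """Return least-privilege findings for one planned assignment (empty list means OK)."""
    findings = []
    if role_name not in allowed_roles:
        findings.append(f"role {role_name!r} is outside the allowed set {sorted(allowed_roles)}")
    level = scope_level(scope)
    if LEVELS.index(level) < LEVELS.index(narrowest_level):
        findings.append(f"scope is at {level} level; expected {narrowest_level} level")
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your own subscription and account IDs.
    sub = "00000000-0000-0000-0000-000000000000"
    account = (f"/subscriptions/{sub}/resourceGroups/myResourceGroup"
               "/providers/Microsoft.CognitiveServices/accounts/myCognitiveServicesAccount")
    print(lint_assignment("Contributor", account))            # flags the role only
    print(lint_assignment("Reader", f"/subscriptions/{sub}"))  # flags the scope only
    print(lint_assignment("Reader", account))                 # [] (compliant)
```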