Role-Based Access to Azure Machine Learning Workspaces
PythonCreating and managing Azure Machine Learning workspaces can be done programmatically with infrastructure as code tools like Pulumi. In this case, we'll be defining role-based access to an Azure Machine Learning workspace. Role-based access control (RBAC) is a way to manage who has access to Azure resources and what they can do with those resources.
In Azure, RBAC is achieved through the definition of roles and the assignment of these roles to users, groups, or service principals on particular scopes like subscriptions, resource groups, or individual resources. A Machine Learning workspace is an Azure resource that benefits from RBAC to control access to the machine learning environment.
In the Pulumi code below, I'll show you how to create a new Azure Machine Learning workspace and set up RBAC for it. We'll be using the Azure Native provider package (
azure-native), which is an interface to Azure Resource Manager.Here's what we'll do:
- Import the necessary modules from the Pulumi Azure Native provider.
- Create a resource group to contain our Azure Machine Learning workspace.
- Define the Machine Learning workspace itself.
- Set up role assignments to control access to this workspace.
Note that in order to run this code, you must have the Pulumi CLI tool installed and be logged into your Azure account with
az login.import pulumi import pulumi_azure_native as azure_native # Step 1: Create a new resource group for our Machine Learning workspace. resource_group = azure_native.resources.ResourceGroup('my-ml-resource-group') # Step 2: Define the Azure Machine Learning workspace. # We’ll need to define certain properties such as the name, location, and SKU details. ml_workspace = azure_native.machinelearningservices.Workspace('my-ml-workspace', resource_group_name=resource_group.name, location=resource_group.location, sku=azure_native.machinelearningservices.SkuArgs( name='Basic', # Sku name determines the tier and capabilities of the workspace ), # The identity block specifies the type of managed identity used for the workspace. identity=azure_native.machinelearningservices.IdentityArgs( type="SystemAssigned", ), tags={ 'Environment': 'Development', # You can set tags as needed } ) # Step 3: Define a role assignment for the workspace. # RBAC is implemented through role assignments; in this case, we'll use the # `Contributor` role as an example. A role assignment requires a principal (user/service principal), # which isn’t defined here for security purposes. role_assignment = azure_native.authorization.RoleAssignment('my-ml-workspace-contributor-role-assignment', scope=ml_workspace.id, # The scope is the resource to which access is being granted. role_definition_id=f'/subscriptions/{pulumi.config.get("azure:subscriptionId")}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c', # The role definition ID for Contributor role. principal_id='[Enter the principal ID here]', # Replace with the principal (user/service principal) ID. ) # Export the ID of the resource group and workspace. This might be useful for referencing in other deployments. pulumi.export('resource_group_id', resource_group.id) pulumi.export('workspace_id', ml_workspace.id)Remember to replace
'[Enter the principal ID here]'with the actual principal ID of the user, group, or service principal you'd like to assign theContributorrole to.Each resource we defined is a building block provided by Pulumi which maps to Azure resources. The key points are the interdependencies (such as the workspace referring to the resource group name) and the
RoleAssignmentwhich applies an RBAC role to that workspace.By running this Pulumi program with
pulumi up, it will provision the Azure resources following the definitions in the code above. The exported values can be used to fetch the IDs of created resources, which can be handy for cross-referencing in other parts of your Azure setup.