Managed Identities for Accessing Azure ML with Enterprise Security

Question

Pulumi · Accepted Answer

Managed identities in Azure are a feature of Azure Active Directory (Azure AD) that provides Azure services with an automatically managed identity in Azure AD. You can use this identity to authenticate to any service that supports Azure AD authentication, including Azure Machine Learning, without needing to embed credentials in your code.

Managed identities come in two forms:
- System-assigned: This type of identity is tied to the lifecycle of a service instance (e.g., an Azure Virtual Machine or Azure Function). When the service instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.
- User-assigned: This is an independent managed identity that can be associated with one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the service instances it's associated with.

To use managed identities with Azure ML and ensure enterprise security, here are the general steps you might need to perform:

1. Enable Managed Identity on the Azure ML service.
2. Assign the necessary permissions to the Managed Identity so that it can access Azure resources.
3. Configure Azure ML to use the Managed Identity for various operations (like accessing Azure Blob Storage).

For the purpose of this example, let's assume we want to create an Azure Machine Learning workspace and configure a user-assigned managed identity with proper role assignments for accessing Azure Blob Storage, which will store our ML experiments and data.

Here is a Pulumi Python program that sets up an Azure ML workspace with a user-assigned managed identity.

```python
import pulumi
import pulumi_azure as azure  # Import the Pulumi Azure provider
import pulumi_azure_native as azure_native  # Import the Azure Native provider with updated resource types

# Create a resource group for all our resources
resource_group = azure_native.resources.ResourceGroup('my-resource-group')

# Create an Azure Machine Learning workspace
ml_workspace = azure_native.machinelearningservices.Workspace(
    "ml-workspace",
    resource_group_name=resource_group.name,
    location=resource_group.location,
    sku=azure_native.machinelearningservices.SkuArgs(
        name="Basic",  # Choose the appropriate SKU for your use case
    ),
    identity=azure_native.machinelearningservices.IdentityArgs(
        type="SystemAssigned",  # Other options include 'UserAssigned' or 'None'
    ),
)

# Now let's create a storage account required by the Azure ML workspace
storage_account = azure_native.storage.StorageAccount(
    "mystorageaccount",
    resource_group_name=resource_group.name,
    location=resource_group.location,
    sku=azure_native.storage.SkuArgs(
        name=azure_native.storage.SkuName.STANDARD_LRS,
    ),
    kind=azure_native.storage.Kind.STORAGE_V2,
)

# Create a User-Assigned Managed Identity
user_assigned_identity = azure_native.managedidentity.UserAssignedIdentity(
    "ml-managed-identity",
    resource_group_name=resource_group.name,
    location=resource_group.location,
)

# Assign the role to Managed Identity for accessing the storage account
role_assignment = azure.authorization.RoleAssignment(
    "role-assignment",
    scope=storage_account.id,
    role_definition_name="Storage Blob Data Contributor",
    principal_id=user_assigned_identity.principal_id,
)

# Export the resulting configuration
pulumi.export('workspace_name', ml_workspace.name)
pulumi.export('user_assigned_identity_id', user_assigned_identity.client_id)

```

In this program, we create:
- A resource group (`ResourceGroup`), which is a logical container for Azure resources.
- An Azure Machine Learning workspace (`Workspace`) within the resource group with a system-assigned managed identity.
- A storage account (`StorageAccount`) for the Machine Learning workspace to use for storing data.
- A user-assigned managed identity (`UserAssignedIdentity`) that we can assign to various resources.
- A role assignment (`RoleAssignment`) that gives the managed identity the necessary permissions to the storage account.

Note that in this program, the managed identity is given the "Storage Blob Data Contributor" role, allowing it to read and write data in the storage account. Adjust the role as necessary based on the specific requirements of your enterprise security policy.

Exported values such as the workspace name and the managed identity client ID can be used in other Pulumi programs or CI/CD pipelines to reference these resources.

This program demonstrates provisioning infrastructure. To make use of the managed identity within Azure Machine Learning or other Azure services, additional configuration within those services is typically required, ensuring that they authenticate using the managed identity.