1. Federated Azure Credentials for Automated AI Pipelines.

    Federated identity in Azure enables external identities to assume a role within your Azure environment, granting permissions to Azure resources. This capability is particularly useful when setting up automated AI pipelines where resources may need to be accessed by applications or services not directly within your Azure Active Directory (AAD). Federated credentials facilitate this by allowing external identities (like those from another AAD, Microsoft Account, or a service principal in another cloud provider) to be granted access.

    For instance, if you are automating AI pipelines that need to access Azure resources, you might employ Azure Managed Identity, enabling your services to easily get Azure Active Directory tokens. Furthermore, in an environment where different Azure services (like Azure Functions or Azure Logic Apps) need to access resources (like Azure Machine Learning or Azure Storage), managed identities can securely automate this without needing to manage credentials.

    In the context of Pulumi, you would use the Azure Native provider's FederatedIdentityCredential class to create federated credentials. The code below demonstrates how you would set this up using Pulumi's Python SDK.

    ```python
    import pulumi
    import pulumi_azure_native as azure_native

    # Create a federated identity credential.
    # These details would typically come from an external identity provider.
    federated_credential = azure_native.managedidentity.FederatedIdentityCredential(
        resource_name="myFederatedCredential",  # Name of the federated credential resource.
        resource_group_name="myResourceGroup",  # Name of the resource group.
        # Required by the provider: the existing user-assigned managed identity that
        # this credential is attached to ("myManagedIdentity" is a placeholder).
        resource_name_="myManagedIdentity",
        issuer="external-issuer",  # Issuer of the federated credential.
        subject="subject-id",  # Subject identifier in the issuer's namespace.
        audiences=["api://AzureADTokenExchange"],  # Intended audiences for the credential.
    )

    # Export the ID of the federated credential to access it in subsequent runs or other stacks.
    pulumi.export("federated_credential_id", federated_credential.id)
    ```

    In this code:

    • We import the required pulumi and pulumi_azure_native modules.
    • We then define a FederatedIdentityCredential resource, which creates the federated identity credential in Azure.
    • resource_name will be the name assigned to this federated credential resource.
    • resource_group_name is where the federated identity credential will be placed in your Azure subscription.
    • The issuer is an external identity provider that issues the assertions.
    • The subject is the unique identifier for the user, device, or service principal that the token is issued to.
    • audiences are the intended recipients of the inbound federated tokens.
    • Finally, we use pulumi.export to output the ID of the federated credential, which can then be used in your automated AI workflows.

    Remember to replace "myFederatedCredential", "myResourceGroup", "external-issuer", and "subject-id" with the actual values you intend to use, and to add the issuer and subject configuration corresponding to the identity provider you're federating with.

    For more details, check the documentation for FederatedIdentityCredential:

    This forms the foundation upon which you can build more complex interactions with Azure resources in your automated AI pipelines, ensuring secure and automated authentication and authorization processes.
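
A pre-deployment check for the issuer, subject and audiences values described above, as an added example that is not part of the original page or of Pulumi's code. It assumes the token exchange compares the external token's `iss`, `sub` and `aud` claims to the credential exactly and case-sensitively. The function names, the `CREDENTIAL` values and the sample claims are constructed for illustration.

```python
import base64
import json

# Constructed sample values; issuer, subject and claims are assumptions.
CREDENTIAL = {
    "issuer": "https://idp.example.com/tenant-a",
    "subject": "system:serviceaccount:ml:trainer",
    "audiences": ["api://AzureADTokenExchange"],
}


def unsigned_token(claims):
    """Build an unsigned sample JWT (constructed test data, never a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def credential_mismatches(cred, claims, now):
    """List why a token would not match the credential (exact, case-sensitive)."""
    problems = []
    if claims.get("iss") != cred["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != issuer {cred['issuer']!r}")
    if claims.get("sub") != cred["subject"]:
        problems.append(f"sub {claims.get('sub')!r} != subject {cred['subject']!r}")
    aud = claims.get("aud", [])
    token_auds = {aud} if isinstance(aud, str) else set(aud)
    if not token_auds & set(cred["audiences"]):
        problems.append(f"aud {sorted(token_auds)} not in {cred['audiences']}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired or has no exp claim")
    return problems


if __name__ == "__main__":
    drifted = unsigned_token({
        "iss": "https://idp.example.com/tenant-a/",  # trailing slash differs
        "sub": "system:serviceaccount:ML:trainer",   # case differs
        "aud": "api://AzureADTokenExchange", "exp": 2_000_000_000,
    })
    for line in credential_mismatches(CREDENTIAL, jwt_claims(drifted), now=1_700_000_000):
        print("MISMATCH:", line)
```

Running it against a token captured from the pipeline's identity provider shows which of the three values to correct before the credential is deployed.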