1. Using azure-native managedidentity with purview

    TypeScript

    To use Azure Managed Identity with Azure Purview, you create a User Assigned Identity in Azure and then grant that identity the appropriate access to your Azure Purview account. A managed identity gives an application an identity it can use when connecting to resources that support Azure AD authentication, so no client secret or certificate has to be stored in code or configuration.

    Here's how you can create a User Assigned Identity and assign it to an Azure Purview account using Pulumi with TypeScript:

    Step 1: Create a User Assigned Identity

    You create a User Assigned Identity resource, which your Azure Purview account (or any other Azure service) can use to authenticate and authorize requests.

    Step 2: Grant Access to Purview

    After the identity is created, you grant it the necessary role on your Purview account. This is done with a Role Assignment, scoped to the Purview account so the identity gets no access elsewhere. The exact role depends on what the Managed Identity should be allowed to do on the account; assigning roles at the account scope rather than at the resource group or subscription keeps the grant to the least privilege required.

    Below is a Pulumi program written in TypeScript that demonstrates these steps. Before running this Pulumi program, make sure to have your Azure environment set up with an existing Purview account, and Pulumi installed and configured to use your Azure account.

    import * as pulumi from "@pulumi/pulumi";
    import * as managedidentity from "@pulumi/azure-native/managedidentity";
    import * as authorization from "@pulumi/azure-native/authorization";
    import * as purview from "@pulumi/azure-native/purview";

    // Replace with the correct values for your environment
    const resourceGroupName = "your-resource-group";
    const purviewAccountName = "your-purview-account";
    const location = "your-location"; // e.g., "West US"
    // Subscription that holds the Purview account. Alternatively read it from the
    // credentials Pulumi runs with: pulumi.output(authorization.getClientConfig()).subscriptionId
    const subscriptionId = "<subscription-id>";
    // GUID of the role definition to grant on the Purview account.
    // Look it up with: az role definition list --name "<role name>" --query "[].name" -o tsv
    const roleDefinitionGuid = "00000000-0000-0000-0000-000000000000"; // Replace with the actual role definition GUID

    // Create a User Assigned Identity
    const identity = new managedidentity.UserAssignedIdentity("myIdentity", {
        resourceGroupName: resourceGroupName,
        location: location,
    });

    // Look up the existing Purview account by its ARM resource ID.
    // Note: this assumes the Purview account is already deployed. If not, create it
    // with new purview.Account(...) instead of .get(...).
    const purviewAccount = purview.Account.get(
        "myPurviewAccount",
        `/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Purview/accounts/${purviewAccountName}`,
    );

    // Assign the chosen role to the Managed Identity, scoped to the Purview account only
    const roleAssignment = new authorization.RoleAssignment("myRoleAssignment", {
        principalId: identity.principalId,
        // Stating the principal type lets ARM accept the assignment before the newly
        // created identity has replicated through Azure AD (avoids PrincipalNotFound).
        principalType: "ServicePrincipal",
        roleDefinitionId: pulumi.interpolate`/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${roleDefinitionGuid}`,
        scope: purviewAccount.id,
    });

    // Export the principal ID of the Managed Identity and the role assignment ID
    export const identityPrincipalId = identity.principalId;
    export const roleAssignmentId = roleAssignment.id;

    Replace the placeholder values for resourceGroupName, purviewAccountName, location, the subscription ID, and the role definition GUID (the part of roleDefinitionId marked "Replace with the actual role definition") with your actual Azure information.

    The program does the following:

    • It creates a new User Assigned Identity named myIdentity within the provided resource group and location.
    • It fetches the existing Purview account (purview.Account.get(...)), specifically its ID, to use as the scope of the Role Assignment.
    • It then creates a new Role Assignment that grants the chosen role to the managed identity at the specified scope (in this case, the Purview account itself, not the resource group or subscription). You need to find and provide the role definition ID that corresponds to the role you want.
    • Lastly, it exports the principal ID of the User Assigned Identity and the ID of the Role Assignment so you can use them in other parts of your infrastructure if necessary.

    Remember to install the required Pulumi packages for your project using npm or yarn:

    npm install @pulumi/pulumi @pulumi/azure-native

    or

    yarn add @pulumi/pulumi @pulumi/azure-native

    Replace the placeholder subscription ID (or read it from the credentials Pulumi is running with, via authorization.getClientConfig()) and the role definition ID with the values for your scenario. You can find role definition IDs by inspecting existing roles in the Azure portal or with the Azure CLI, for example az role definition list --name "Reader" --query "[].id" -o tsv. Choose the least-privileged Azure RBAC role that covers what the Managed Identity needs to do on the account. Note that "Purview Data Curator" and the other Purview data-plane roles (Data Reader, Data Source Administrator, Collection Admin) are assigned on collections in the Microsoft Purview governance portal rather than through Azure RBAC, and the older Azure RBAC roles of those names are deprecated; an Azure RoleAssignment on the account therefore controls management-plane access (for example Reader or Contributor on the account resource), not access to the catalog data. If the Purview account is not deployed yet, create it with Pulumi (purview.Account) in the same way the User Assigned Identity is created.
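    Because Azure RBAC inherits down the resource hierarchy, a Contributor grant at the subscription or resource group level also applies to the Purview account and silently widens what the identity can do there. The following is an added example, not part of the original answer: a small least-privilege audit that takes role assignments shaped like the output of az role assignment list --assignee <principalId> --all -o json and reports whether the identity holds exactly the intended role at the account scope and which other assignments also reach it. The principal IDs, subscription ID and account path below are constructed sample values; the role GUIDs are Azure's built-in Reader and Contributor roles.

```typescript
// Added example: least-privilege audit of the role assignments that affect a
// managed identity at a Purview account. Input is constructed sample data in the
// shape of `az role assignment list --assignee <principalId> --all -o json`.

interface RoleAssignment {
    principalId: string;
    principalType: string;
    roleDefinitionId: string; // full ARM ID; the last segment is the role GUID
    scope: string;            // ARM scope the assignment was created at
}

// Built-in Azure role definition GUIDs
const READER_ROLE_GUID = "acdd72a7-3385-48ef-bd42-f606fba81ae7";
const CONTRIBUTOR_ROLE_GUID = "b24988ac-6180-42a0-ab88-20f7382dd24c";

// Last path segment of a role definition ID, lower-cased for comparison.
function roleDefinitionGuid(roleDefinitionId: string): string {
    const segments = roleDefinitionId.split("/").filter(s => s.length > 0);
    return segments[segments.length - 1].toLowerCase();
}

// True when an assignment at `assignmentScope` applies to `targetScope`, i.e. the
// scopes are equal or the assignment sits at a parent (subscription, resource
// group). ARM scopes are case-insensitive; compare on whole path segments only.
function scopeCovers(assignmentScope: string, targetScope: string): boolean {
    const norm = (s: string) => s.toLowerCase().replace(/\/+$/, "") + "/";
    return norm(targetScope).startsWith(norm(assignmentScope));
}

interface AuditResult {
    hasExpectedRole: boolean; // expected role found at exactly the target scope
    excess: RoleAssignment[]; // every other assignment that also reaches the target
}

function auditPrincipal(
    assignments: RoleAssignment[],
    principalId: string,
    targetScope: string,
    expectedRoleGuid: string,
): AuditResult {
    const isExpected = (a: RoleAssignment) =>
        roleDefinitionGuid(a.roleDefinitionId) === expectedRoleGuid.toLowerCase()
        && a.scope.toLowerCase() === targetScope.toLowerCase();
    const effective = assignments
        .filter(a => a.principalId.toLowerCase() === principalId.toLowerCase())
        .filter(a => scopeCovers(a.scope, targetScope));
    return {
        hasExpectedRole: effective.some(isExpected),
        excess: effective.filter(a => !isExpected(a)),
    };
}

// Constructed sample data (assumed IDs, not real resources)
const SUB = "/subscriptions/11111111-1111-1111-1111-111111111111";
const PURVIEW_SCOPE = `${SUB}/resourceGroups/your-resource-group/providers/Microsoft.Purview/accounts/your-purview-account`;
const IDENTITY_PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222";
const roleId = (guid: string) => `${SUB}/providers/Microsoft.Authorization/roleDefinitions/${guid}`;
const SAMPLE_ASSIGNMENTS: RoleAssignment[] = [
    // intended: Reader on the Purview account only
    { principalId: IDENTITY_PRINCIPAL_ID, principalType: "ServicePrincipal",
      roleDefinitionId: roleId(READER_ROLE_GUID), scope: PURVIEW_SCOPE },
    // over-broad: Contributor on the whole subscription, inherited by the account
    { principalId: IDENTITY_PRINCIPAL_ID, principalType: "ServicePrincipal",
      roleDefinitionId: roleId(CONTRIBUTOR_ROLE_GUID), scope: SUB },
    // unrelated principal, must be ignored by the audit
    { principalId: "33333333-3333-3333-3333-333333333333", principalType: "User",
      roleDefinitionId: roleId(CONTRIBUTOR_ROLE_GUID), scope: PURVIEW_SCOPE },
];

function sampleAudit(): AuditResult {
    return auditPrincipal(SAMPLE_ASSIGNMENTS, IDENTITY_PRINCIPAL_ID, PURVIEW_SCOPE, READER_ROLE_GUID);
}

const result = sampleAudit();
console.log(`expected role present at account scope: ${result.hasExpectedRole}`);
for (const a of result.excess) {
    console.log(`excess grant: role ${roleDefinitionGuid(a.roleDefinitionId)} at ${a.scope}`);
}
```

    To run it against a real deployment, replace SAMPLE_ASSIGNMENTS with the parsed JSON from az role assignment list --assignee <identityPrincipalId> --all -o json (using the identityPrincipalId exported by the Pulumi program) and PURVIEW_SCOPE with the account's resource ID; any entry reported as excess is an assignment the identity does not need for this task and that widens its blast radius beyond the Purview account.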

    Once the program is ready and the Pulumi CLI is set up, you can review the planned changes with pulumi preview and deploy this infrastructure with pulumi up.