Assign Managed Identities to Virtual Machines for AI Workloads

Question

Pulumi · Accepted Answer

Managed identities in Azure are a feature of the Azure Active Directory that provide a secure identity mechanism for managing the authentication of services that interact with Azure resources. When creating virtual machines in Azure, you can use a system-assigned managed identity or a user-assigned managed identity to enable the VM to access other Azure resources like Storage Accounts, Databases, or other APIs with an identity that is managed by Azure AD, without needing to manage any credentials.

Here's a breakdown of how to create a virtual machine with an assigned managed identity using Pulumi:

1. **Setup**: Make sure you have Pulumi installed and configured for use with Azure.
2. **Create a Resource Group**: Resource groups in Azure serve as a logical container in which you store and manage your Azure services.
3. **Create a Virtual Network and Subnet**: Virtual machines require a virtual network and subnet within the Azure cloud to communicate with other resources.
4. **Create a Network Interface**: This will be attached to the virtual machine for network connectivity.
5. **Create a Virtual Machine**: With Pulumi, you can define the hardware and software stack of the virtual machine, along with the managed identity.
6. **Assign a Managed Identity to the VM**: System-assigned managed identities are enabled on a service and are tied to the lifecycle of that service.

I'll now provide you with a comprehensive Python program that uses Pulumi to create an Azure Virtual Machine with a system-assigned managed identity:

```python
import pulumi
from pulumi_azure_native import resources
from pulumi_azure_native import network
from pulumi_azure_native import compute

# Create a new resource group to contain the resources
resource_group = resources.ResourceGroup("rg")

# Create a virtual network and a subnet for the virtual machine
vnet = network.VirtualNetwork(
    "vnet",
    resource_group_name=resource_group.name,
    address_space=network.AddressSpaceArgs(
        address_prefixes=["10.0.0.0/16"],
    ),
)

subnet = network.Subnet(
    "subnet",
    resource_group_name=resource_group.name,
    address_prefix="10.0.1.0/24",
    virtual_network_name=vnet.name,
)

# Create a network interface for the virtual machine
network_interface = network.NetworkInterface(
    "server-nic",
    resource_group_name=resource_group.name,
    ip_configurations=[network.NetworkInterfaceIPConfigurationArgs(
        name="webserveripcfg",
        subnet=network.SubnetArgs(
            id=subnet.id,
        ),
        private_ip_allocation_method="Dynamic",
    )],
)

# Create the virtual machine with a system-assigned managed identity
vm = compute.VirtualMachine(
    "server-vm",
    resource_group_name=resource_group.name,
    network_profile=compute.NetworkProfileArgs(
        network_interfaces=[compute.NetworkInterfaceReferenceArgs(
            id=network_interface.id,
            primary=True,
        )],
    ),
    os_profile=compute.OSProfileArgs(
        computer_name="hostname",
        admin_username="testadmin",
        admin_password="Password1234!",
    ),
    storage_profile=compute.StorageProfileArgs(
        image_reference=compute.ImageReferenceArgs(
            publisher="Canonical",
            offer="UbuntuServer",
            sku="18.04-LTS",
            version="latest",
        ),
        os_disk=compute.OSDiskArgs(
            caching=compute.CachingTypes.READ_WRITE,
            managed_disk=compute.ManagedDiskParametersArgs(
                storage_account_type=compute.StorageAccountTypes.PREMIUM_LRS,
            ),
            create_option="FromImage",
            disk_size_gb=30,
        ),
    ),
    hardware_profile=compute.HardwareProfileArgs(
        vm_size="Standard_DS1_v2",
    ),
    identity=compute.VirtualMachineIdentityArgs(
        type="SystemAssigned",  # This line enables a system-assigned managed identity
    ),
    location=resource_group.location,
)

# Export the principal ID of the system-assigned managed identity of the VM
pulumi.export("principal_id", vm.identity.apply(lambda identity: identity.principal_id))
# Export the public IP address of the virtual machine to access it
pulumi.export("public_ip", network_interface.ip_configurations[0].apply(lambda ip: ip.public_ip_address))

```

In this program:

- We import necessary modules from Pulumi's Azure plugin.
- We start by creating a new resource group called `rg`, which is required to group the resources in Azure.
- Then, we define a virtual network (`vnet`) and subnet (`subnet`) for our VM, which is necessary for providing network connectivity to the VM.
- A network interface (`network_interface`) is created that will be attached to the VM.
- The actual virtual machine (`vm`) is declared, specifying the necessary profiles such as network profile, OS profile, and storage profile.
- We assign a system-managed identity to the VM using `VirtualMachineIdentityArgs`.
- Finally, we export the principal ID of the system-assigned managed identity and the public IP address of the VM that you can use to connect to it.

Remember, this program assumes you already have Pulumi and Azure CLI installed and configured. After deploying this stack using `pulumi up`, the Azure VM should be created and assigned a managed identity. You can then further configure role-based access control (RBAC) policies to grant permissions to the VM for other Azure resources as you see fit.