Managed Identities for AI Services on Azure with Azure AD Users
Managed Identities on Azure provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use this identity to authenticate to any service that supports Azure AD authentication, including your own applications, Azure services, and Microsoft services. When using Managed Identities, there is no need to manage credentials, as Azure rotates the credentials automatically over time.
AI services on Azure can also use Managed Identities to securely access other Azure resources. This helps in scenarios where an AI service needs to pull data from a storage account or write logs to Azure Monitor.
To create Managed Identities and set them up for AI services on Azure, you often couple them with Azure AD users, which can also be managed via Pulumi code.
Below is a Pulumi program written in Python that sets up a Managed Identity for Azure AI services and an Azure AD User. This program utilizes the `azure-native` provider, which is the preferred way to interface with Azure resources using Pulumi.

Before running this program, you need to have the Pulumi CLI and Azure CLI installed and configured on your machine. You should be logged in via Azure CLI (`az login`) to the Azure account where you intend to deploy these resources.

```python
import pulumi
import pulumi_azure_native as azure_native
# Azure AD users are managed by the azuread provider (pulumi_azuread); azure-native
# does not expose an Azure AD user resource, so the user below uses azuread.User.
import pulumi_azuread as azuread

config = pulumi.Config()

# A User Assigned Identity must be placed in a resource group, so create one for the AI service.
resource_group = azure_native.resources.ResourceGroup(
    "aiResourceGroup",
    location="eastus",
)

# Create a User Assigned Identity for an Azure AI service
ai_identity = azure_native.managedidentity.UserAssignedIdentity(
    "aiIdentity",
    resource_group_name=resource_group.name,
    # The location for the identity must be the same as the location of the resource
    # that it will be associated with
    location=resource_group.location,
)

# Export the ID of the User Assigned Identity (and its principal ID, used for role assignments)
pulumi.export("ai_identity_id", ai_identity.id)
pulumi.export("ai_identity_principal_id", ai_identity.principal_id)

# Azure AD User parameters (replace with actual desired values).
# The password is read from the Pulumi stack configuration as an encrypted secret
# instead of being hardcoded:  pulumi config set --secret aadUserPassword '<value>'
aad_user_params = {
    "user_principal_name": "ai_user@example.com",
    "display_name": "AI User Managed Identity",
    "password": config.require_secret("aadUserPassword"),
}

# Create an Azure AD User for secure access to Azure services
aad_user = azuread.User(
    "aadUser",
    user_principal_name=aad_user_params["user_principal_name"],  # Unique username within the Azure AD tenant
    display_name=aad_user_params["display_name"],                # Display name of the user
    password=aad_user_params["password"],                        # A strong password, kept as a Pulumi secret
    # Other optional parameters can be provided based on requirements,
    # such as account_enabled, mail_nickname, etc.
)

# Export the User Principal Name of the Azure AD User
pulumi.export("aad_user_principal_name", aad_user.user_principal_name)
```
This Pulumi program does the following:
- It imports the required Pulumi modules.
- It defines a User Assigned Identity with the name `aiIdentity`, which AI services can use to authenticate against Azure resources that support Managed Identities.
- It exports the identity ID for later reference in other operations, such as granting the identity access to specific Azure resources.
- It sets up an Azure Active Directory (AD) user with a provided user principal name, display name, and password.
- Finally, it exports the User Principal Name so that you can use it for other configurations or references.
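The "granting the identity access" step is where least privilege is decided. The following Pulumi program is an added example, not part of the original program above or of Pulumi's own code: it creates the identity together with a storage account and assigns the identity the read-only `Storage Blob Data Reader` role scoped to that single account. The resource names (`aiRg`, `aidata`, `aiBlobReader`), the `check_assignment` policy helper and the choice of which roles count as privileged are assumptions of this example; the role definition GUIDs are Microsoft's published built-in role IDs. The helpers at the top are plain Python so they can be checked offline; the Pulumi resources are created only when the file runs as `__main__.py` under `pulumi up`.

```python
"""Grant a user-assigned identity a least-privilege data-plane role on one storage account."""
import re

# Microsoft's published built-in role definition GUIDs (identical in every Azure tenant).
BUILTIN_ROLE_IDS = {
    "Storage Blob Data Reader": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
    "Storage Blob Data Contributor": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
}

# Control-plane roles a workload identity should not hold (policy choice of this example).
PRIVILEGED_ROLES = {"Owner", "Contributor"}

# Scope of a single resource (or a child of it):
# /subscriptions/<id>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>[/...]
_RESOURCE_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/[^/]+/[^/]+/.+$"
)


def role_definition_id(subscription_id: str, role_name: str) -> str:
    """Fully qualified role definition ID expected by Microsoft.Authorization/roleAssignments."""
    return (f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization"
            f"/roleDefinitions/{BUILTIN_ROLE_IDS[role_name]}")


def check_assignment(role_name: str, scope: str) -> list:
    """Return the policy violations of a proposed assignment; an empty list means it is allowed."""
    problems = []
    if role_name not in BUILTIN_ROLE_IDS:
        problems.append(f"unknown role {role_name!r}")
    elif role_name in PRIVILEGED_ROLES:
        problems.append(f"{role_name} is a control-plane role; grant a data-plane role instead")
    if not _RESOURCE_SCOPE.match(scope):
        problems.append("scope must be a single resource, not a subscription or resource group")
    return problems


if __name__ == "__main__":  # Pulumi runs __main__.py as __main__, so this is the deployed program
    import pulumi
    import pulumi_azure_native as azure_native

    ROLE = "Storage Blob Data Reader"  # read-only data-plane access is all the AI service needs here

    rg = azure_native.resources.ResourceGroup("aiRg", location="eastus")
    identity = azure_native.managedidentity.UserAssignedIdentity(
        "aiIdentity", resource_group_name=rg.name, location=rg.location)

    # azure-native derives a valid, globally unique account name from the logical name "aidata".
    storage = azure_native.storage.StorageAccount(
        "aidata",
        resource_group_name=rg.name,
        location=rg.location,
        sku=azure_native.storage.SkuArgs(name="Standard_LRS"),
        kind="StorageV2",
        allow_blob_public_access=False,   # blobs reachable only through RBAC, never anonymously
        minimum_tls_version="TLS1_2",
    )

    subscription_id = azure_native.authorization.get_client_config().subscription_id

    def validated_scope(scope: str) -> str:
        """Refuse to create the assignment if it violates the policy above."""
        problems = check_assignment(ROLE, scope)
        if problems:
            raise ValueError("refusing role assignment: " + "; ".join(problems))
        return scope

    azure_native.authorization.RoleAssignment(
        "aiBlobReader",
        principal_id=identity.principal_id,
        principal_type="ServicePrincipal",  # a managed identity is a service principal in Azure AD
        role_definition_id=role_definition_id(subscription_id, ROLE),
        scope=storage.id.apply(validated_scope),  # the storage account only, not the resource group
    )

    pulumi.export("ai_identity_client_id", identity.client_id)
    pulumi.export("storage_account_id", storage.id)
```

Two practical notes: a role assignment for a freshly created identity can fail on the first `pulumi up` with a "principal not found" error while Azure AD replicates the new service principal, and simply re-running the update resolves it; and because the scope is the storage account rather than the resource group, adding a second account later requires a deliberate second assignment, which is the point of scoping this way.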
To run this Pulumi program, save the code to a file named `__main__.py`, navigate to that directory in your command line, and execute `pulumi up`. This will prompt Pulumi to perform an update, which creates the resources defined in the code in your Azure subscription.

Replace the placeholder values, such as the user principal name `ai_user@example.com` and the password, with actual values that conform to your Azure AD policies.

Keep in mind that managing users and credentials in code raises important security considerations. Passwords and other credentials should be managed via a secure secret store (for example, Pulumi's encrypted stack configuration or Azure Key Vault) and never hardcoded in your Pulumi programs.