Role-Based Access Control for Azure ML Workspaces
PythonRole-Based Access Control (RBAC) is a system that provides fine-grained access management to resources. When it comes to Azure Machine Learning workspaces, you can assign roles to users, groups, applications, and managed identities to control who can do what with specific resources in Azure. For example, in an Azure ML workspace, you might want different permissions for data scientists and engineers who need to deploy models.
Below, I'll show you how to define RBAC for an Azure Machine Learning workspace using Pulumi in Python. You'll create an Azure ML workspace and assign a role to a user.
First, ensure you have the following requirements in your development environment:
- Pulumi CLI installed.
- Azure CLI installed and configured with an account that has permissions to manage Azure resources.
- Python 3.x installed.
- An Azure subscription where you have permissions to create resources.
In our Pulumi program, you'll need to import the required Pulumi Azure Native package to create and manage Azure resources. Then we will:
- Create the Machine Learning Workspace.
- Define a role assignment that grants a user Contributor access to the workspace.
The Azure Pulumi package
pulumi_azure_nativewill be used and we will leverage theWorkspaceclass to create a Machine Learning workspace, and theRoleAssignmentclass to define RBAC.Let's start with the program.
import pulumi import pulumi_azure_native.authorization as authorization import pulumi_azure_native.machinelearningservices as ml from pulumi_azure_native.resources import ResourceGroup # Firstly, you will create a new resource group where your resources will live resource_group = ResourceGroup("resource_group") # Creating the Azure ML Workspace ml_workspace = ml.Workspace( "ml_workspace", resource_group_name=resource_group.name, location=resource_group.location, sku=ml.SkuArgs( name="Basic", # Choose the appropriate SKU for your case, "Basic" should be fine for most scenarios ), ) # In this step, you assign a role to a user to access the ML Workspace # You will need the following: # - The role definition ID for the role you wish to assign (I will use the Contributor role as an example) # - The ID of the principal (user, group, or service principal) you want to assign the role to # Replace <principal-id> with the actual ID of the user or service principal you want to assign the role to principal_id = "<principal-id>" # Assigning the Contributor role to a user for the ML Workspace (you could look up the role definition dynamically as well) role_assignment = authorization.RoleAssignment( "role_assignment", scope=ml_workspace.id, role_definition_id=f"/subscriptions/{pulumi.config.get('azure-native:subscriptionId')}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", principal_id=principal_id, principal_type=authorization.PrincipalType.USER, ) # Export the outputs - in this case, the Azure ML Workspace URL pulumi.export("workspace_url", ml_workspace.workspace_url)In the above program:
- We start by importing necessary modules from the Pulumi Azure Native SDK.
- We create a new resource group where our workspace will reside.
- We instantiate an ML workspace with basic SKU within the created resource group.
- We define a role assignment with the Contributor role, which gives broad access to manage resources in the workspace, but does not allow the assignee to grant roles to others.
- Lastly, we export the URL of the workspace for easy access.
Please replace
<principal-id>with the actual ID of the user or service principal you wish to assign the Contributor role. You can find this ID in the Azure Portal or via the Azure CLI.This program sets up your Azure ML workspace and assigns the necessary permissions for a user to act as a Contributor. If you need other roles or a different setup, adjust the role definition and assignment accordingly.
Make sure to run
pulumi upto deploy these resources to your Azure subscription. The command will provide a preview and ask for confirmation before making any changes.