Manage access to an Azure Machine Learning workspace

Study Notes


It is critical to control who has access to an ML workspace and what they are allowed to do in it.

Role Access Levels:
  • AzureML Data Scientist
    Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.
  • AzureML Compute Operator
    Can create, manage and access compute resources within a workspace.
  • Reader
    Read-only actions in the workspace. Readers can list and view assets, including datastore credentials, in a workspace. Readers can't create or update these assets.
  • Contributor
    View, create, edit, or delete (where applicable) assets in a workspace. For example, contributors can create an experiment, create or attach a compute cluster, submit a run, and deploy a web service.
  • Owner
    Full access to the workspace, including the ability to view, create, edit, or delete (where applicable) assets in a workspace. Additionally, you can change role assignments.
  • AzureML Registry User
    Can get registries, and read, write and delete assets within them. Cannot create new registry resources or delete them.
It is also possible to create custom roles; that is out of scope here. For more information see the Resources section.


An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.
This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.
For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.


Create a service principal using Azure portal

1.
Go to Azure Active Directory
Select App Registrations > New Registration
Enter a name for the application
Click Register
You will be taken to the application's page.

2.
Go to Certificates & secrets
Click New client secret
Enter a Description and choose when it Expires.
Click Add

3.
The freshly generated client secret is shown in the list.
Write down the Value and keep it safe; it will not be shown again.
Note: the Secret ID will be referred to later as the Password.

4.
Click on Overview
Write down:
Client ID
Tenant ID


Create a service principal using Azure CLI
Command prompt or Visual Studio terminal

1.
# Login (interactive process)
az login

If you have multiple subscriptions or you do not know the subscription ID:
# Find subscriptions details
az account list -o table

# Set current subscriptions
az account set -s <Subscription ID>

# Assume we create an Azure Service Principal with
# Name: ml-auth-contributor
# Role: Contributor
# Scope: the whole subscription (all workspaces in it get Contributor)
az ad sp create-for-rbac --name ml-auth-contributor --role Contributor --scopes /subscriptions/nnnnnnnnnnnn-nnnnnnnnnnnnn-nnnnnnnnnnnn
Result:
Creating 'Contributor' role assignment under scope '/subscriptions/nnnn-nnnnnn-nnnnnnn'
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
{
"appId": "aaaaaaaaaaaaaa-aaaaaaaaaaaaaa-aaaaaaaaaaaa",
"displayName": "ml-auth1",
"password": "ppppppppppppppppp-ppppppppppppp-pppppppppp",
"tenant": "ttttttttttttt-ttttttttttttttt-tttttttttttttt"
}


appId will be referred to as Client ID.
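As an added example (not part of these notes or of Azure's own tooling), the following Python takes the JSON that az ad sp create-for-rbac prints, maps appId / tenant / password to the AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET environment variables that azure-identity reads, stores them in a file only the owner can read instead of in notebook code, and builds a --scopes value limited to a single workspace rather than the whole subscription. The JSON sample and its GUIDs are constructed placeholders.

```python
import json
import os
import re
import tempfile

# Constructed sample of the JSON that `az ad sp create-for-rbac` prints;
# every value here is a fake placeholder, not a real credential.
SAMPLE_SP_JSON = """{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "ml-auth-contributor",
  "password": "fake-client-secret-value",
  "tenant": "66666666-7777-8888-9999-000000000000"
}"""

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# appId -> Client ID, tenant -> Tenant ID, password -> secret value, using the
# variable names that azure-identity's EnvironmentCredential reads.
ENV_NAMES = {"appId": "AZURE_CLIENT_ID",
             "tenant": "AZURE_TENANT_ID",
             "password": "AZURE_CLIENT_SECRET"}


def sp_output_to_env(sp_json: str) -> dict:
    """Map the create-for-rbac JSON to env vars; reject malformed IDs early."""
    data = json.loads(sp_json)
    for key in ("appId", "tenant"):
        if not GUID_RE.match(data.get(key, "")):
            raise ValueError(f"{key} is not a GUID")
    if not data.get("password"):
        raise ValueError("password (client secret) missing")
    return {env: data[key] for key, env in ENV_NAMES.items()}


def write_env_file(env: dict, path: str = None) -> int:
    """Write KEY=VALUE lines readable only by the owner (mode 0600); return the mode."""
    if path is None:  # default: a fresh temp dir, never the source tree
        path = os.path.join(tempfile.mkdtemp(), "sp.env")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for key, value in env.items():
            fh.write(f"{key}={value}\n")
    return os.stat(path).st_mode & 0o777


def workspace_scope(subscription_id: str, resource_group: str, workspace: str) -> str:
    """Least-privilege --scopes value: one workspace, not the whole subscription."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.MachineLearningServices/workspaces/{workspace}")
```

Pass the result of workspace_scope() to --scopes when the service principal only needs one workspace; source the env file in the shell that starts Jupyter so the notebook never contains the secret.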

How to use the service principal
Jupyter notebook.

Example:
Get the workspace to be used in an experiment.


If you have not yet installed the packages:
pip install azure-identity
pip install azure-mgmt-support
pip install azureml-core

Login using the Azure service principal. ServicePrincipalAuthentication is azureml-core's own class; the credentials are read from environment variables rather than pasted into the notebook.
import os
from azureml.core.authentication import ServicePrincipalAuthentication

sp_auth = ServicePrincipalAuthentication(
    tenant_id=os.environ["AZURE_TENANT_ID"],                        # Tenant ID
    service_principal_id=os.environ["AZURE_CLIENT_ID"],             # Client ID (appId)
    service_principal_password=os.environ["AZURE_CLIENT_SECRET"],   # Password (secret value)
)

Set workspace.
from azureml.core import Workspace

ws = Workspace(
    subscription_id="<SUBSCRIPTION_ID>",
    resource_group="<RESOURCE_GROUP_NAME>",
    workspace_name="<WORKSPACE_NAME>",
    auth=sp_auth,  # without auth=, Workspace() falls back to interactive login
)
print(ws)
Result:
Workspace.create(name='<WORKSPACE_NAME>', subscription_id='<SUBSCRIPTION_ID>', resource_group='<RESOURCE_GROUP_NAME>')

Or

Make sure the following file exists:
./.azureml/config.json
{
"subscription_id": "<SUBSCRIPTION_ID>",
"resource_group": "<RESOURCE_GROUP_NAME>",
"workspace_name": "<WORKSPACE_NAME>"
}

Run:
from azureml.core import Workspace

ws = Workspace.from_config()
print(ws)
Result:
Workspace.create(name='<WORKSPACE_NAME>', subscription_id='<SUBSCRIPTION_ID>', resource_group='<RESOURCE_GROUP_NAME>')


To continue, see:
Set up authentication - Azure Machine Learning | Microsoft Learn


Resources:
Manage roles in your workspace - Azure Machine Learning | Microsoft Learn
Create an Azure service principal – Azure CLI | Microsoft Learn
Azure ML Package client library for Python | Microsoft Learn
Set up authentication - Azure Machine Learning | Microsoft Learn
Manage workspaces in portal or Python SDK (v2) - Azure Machine Learning | Microsoft Learn
az ml workspace | Microsoft Learn
azureml.core.workspace.Workspace class - Azure Machine Learning Python | Microsoft Learn
Workspace | Azure Machine Learning