Role Assignments for AML Workspace Access
Overview
Role assignments for the AML workspace are managed using Terraform configurations that define scopes, principal IDs, and specific role definitions. Permissions are set in the following file:
- Terraform Role Assignment Path: `terraform/terragrunt/dev/machine_learning/iam/role_assignment/terragrunt.hcl`
Purpose of Role Assignment Blocks
The `terragrunt.hcl` file defines role assignments that grant specific permissions to users and compute resources within the AML workspace. Below are the key sections of the role assignments:
Main Configuration Block
```hcl
terraform {
  source = "../../../../modules/role_assignment/"
}
```
Example Role Assignment Structure
Each assignment specifies:
- Principal IDs: The identities authorized to perform actions, e.g., the workspace identity or compute cluster identities.
- Scope: The Azure resource the role applies to.
- Role Definitions: Specific Azure roles, such as `Reader`, `Storage Blob Data Reader`, `Storage Blob Data Contributor`, etc.
Example Configuration
Assigning Reader and Data Reader Roles
```hcl
{
  ref_name              = "adlsbronze"
  principal_ids         = [dependency.workspace.outputs.identity[0].principal_id]
  scope                 = dependency.adls.outputs.buckets["bronze"].id
  role_definition_names = ["Reader", "Storage Blob Data Reader", "Storage Queue Data Reader"]
}
```
Assigning Data Contributor Roles to Compute Clusters
```hcl
{
  ref_name      = "adlsbronze"
  principal_ids = [
    dependency.compute.outputs.compute_clusters["cpu-cluster"].identity.principal_id,
    dependency.compute.outputs.compute_clusters["gpu-cluster"].identity.principal_id
  ]
  scope                 = dependency.adls.outputs.buckets["bronze"].id
  role_definition_names = ["Storage Blob Data Contributor", "Storage Queue Data Contributor"]
}
```
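The two snippets above are fragments of a larger file. The following is an added example (not the project's own `terragrunt.hcl`) of how those fragments fit together with the `dependency` blocks that supply the principal IDs and scopes. It assumes the module takes a `role_assignments` list input and uses `ref_name` as its `for_each` key, that the upstream modules live at the relative `config_path` values shown, and that the mock output values are placeholders used only so `terragrunt validate` and `terragrunt plan` can run before the workspace, storage and compute modules have been applied. Because the two page snippets share `ref_name = "adlsbronze"`, this example gives each entry a distinct `ref_name` so the keys cannot collide if the module does key on that field.

```hcl
# Added example: a complete terragrunt.hcl wiring the role assignments to their
# dependencies. Paths, mock values and the `role_assignments` input name are
# assumptions, not taken from the project's module.
include "root" {
  path = find_in_parent_folders()
}

terraform {
  source = "../../../../modules/role_assignment/"
}

# Workspace managed identity: the principal that reads from the bronze layer.
dependency "workspace" {
  config_path = "../../workspace"                     # assumed path
  mock_outputs = {
    # placeholder GUID, never a real identity
    identity = [{ principal_id = "00000000-0000-0000-0000-000000000000" }]
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

# Storage account containers ("buckets") exposed by the ADLS module.
dependency "adls" {
  config_path = "../../../storage/adls"               # assumed path
  mock_outputs = {
    buckets = {
      bronze = { id = "/subscriptions/PLACEHOLDER/resourceGroups/rg-placeholder/providers/Microsoft.Storage/storageAccounts/stplaceholder/blobServices/default/containers/bronze" }
    }
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

# Compute clusters whose managed identities write job outputs to bronze.
dependency "compute" {
  config_path = "../../compute"                       # assumed path
  mock_outputs = {
    compute_clusters = {
      "cpu-cluster" = { identity = { principal_id = "00000000-0000-0000-0000-000000000001" } }
      "gpu-cluster" = { identity = { principal_id = "00000000-0000-0000-0000-000000000002" } }
    }
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

inputs = {
  # Assumed module input: a list of assignments, one object per (principals, scope) pair.
  role_assignments = [
    # Least privilege for the workspace identity: read-only on bronze.
    {
      ref_name              = "adlsbronze-workspace-read"
      principal_ids         = [dependency.workspace.outputs.identity[0].principal_id]
      scope                 = dependency.adls.outputs.buckets["bronze"].id
      role_definition_names = ["Reader", "Storage Blob Data Reader", "Storage Queue Data Reader"]
    },
    # Write access is granted only to the compute identities that produce data,
    # and only at container scope, not at the storage account or subscription.
    {
      ref_name = "adlsbronze-compute-write"
      principal_ids = [
        dependency.compute.outputs.compute_clusters["cpu-cluster"].identity.principal_id,
        dependency.compute.outputs.compute_clusters["gpu-cluster"].identity.principal_id,
      ]
      scope                 = dependency.adls.outputs.buckets["bronze"].id
      role_definition_names = ["Storage Blob Data Contributor", "Storage Queue Data Contributor"]
    },
  ]
}
```

Keeping `scope` at the container resource ID rather than the storage account keeps the blast radius of a compromised compute identity to the bronze container; a `terragrunt plan` against the mock outputs shows exactly which principal-scope-role triples will be created before anything is applied.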
Additional Resources
Refer to the following for further details:
- Group Definitions: `NIP-Lakehouse-Infra/terraform/terragrunt/neoxia_groups.yml`
- Complete Role Assignment Setup: `terraform/terragrunt/dev/machine_learning/iam/role_assignment/terragrunt.hcl`