Workspace ARM resource should repair missing permissions on other Azure objects (e.g. Key Vault)
The Microsoft.MachineLearningServices/workspaces ARM resource should be able to fix missing permissions on Azure resources it depends on (such as a Key Vault access policy) when it is redeployed.
Currently, the ML Workspace creates an AAD Service Principal for itself and assigns it at least these permissions (and perhaps more) during provisioning:
- Contributor access to the Resource Group
- Contributor access to the Container Registry
- an access policy in the Key Vault allowing all operations except Purge
- Storage Blob Data Contributor access to the Storage Account
However, if anything happens to these permissions (for example, the Key Vault access policy is accidentally removed because the Key Vault was updated via an ARM template), there should be a way to easily recreate all permissions needed by the ML Workspace.
It would be most convenient if the Microsoft.MachineLearningServices/workspaces ARM resource would check and repair the permissions when it is redeployed (updated).
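The drift scenario above (the workspace identity's Key Vault access policy silently dropped by a later template deployment) is easy to detect before it turns into "Access denied" at run time. The following is an added example, not code from the feedback thread or from Microsoft's tooling: it takes the vault definition as returned by ARM or `az keyvault show -o json`, compares the workspace identity's policy against "all operations except Purge", flags anything beyond that (e.g. an accidentally granted Purge), and builds the `az keyvault set-policy` call that restores the expected set. The permission-name lists, the identity GUIDs and the vault JSON are constructed assumptions; adjust them to what your vault actually exposes.

```python
"""Check an Azure ML workspace identity's Key Vault access policy for drift.

Added example: assumes the classic Key Vault permission names below and a
vault document in the shape ARM / `az keyvault show` returns.
"""

# Assumed meaning of "all operations except Purge" per category
# (classic Key Vault data-plane permission names, lower-cased).
EXPECTED = {
    "keys": {"get", "list", "update", "create", "import", "delete", "recover",
             "backup", "restore", "decrypt", "encrypt", "unwrapkey", "wrapkey",
             "verify", "sign"},
    "secrets": {"get", "list", "set", "delete", "recover", "backup", "restore"},
    "certificates": {"get", "list", "delete", "create", "import", "update",
                     "managecontacts", "getissuers", "listissuers", "setissuers",
                     "deleteissuers", "manageissuers", "recover", "backup",
                     "restore"},
}

# az CLI flag that carries each category (these flags exist on `az keyvault set-policy`).
_FLAG = {"keys": "--key-permissions", "secrets": "--secret-permissions",
         "certificates": "--certificate-permissions"}


def find_policy(vault, tenant_id, object_id):
    """Return the accessPolicies entry for (tenantId, objectId), or None if absent."""
    for policy in vault["properties"].get("accessPolicies", []):
        if (policy["tenantId"].lower() == tenant_id.lower()
                and policy["objectId"].lower() == object_id.lower()):
            return policy
    return None


def _granted(vault, tenant_id, object_id):
    """Lower-cased granted permissions per category; empty when no policy exists."""
    policy = find_policy(vault, tenant_id, object_id) or {}
    perms = policy.get("permissions", {})
    return {cat: {p.lower() for p in perms.get(cat, [])} for cat in EXPECTED}


def policy_drift(vault, tenant_id, object_id):
    """Map category -> sorted list of expected permissions that are missing.

    An empty dict means the identity holds everything the workspace provisions.
    A wholly missing policy reports every expected permission as missing.
    """
    granted = _granted(vault, tenant_id, object_id)
    return {cat: sorted(EXPECTED[cat] - granted[cat])
            for cat in EXPECTED if EXPECTED[cat] - granted[cat]}


def extra_permissions(vault, tenant_id, object_id):
    """Map category -> sorted permissions granted beyond the expected set (e.g. purge)."""
    granted = _granted(vault, tenant_id, object_id)
    return {cat: sorted(granted[cat] - EXPECTED[cat])
            for cat in EXPECTED if granted[cat] - EXPECTED[cat]}


def repair_command(vault_name, object_id, drift):
    """Build the `az keyvault set-policy` call restoring drifted categories.

    set-policy replaces the whole list for each category it names, so the
    full expected set is passed, never just the missing entries.
    Returns None when there is nothing to repair.
    """
    if not drift:
        return None
    parts = ["az", "keyvault", "set-policy", "--name", vault_name,
             "--object-id", object_id]
    for cat in drift:
        parts += [_FLAG[cat], *sorted(EXPECTED[cat])]
    return " ".join(parts)


# Constructed sample input (not real identities): the workspace identity was
# left with a trimmed-down policy after the vault was redeployed.
TENANT = "11111111-1111-1111-1111-111111111111"
WORKSPACE_OID = "22222222-2222-2222-2222-222222222222"
SAMPLE_VAULT = {
    "name": "kv-ml-demo",
    "properties": {
        "tenantId": TENANT,
        "accessPolicies": [
            {"tenantId": TENANT, "objectId": WORKSPACE_OID,
             "permissions": {"keys": ["Get", "List"],
                             "secrets": ["Get", "List", "Set"],
                             "certificates": []}},
            {"tenantId": TENANT, "objectId": "33333333-3333-3333-3333-333333333333",
             "permissions": {"secrets": ["Get", "Purge"]}},
        ],
    },
}

if __name__ == "__main__":
    drift = policy_drift(SAMPLE_VAULT, TENANT, WORKSPACE_OID)
    for cat, missing in drift.items():
        print(f"{cat}: missing {', '.join(missing)}")
    print(repair_command(SAMPLE_VAULT["name"], WORKSPACE_OID, drift))
```

Run it against `az keyvault show --name <vault> -o json` and the workspace identity's principalId (from the workspace's `identity` block) before and after each template deployment; a non-empty drift is the moment to repair the policy, before the workspace's background operations start failing.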
Hi Azure Customer,
Thank you for your feedback and providing this insight to us. This Service API exists; you can use the CLI "az ml workspace sync-keys" to do it. We have opened an item to improve the discoverability through the Azure Portal for customers.
Azure CXP Community
Christian Weiss commented
This looks like a blocker for using ARM templates.
Ideally, I'd like to set up a "UserAssigned" identity in the ARM template and then assign the necessary accessPolicies myself in the ARM template to that "UserAssigned" identity - together with our custom accessPolicies.
This way the accessPolicies are always active and no ML background service has to restore them (which would probably result in downtime due to Access denied errors).