Workspace ARM resource should repair missing permissions on other Azure objects (e.g. Key Vault)
The Microsoft.MachineLearningServices/workspaces ARM resource should be able to fix missing permissions on Azure resources it depends on (such as Key Vault access policy) when it is redeployed.
Currently, the ML Workspace creates an AAD Service Principal for itself and assigns it at least these permissions (and perhaps more) during provisioning:
- Contributor access to the Resource Group
- Contributor access to the Container Registry
- an access policy in the Key Vault allowing all operations except Purge
- Storage Blob Data Contributor access to the Storage Account
However, if anything happens to these permissions (for example, the Key Vault access policy is accidentally removed because the Key Vault was updated via an ARM template), there should be a way to easily recreate all permissions needed by the ML Workspace.
It would be most convenient if the Microsoft.MachineLearningServices/workspaces ARM resource would check and repair the permissions when it is redeployed (updated).
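Until such a repair exists, the drift described above can at least be detected. The following is an added example, not part of the original post or of any Azure tooling: it checks the four permissions listed above against JSON shaped like the output of `az role assignment list` and `az keyvault show`. The function names, the resource names and all IDs are constructed placeholders, and it only checks that a Key Vault access policy entry exists for the principal, not which operations it allows.

```python
# Added example: offline drift check for the permissions listed in the post.
# Input shapes follow `az role assignment list` and `az keyvault show` JSON.
REQUIRED_ROLES = [  # (role, key into `scopes`), from the list in the post
    ("Contributor", "resource_group"),
    ("Contributor", "container_registry"),
    ("Storage Blob Data Contributor", "storage_account"),
]

def scope_covers(assignment_scope, resource_id):
    """An RBAC assignment applies at its scope and to everything beneath it."""
    if not assignment_scope:
        return False
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def missing_permissions(principal_id, role_assignments, key_vault, scopes):
    """Return findings for the given principal; an empty list means no drift."""
    pid = principal_id.lower()
    mine = [a for a in role_assignments
            if (a.get("principalId") or "").lower() == pid]
    findings = []
    for role, key in REQUIRED_ROLES:
        held = any(a.get("roleDefinitionName") == role
                   and scope_covers(a.get("scope"), scopes[key]) for a in mine)
        if not held:
            findings.append(f"{role} on {key}")
    policies = (key_vault.get("properties") or {}).get("accessPolicies") or []
    if not any((p.get("objectId") or "").lower() == pid for p in policies):
        findings.append("Key Vault access policy")
    return findings

# Constructed sample data (placeholder IDs, not taken from a real tenant).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ml"
SCOPES = {
    "resource_group": RG,
    "container_registry": RG + "/providers/Microsoft.ContainerRegistry/registries/mlacr",
    "storage_account": RG + "/providers/Microsoft.Storage/storageAccounts/mlstore",
}
WORKSPACE_SP = "11111111-1111-1111-1111-111111111111"
ASSIGNMENTS = [  # RG-level Contributor also covers the registry by inheritance
    {"principalId": WORKSPACE_SP, "roleDefinitionName": "Contributor", "scope": RG},
    {"principalId": WORKSPACE_SP, "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SCOPES["storage_account"]},
]
# Key Vault whose access policies were wiped by a template redeploy.
DRIFTED_VAULT = {"properties": {"accessPolicies": []}}

if __name__ == "__main__":
    print(missing_permissions(WORKSPACE_SP, ASSIGNMENTS, DRIFTED_VAULT, SCOPES))
```

Run on a schedule or after each Key Vault template deployment, a non-empty result is the signal that the workspace's permissions need to be recreated.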