azure permissions azure-machine-learning-service azure-bicep

Bicep Azure Machine learning custom role assignment

List of role assignments:

https://learn.microsoft.com/en-us/azure/machine-learning/how-to-assign-roles?view=azureml-api-2&tabs=team-lead

i want to implement a Data Scientist Custom role. how can i create a role assignment in bicep for this

the documentation gives the following json file

{
    "Name": "Data Scientist Custom",
    "IsCustom": true,
    "Description": "Can run experiment but can't create or delete compute.",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete", 
        "Microsoft.Authorization/*/write"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.MachineLearningServices/workspaces/<workspaceName>"
    ]
}

Solution

You need to do two things: create the custom role and assign the role. The template below:

Fetches the existing machine learning workspace.
Creates a custom role that matches the json from the example.
Assigns it to a principal specified in the parameters.

targetScope = 'resourceGroup'

@description('Required. The machine learning workspace name.')
param machineLearningWorkspaceName string

@description('Required. The principal type to assign the custom role to.')
@allowed([
  'Device'
  'ForeignGroup'
  'Group'
  'ServicePrincipal'
  'User'
])
param roleAssignmentPrincipalType string

@description('Required. The principal id of the principal to assign the custom role to.')
param roleAssignmentPrincipalId string

// Get the existing machine learning workspace.
resource machineLearningWorkspace 'Microsoft.MachineLearning/workspaces@2019-10-01' existing = {
  name: machineLearningWorkspaceName
}

// Create the custom role definition.
resource dataScientistCustomRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: 'mlw-custom-role'
  properties: {
    roleName: 'Custom - Data Scientist'
    description: 'Can run experiments but can\'t create or delete compute.'
    permissions: [
      {
        actions: ['*']
        notActions: [
          'Microsoft.MachineLearningServices/workspaces/*/delete'
          'Microsoft.MachineLearningServices/workspaces/write'
          'Microsoft.MachineLearningServices/workspaces/computes/*/write'
          'Microsoft.MachineLearningServices/workspaces/computes/*/delete'
          'Microsoft.Authorization/*/write'
        ]
      }
    ]
    assignableScopes: [
      machineLearningWorkspace.id
    ]
  }
}

// Assign the role to a principal.
resource dataScientistCustomRoleRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: 'mlw-custom-role-assignment'
  scope: machineLearningWorkspace
  properties: {
    principalId: roleAssignmentPrincipalId
    principalType: roleAssignmentPrincipalType
    roleDefinitionId: dataScientistCustomRoleDefinition.id
  }
}