azureazure-machine-learning-serviceazure-bicep

Unable to access azureml datastore


full error "Unable to access data because you do not have 'Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action' permission in your role assignment for this workspace. Please contact your admin to assign you a role with this permission if you want to preview or access the data."

I have created a machine learning bicep file with all resources required. However getting the above error.

my bicep file contains the following i also have all required resources such as applicationInsights,containerRegistry,keyVault,storageAccount. The resources deploys successfully however when i go into azure machine learning click on datastore i get the error.

resource machineLearning 'Microsoft.MachineLearningServices/workspaces@2020-08-01' = {
  name: 'mlw'
  location: 'loc'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    // dependent resources
    applicationInsights: appInsights.id
    containerRegistry: containerRegistry.id
    keyVault: keyVaultId
    storageAccount: storage.id
  }
}

resource amlci 'Microsoft.MachineLearningServices/workspaces/computes@2020-08-01' = {
  name: 'mlw-cluster'
  parent: machineLearning
  location: loc
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    computeType: 'AmlCompute'
    properties: {
      vmSize: 'Standard_DS3_v2'
      subnet: null
      osType: 'Linux'
      scaleSettings: {
        maxNodeCount: 5
        minNodeCount: 0
      }
    }
  }
}


enter image description here

I have contributor rights

enter image description here


Solution

  • Self fixed adding for future reference for others as @Vinay B said assigning role assignments is required. I added the the AzureMLDataScientistRoleDefinition. This allows access to the datastore and entire workspace. the guid for this role is f6c7c914-8db3-469d-8ca1-694a8f32e121.

       @description('This is the built-in  azureml data scientist role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles')
        resource AzureMLDataScientistRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
          scope: subscription()
          name: 'f6c7c914-8db3-469d-8ca1-694a8f32e121'
        }
        
        resource AzureMLDataScientistRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
          name: guid(machineLearning.id, AzureMLDataScientistRoleDefinition.id)
          properties: {
            roleDefinitionId: AzureMLDataScientistRoleDefinition.id
            principalId:'mygroupid'
            principalType: 'Group'
          }
          //reference to your machine learning workspace
          scope: machineLearning
        }