Tags: azure, azure-machine-learning-service, azure-bicep, bicep

Unable to access azureml datastore


Full error: "Unable to access data because you do not have 'Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action' permission in your role assignment for this workspace. Please contact your admin to assign you a role with this permission if you want to preview or access the data."

I have created a machine learning Bicep file with all resources required. However, I am getting the above error.

My Bicep file contains the following. I also have all required resources, such as applicationInsights, containerRegistry, keyVault, and storageAccount. The resources deploy successfully; however, when I go into Azure Machine Learning and click on the datastore, I get the error.

resource machineLearning 'Microsoft.MachineLearningServices/workspaces@2020-08-01' = {
  name: 'mlw'
  location: 'loc'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    // dependent resources
    applicationInsights: appInsights.id
    containerRegistry: containerRegistry.id
    keyVault: keyVaultId
    storageAccount: storage.id
  }
}

resource amlci 'Microsoft.MachineLearningServices/workspaces/computes@2020-08-01' = {
  name: 'mlw-cluster'
  parent: machineLearning
  location: loc
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    computeType: 'AmlCompute'
    properties: {
      vmSize: 'Standard_DS3_v2'
      subnet: null
      osType: 'Linux'
      scaleSettings: {
        maxNodeCount: 5
        minNodeCount: 0
      }
    }
  }
}



I have contributor rights



Solution

  • Self-fixed; adding for future reference for others. As @Vinay B said, assigning role assignments is required. I added the AzureMLDataScientistRoleDefinition. This allows access to the datastore and entire workspace. The GUID for this role is f6c7c914-8db3-469d-8ca1-694a8f32e121.

        @description('This is the built-in azureml data scientist role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles')
        resource AzureMLDataScientistRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
          scope: subscription()
          name: 'f6c7c914-8db3-469d-8ca1-694a8f32e121'
        }

        resource AzureMLDataScientistRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
          name: guid(machineLearning.id, AzureMLDataScientistRoleDefinition.id)
          properties: {
            roleDefinitionId: AzureMLDataScientistRoleDefinition.id
            principalId: 'mygroupid'
            principalType: 'Group'
          }
          // reference to your machine learning workspace
          scope: machineLearning
        }
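
One way to check offline whether a role definition grants the action named in the error message before assigning it (an added example, not part of the original question or answer). The role names and permission lists are constructed samples, not the real built-in definitions, and the JSON shape assumes the output of `az role definition list`.

```python
import json
import re

# Action named in the error message on this page.
REQUIRED = "Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action"

# Constructed sample, shaped like `az role definition list` output.
# These are NOT the real definitions of any built-in role.
SAMPLE_ROLES = json.loads("""
[
  {"roleName": "constructed-ml-viewer",
   "permissions": [{"actions": ["Microsoft.MachineLearningServices/workspaces/*/read"],
                    "notActions": []}]},
  {"roleName": "constructed-ml-user",
   "permissions": [{"actions": ["Microsoft.MachineLearningServices/workspaces/*/read",
                                "Microsoft.MachineLearningServices/workspaces/*/action"],
                    "notActions": ["Microsoft.MachineLearningServices/workspaces/listKeys/action"]}]},
  {"roleName": "constructed-ml-no-secrets",
   "permissions": [{"actions": ["Microsoft.MachineLearningServices/*"],
                    "notActions": ["Microsoft.MachineLearningServices/workspaces/datastores/listSecrets/action"]}]}
]
""")


def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC pattern match: '*' is a wildcard, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def grants(role: dict, action: str) -> bool:
    """True if a permission block allows `action` (Actions minus NotActions)."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False


def roles_granting(roles: list, action: str) -> list:
    """Names of the roles in `roles` that grant `action`, sorted."""
    return sorted(r["roleName"] for r in roles if grants(r, action))


if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(f"{role['roleName']:28} grants listsecrets: {grants(role, REQUIRED)}")
```

A `notActions` entry only subtracts from the same role's `actions`; it is not a deny, so another role assigned to the same principal can still grant the action.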