BeGreen

Reputation: 951

Azure RBAC Compute Cluster creation with python SDK v2

I am using Terraform to create an AML workbench with compute clusters. Once deployed, I have a project on my local computer that I want to run on a compute cluster.

So I take the Python Azure SDK v2 to get a compute, an MLClient, define a pipeline and publish it.

pipeline_job = create_pipeline(commands, "test", experiment_name, experiment_name)
pipeline_job = ml_client.jobs.create_or_update(pipeline_job)
print(pipeline_job)

But I get this error:

Message: The client '[email protected]' with object id 'xxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.MachineLearningServices/workspaces/computes/read' over scope '/subscriptions/xxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxx/resourceGroups/my-ressource-group-name/providers/Microsoft.MachineLearningServices/workspaces/my-machine-learning-workbench/computes/test' or the scope is invalid. If access was recently granted, please refresh your credentials.

So I checked the roles: my user had only the AzureML Data Scientist role, which might not be sufficient to use a compute cluster.

So I created a custom role with the read over compute and assigned to it. Here is the recap of the role:

{
    "id": "/subscriptions/xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxxxxxx",
    "properties": {
        "roleName": "AZURE-Datascience-AML-Contributor",
        "description": "This role is used for AML",
        "assignableScopes": [
            "/subscriptions/xxxxxxxxxxxx/resourceGroups/my-ressource-group"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.MachineLearningServices/workspaces/*/read",
                    "Microsoft.MachineLearningServices/workspaces/*/action",
                    "Microsoft.MachineLearningServices/workspaces/*/delete",
                    "Microsoft.MachineLearningServices/workspaces/*/write",
                    "Microsoft.Network/virtualNetworks/*/read",
                    "Microsoft.Network/virtualNetworks/subnets/join/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

But it still fails to create a job via Python. Here is the full list of non-custom roles that I assigned to myself with Terraform:

[
      "Storage Queue Data Contributor",
      "AzureML Data Scientist",
      "AzureML Compute Operator",
      "Network Contributor",
      "Data Factory Contributor",
      "Contributor",
      "Key Vault Contributor",
      "Support Request Contributor",
      "Storage Blob Data Contributor",
      "Storage Account Key Operator Service Role",
      "Cognitive Services User",
      "Cognitive Services Contributor",
      "Cognitive Services Usages Reader",
      "DocumentDB Account Contributor",
      "Key Vault Secrets Officer",
      "Reader",
      "Owner",
      "AzureML Registry User",
    ],

I assign this on the resource group where the Machine Learning workbench is. So I inherit the roles for AML.

But with all this, I still don't have the permission to create a job with python. But I can create it inside the Machine Learning Studio.

So I should be missing something, but I have no clue on what it is, some API role?

Upvotes: 1

Views: 118

Answers (1)

BeGreen

Reputation: 951

I found my error.

My config.json file to connect to the Workspace was wrong.

Since I deal with multiple AML Workspaces, I did not get the correct subscription_id in the file.

{
    "subscription_id": "xxxxxxxxxxxxxxxxxxxx",
    "resource_group": "my-ressource-group",
    "workspace_name": "my-machine-learning-workbench"
}

So the roles I created/assigned were correct. (Might even be too large)

Upvotes: 0
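
A check for the mismatch the answer describes, as an added example that is not part of the original post: it pulls the ARM scope out of the authorization error and tests whether that scope falls under a scope where roles were actually assigned. The subscription ids, the e-mail address and the function names are constructed for illustration.

```python
import re

# Constructed sample values: the GUIDs and e-mail are placeholders, not values from the post.
ERROR_MESSAGE = (
    "The client 'user@example.com' with object id '00000000-0000-0000-0000-000000000000' "
    "does not have authorization to perform action "
    "'Microsoft.MachineLearningServices/workspaces/computes/read' over scope "
    "'/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/my-ressource-group"
    "/providers/Microsoft.MachineLearningServices/workspaces/my-machine-learning-workbench"
    "/computes/test' or the scope is invalid."
)
# Scopes where the role assignments were made (constructed: a different subscription).
ASSIGNED_SCOPES = [
    "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/my-ressource-group"
]

SCOPE_PARTS = re.compile(
    r"^/subscriptions/(?P<subscription_id>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"(?:/providers/Microsoft\.MachineLearningServices/workspaces/(?P<workspace_name>[^/]+))?",
    re.IGNORECASE,
)

def denied_scope(message):
    """Return the ARM scope quoted after 'over scope' in the error text."""
    match = re.search(r"over scope '([^']+)'", message)
    if match is None:
        raise ValueError("no ARM scope found in message")
    return match.group(1)

def parse_denied_scope(message):
    """Split the denied scope into the same three keys config.json uses."""
    match = SCOPE_PARTS.match(denied_scope(message))
    if match is None:
        raise ValueError("scope is not a resource-group level ARM id")
    return match.groupdict()

def scope_is_covered(message, assigned_scopes):
    """True if the denied scope equals or sits under an assigned scope.
    ARM ids are case-insensitive, so compare lowercased."""
    denied = denied_scope(message).lower().rstrip("/")
    bases = [s.lower().rstrip("/") for s in assigned_scopes]
    return any(denied == b or denied.startswith(b + "/") for b in bases)

def diagnose(message, assigned_scopes):
    target = parse_denied_scope(message)
    if scope_is_covered(message, assigned_scopes):
        return "assignments cover the denied scope: review the role's actions"
    return ("request went to subscription %s, outside every assigned scope: "
            "check subscription_id in config.json" % target["subscription_id"])
```
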
