feat: add support for system-assigned managed identity and role assignments in Azure Cognitive Services

Author: Pavan-Microsoft

code/backend/batch/utilities/helpers/env_helper.py

@@ -35,6 +35,7 @@ def __load_config(self, **kwargs) -> None:
         self.secretHelper = SecretHelper()
 
         self.LOGLEVEL = os.environ.get("LOGLEVEL", "INFO").upper()
+        self.APP_ENV = os.getenv("APP_ENV", "Prod").lower()
 
         # Azure
         self.AZURE_SUBSCRIPTION_ID = os.getenv("AZURE_SUBSCRIPTION_ID", "")

code/backend/batch/utilities/integrated_vectorization/azure_search_datasource.py

@@ -36,8 +36,12 @@ def create_or_update_datasource(self):
             connection_string=connection_string,
             container=container,
             data_deletion_detection_policy=NativeBlobSoftDeleteDeletionDetectionPolicy(),
-            identity=SearchIndexerDataUserAssignedIdentity(
-                user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+            identity=(
+                None
+                if getattr(self.env_helper, "APP_ENV", "").lower() == "dev"
+                else SearchIndexerDataUserAssignedIdentity(
+                    user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+                )
             ),
         )
         self.indexer_client.create_or_update_data_source_connection(

code/backend/batch/utilities/integrated_vectorization/azure_search_index.py

@@ -145,8 +145,12 @@ def get_vector_search_config(self):
             azure_open_ai_parameters = AzureOpenAIParameters(
                 resource_uri=self.env_helper.AZURE_OPENAI_ENDPOINT,
                 deployment_id=self.env_helper.AZURE_OPENAI_EMBEDDING_MODEL,
-                auth_identity=SearchIndexerDataUserAssignedIdentity(
-                    user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+                auth_identity=(
+                    None
+                    if getattr(self.env_helper, "APP_ENV", "").lower() == "dev"
+                    else SearchIndexerDataUserAssignedIdentity(
+                        user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+                    )
                 ),
             )
 

code/backend/batch/utilities/integrated_vectorization/azure_search_skillset.py

@@ -96,8 +96,12 @@ def create_skillset(self):
                 if self.env_helper.is_auth_type_keys()
                 else None
             ),
-            auth_identity=SearchIndexerDataUserAssignedIdentity(
-                user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+            auth_identity=(
+                None
+                if getattr(self.env_helper, "APP_ENV", "").lower() == "dev"
+                else SearchIndexerDataUserAssignedIdentity(
+                    user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+                )
             ),
             inputs=[
                 InputFieldMappingEntry(name="text", source="/document/pages/*"),

infra/main.bicep

@@ -872,6 +872,21 @@ module search 'modules/core/search/search-services.bicep' = if (databaseType ==
         principalType: 'User'
       }
     ] : [])
+    enableSystemAssigned: true
+    systemAssignedRoleAssignments: [
+      {
+        resourceId: storage.outputs.id
+        roleName: 'Storage Blob Data Contributor'
+        roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+        principalType: 'ServicePrincipal'
+      }
+      {
+        resourceId: openai.outputs.resourceId
+        roleName: 'Cognitive Services User'
+        roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
+        principalType: 'ServicePrincipal'
+      }
+    ]
   }
 }