Update ML Sample Pipeline to use ARM Service Connection (#36896)

scbedd · web-flow · commit 44446bdc1b43 · 2024-08-14T15:53:05.000-07:00
* utilize managed identity w/ service connection instead of static connection string for ml samples artifact upload
diff --git a/eng/pipelines/trigger-ml-sample-pipeline.yml b/eng/pipelines/trigger-ml-sample-pipeline.yml
@@ -4,7 +4,7 @@ parameters:
     default: 'ml'
   - name: Artifacts
     type: object
-    default: 
+    default:
     - name: azure-ai-ml
       safeName: azureaiml
       skipVerifyChangeLog: true
@@ -17,7 +17,9 @@ jobs:
     displayName: "Build, Upload, and PR Azure ML Changeset"
     timeoutInMinutes: 90
     variables:
-    - template: ../variables/globals.yml
+      - name: StorageAccountName
+        value: 'docsupport'
+      - template: /eng/pipelines/templates/variables/globals.yml
 
     pool:
       name: azsdk-pool-mms-ubuntu-2004-general
@@ -39,9 +41,9 @@ jobs:
         versionSpec: $(PythonVersion)
 
     - script: |
-        python -m pip install setuptools==58.3.0
-        python -m pip install -r eng/ci_tools.txt
-        python -m pip install -r eng/ml_sample_tools.txt
+        python -m pip install tools/azure-sdk-tools[build]
+        python -m pip install azure-identity
+        python -m pip install azure-storage-blob
       displayName: 'Prep Environment'
 
     - pwsh: |
@@ -61,20 +63,24 @@ jobs:
         Get-ChildItem "$(mlrepo)" -R
       displayName: Output Staging Directory
 
-    - task: PythonScript@0
-      displayName: 'Generate Samples Repo Changes'
-      env:
-        BLOB_CONNECTION_STRING: $(azure-sdk-docsupport-cs)
+    - pwsh: |
+        cat "$(mlrepo)/sdk/python/setup.sh"
+      displayName: Display setup.sh pre-update
+
+    - task: AzurePowerShell@5
+      displayName: Generate Samples Repo Changes
       inputs:
-        scriptPath: 'scripts/devops_tasks/generate_ml_sample_update.py'
-        arguments: >-
-          --ml-repo="$(mlrepo)"
-          --ml-wheel-folder="$(Build.ArtifactStagingDirectory)/azure-ai-ml"
-          --build-id="$(Build.BuildId)"
+        azureSubscription: 'Azure SDK Artifacts'
+        azurePowerShellVersion: LatestVersion
+        pwsh: true
+        ScriptType: InlineScript
+        Inline: |
+          python scripts/devops_tasks/generate_ml_sample_update.py --ml-repo "$(mlrepo)" --ml-wheel-folder "$(Build.ArtifactStagingDirectory)/azure-ai-ml" --build-id "$(Build.BuildId)" --storage-account-name "$(StorageAccountName)";
+          exit $LASTEXITCODE;
 
     - pwsh: |
         cat "$(mlrepo)/sdk/python/setup.sh"
-      displayName: Display Updated setup.sh
+      displayName: Display setup.sh post-update
 
     - template: /eng/common/pipelines/templates/steps/create-pull-request.yml
       parameters:
diff --git a/scripts/devops_tasks/generate_ml_sample_update.py b/scripts/devops_tasks/generate_ml_sample_update.py
@@ -5,6 +5,7 @@
 import re
 
 from azure.storage.blob import BlobServiceClient
+from azure.identity import AzurePowerShellCredential, ChainedTokenCredential, AzureCliCredential
 
 UPLOAD_PATTERN = "{build_id}/{filename}"
 DEFAULT_CONTAINER = os.getenv("BLOB_CONTAINER", "ml-sample-submissions")
@@ -59,14 +60,23 @@ def replace_test_install_command(content, targeted_urls):
         help=("The folder from where the the azure ml wheel will reside."),
     )
 
+    parser.add_argument(
+        "--storage-account-name",
+        dest="storage_account_name",
+        help=("The name of the storage account"),
+    )
+
+
     args = parser.parse_args()
 
     print("Input repo {}".format(args.ml_root))
     print("Folder for search {}".format(args.wheel_folder))
 
     target_glob = os.path.join(os.path.abspath(args.wheel_folder), "*.whl")
     sdk_setup_sh = os.path.join(os.path.abspath(args.ml_root), "sdk", "python", "setup.sh")
-    blob_service_client = BlobServiceClient.from_connection_string(CONNECTION_STRING)
+    credential_chain = ChainedTokenCredential(AzureCliCredential(), AzurePowerShellCredential())
+
+    blob_service_client = BlobServiceClient(account_url=f"https://{args.storage_account_name}.blob.core.windows.net", credential=credential_chain)
     container_client = blob_service_client.get_container_client(DEFAULT_CONTAINER)
     to_be_installed = []
 
