Merge pull request #211885 from rastala/ci-msi

prmerger-automator[bot] · web-flow · commit b8dbf31c090d · 2022-09-28T16:41:49.000Z
Update how-to-create-manage-compute-instance.md
diff --git a/articles/machine-learning/how-to-create-manage-compute-instance.md b/articles/machine-learning/how-to-create-manage-compute-instance.md
@@ -428,6 +428,58 @@ Following is a sample policy to default a shutdown schedule at 10 PM PST.
 }    
 ```
 
+## Assign managed identity (preview)
+
+You can assign a system- or user-assigned [managed identity](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) to a compute instance, to autheticate against other Azure resources such as storage. Using managed identities for authentication helps improve workspace security and management. For example you can allow users to access training data only when logged in to compute instance, or use a common user-assigned managed identity to permit access to a specific storage account. 
+
+You can create compute instance with managed identity from Azure ML Studio:
+
+1.	Fill out the form to [create a new compute instance](?tabs=azure-studio#create).
+1.	Select **Next: Advanced Settings**.
+1.	Enable **Assign a managed identity**.
+1.  Select **System-assigned** or **User-assigned** under **Identity type**.
+1.  If you selected **User-assigned**, select subscription and name of the identity.
+
+You can use V2 CLI to create compute instance with assign system-assigned managed identity:
+
+```azurecli
+az ml compute create --name myinstance --identity-type SystemAssigned --type ComputeInstance --resource-group my-resource-group --workspace-name my-workspace
+```
+
+You can also use V2 CLI with yaml file, for example to create a compute instance with user-assigned managed identity:
+
+```azurecli
+azure ml compute create --file compute.yaml --resource-group my-resource-group --workspace-name my-workspace
+```
+
+The identity definition is contained in compute.yaml file:
+
+```yaml
+https://azuremlschemas.azureedge.net/latest/computeInstance.schema.json
+name: myinstance
+type: computeinstance
+identity:
+  type: user_assigned
+  user_assigned_identities: 
+    - resource_id: identity_resource_id
+```
+
+Once the managed identity is created, enable [identity-based data access enabled](how-to-identity-based-data-access.md) to your storage accounts for that identity. Then, when you worki on the compute instance, the managed identity is used automatically to authenticate against data stores.
+
+You can also use the managed identity manually to authenticate against other Azure resources. For example, to use it to get ARM access token, use following.
+
+```python
+import requests
+
+def get_access_token_msi(resource):
+    client_id = os.environ.get("DEFAULT_IDENTITY_CLIENT_ID", None)
+    resp = requests.get(f"{os.environ['MSI_ENDPOINT']}?resource={resource}&clientid={client_id}&api-version=2017-09-01", headers={'Secret': os.environ["MSI_SECRET"]})
+    resp.raise_for_status()
+    return resp.json()["access_token"]
+
+arm_access_token = get_access_token_msi("https://management.azure.com")
+```
+
 ## Add custom applications such as RStudio (preview)
 
 You can set up other applications, such as RStudio, when creating a compute instance. Follow these steps in studio to set up a custom application on your compute instance
@@ -437,7 +489,7 @@ You can set up other applications, such as RStudio, when creating a compute inst
 1.	Select **Add application** under the **Custom application setup (RStudio Workbench, etc.)** section
  
 :::image type="content" source="media/how-to-create-manage-compute-instance/custom-service-setup.png" alt-text="Screenshot showing Custom Service Setup.":::
- 
+
 ### Setup RStudio Workbench
 
 RStudio is one of the most popular IDEs among R developers for ML and data science projects. You can easily set up RStudio Workbench to run on your compute instance, using your own RStudio license, and access the rich feature set that RStudio Workbench offers.
