From 6b0b574e2109217ca22d91c724becd8bf54b5984 Mon Sep 17 00:00:00 2001
From: Abdul-Microsoft
Date: Fri, 9 May 2025 17:27:40 +0530
Subject: [PATCH 1/3] fix for disable local auth issues

---
 infra/deploy_ai_foundry.bicep | 11 ++++-------
 infra/main.bicep | 11 ++++++++++-
 infra/main.json | 23 +++++++++++++++++------
 3 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/infra/deploy_ai_foundry.bicep b/infra/deploy_ai_foundry.bicep
index 328a37ea..a922a6b1 100644
--- a/infra/deploy_ai_foundry.bicep
+++ b/infra/deploy_ai_foundry.bicep
@@ -6,7 +6,7 @@ param gptModelName string
 param gptModelVersion string
 param managedIdentityObjectId string
 param aiServicesEndpoint string
-param aiServices object
+param aiServicesKey string
 param aiServicesId string

 var storageName = '${solutionName}hubstorage'
@@ -133,11 +133,8 @@ resource aiHub 'Microsoft.MachineLearningServices/workspaces@2023-08-01-preview'
 properties: {
 category: 'AIServices'
 target: aiServicesEndpoint
- authType: 'ApiKey'
+ authType: 'AAD'
 isSharedToAll: true
- credentials: {
- key: aiServices.Key.key1
- }
 metadata: {
 ApiType: 'Azure'
 ResourceId: aiServicesId
@@ -187,7 +184,7 @@ resource azureOpenAIApiKeyEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-01-pr
 parent: keyVault
 name: 'AZURE-OPENAI-KEY'
 properties: {
- value: aiServices.Key.key1 //aiServices_m.listKeys().key1
+ value: aiServicesKey //aiServices_m.listKeys().key1
 }
 }

@@ -251,7 +248,7 @@ resource cogServiceKeyEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-01-previe
 parent: keyVault
 name: 'COG-SERVICES-KEY'
 properties: {
- value: aiServices.Key.key1
+ value: aiServicesKey
 }
 }

diff --git a/infra/main.bicep b/infra/main.bicep
index cdaf6ddd..dd9253ce 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
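Review bot: In `infra/deploy_ai_foundry.bicep` (hunk at -6,7), the new `param aiServicesKey string` carries an account key but is not marked secure. Its value is therefore stored with the module deployment's parameters, and anyone who can read deployments on the resource group can read it back. Put `@secure()` on the line above `param aiServicesKey string`. The same parameter feeds the `AZURE-OPENAI-KEY` and `COG-SERVICES-KEY` secrets in the later hunks, so the one decorator covers both uses.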
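Review bot: In `infra/deploy_ai_foundry.bicep`, the `AZURE-OPENAI-KEY` secret (hunk at -187,7) and `COG-SERVICES-KEY` (hunk at -251,7) are still populated with the account key. That sits oddly with the connection moving to `authType: 'AAD'` in the previous hunk and with a commit subject about disabling local auth. If key access is meant to be off, these secrets store a credential nothing should be using; if a consumer still needs them, that is not visible in this patch and deserves a comment such as `// still required by <consumer>; remove once it uses Entra ID`. The trailing `//aiServices_m.listKeys().key1` comment is stale and can be dropped. Both resource declarations start outside their hunks.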
@@ -168,7 +168,7 @@ module aifoundry 'deploy_ai_foundry.bicep' = {
 gptModelVersion: gptModelVersion
 managedIdentityObjectId: managedIdentityModule.outputs.managedIdentityOutput.objectId
 aiServicesEndpoint: aiServices.properties.endpoint
- aiServices: aiServices
+ aiServicesKey: aiServices.listKeys().key1
 aiServicesId: aiServices.id
 }
 scope: resourceGroup(resourceGroup().name)
@@ -462,6 +462,15 @@ resource aiDeveloperAccessProj 'Microsoft.Authorization/roleAssignments@2022-04-
 }
 }

+resource aiDevelopertoAIProject 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(aiServices.name, aiHubProject.id, aiDeveloper.id)
+ scope: aiServices
+ properties: {
+ roleDefinitionId: aiDeveloper.id
+ principalId: aiHubProject.identity.principalId
+ }
+}
+
 var cosmosAssignCli = 'az cosmosdb sql role assignment create --resource-group "${resourceGroup().name}" --account-name "${cosmos.name}" --role-definition-id "${cosmos::contributorRoleDefinition.id}" --scope "${cosmos.id}" --principal-id "${containerApp.identity.principalId}"'

 module managedIdentityModule 'deploy_managed_identity.bicep' = {
diff --git a/infra/main.json b/infra/main.json
index ccecd875..5856f035 100644
--- a/infra/main.json
+++ b/infra/main.json
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.35.1.17967", - "templateHash": "18228555099764132241" + "templateHash": "8798142813454376636" } }, "parameters": {
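Review bot: In `infra/main.bicep` (hunk at -168,7), `aiServicesKey: aiServices.listKeys().key1` makes every deployment depend on key listing succeeding on the account. The account's `disableLocalAuth` setting is not visible in this patch. If it is `true`, or is later set to `true`, I would expect the key listing to be rejected and the deployment to fail, which defeats the purpose stated in the commit subject. At minimum, record the dependency next to the call: `// listKeys() requires key (local) auth to be enabled on aiServices`. Better, stop passing the key once the Key Vault secrets that consume it are no longer needed.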
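Review bot: In `infra/main.bicep` (hunk at -462,6), the new `aiDevelopertoAIProject` role assignment omits `principalType`. Its `principalId` is the identity of `aiHubProject`, which may have been created moments earlier in the same deployment. Without the type hint the assignment can fail intermittently with a principal-not-found error while the identity is still replicating. Add `principalType: 'ServicePrincipal'` below `principalId: aiHubProject.identity.principalId`. The reworked assignment in `deploy_ai_foundry.bicep` in PATCH 2/3 has the same omission.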
@@ -546,6 +546,20 @@ "containerApp" ] }, + "aiDevelopertoAIProject": { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', variables('aiServicesName'))]", + "name": "[guid(variables('aiServicesName'), resourceId('Microsoft.MachineLearningServices/workspaces', format('{0}-aiproject', parameters('prefix'))), resourceId('Microsoft.Authorization/roleDefinitions', '64702f94-c441-49e6-a78b-ef80e0188fee'))]", + "properties": { + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '64702f94-c441-49e6-a78b-ef80e0188fee')]", + "principalId": "[reference('aiHubProject', '2024-01-01-preview', 'full').identity.principalId]" + }, + "dependsOn": [ + "aiHubProject", + "aiServices" + ] + }, "kvault": { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -712,7 +726,7 @@ "_generator": { "name": "bicep", "version": "0.35.1.17967", - "templateHash": "9490638595753234802" + "templateHash": "12578060348489775267" } }, "parameters": { @@ -767,11 +781,8 @@ "properties": { "category": "AIServices", "target": "[parameters('aiServicesEndpoint')]", - "authType": "ApiKey", + "authType": "AAD", "isSharedToAll": true, - "credentials": { - "key": "[parameters('aiServicesKey')]" - }, "metadata": { "ApiType": "Azure", "ResourceId": "[parameters('aiServicesId')]"
From dc88a5c4b59f2f5b85469cd955570c6720d0a7a1 Mon Sep 17 00:00:00 2001
From: Abdul-Microsoft
Date: Tue, 13 May 2025 08:39:25 +0530
Subject: [PATCH 2/3] refactor: update AI project role assignment

---
 infra/deploy_ai_foundry.bicep | 13 +++++++++++++
 infra/main.bicep | 9 ---------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/infra/deploy_ai_foundry.bicep b/infra/deploy_ai_foundry.bicep
index a922a6b1..217c4bba 100644
--- a/infra/deploy_ai_foundry.bicep
+++ b/infra/deploy_ai_foundry.bicep
@@ -156,6 +156,19 @@ resource aiHubProject 'Microsoft.MachineLearningServices/workspaces@2024-01-01-p
 }
 }

+resource aiDeveloper 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+ name: '64702f94-c441-49e6-a78b-ef80e0188fee'
+}
+
+resource aiDevelopertoAIProject 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(aiHubProject.id, aiDeveloper.id)
+ scope: resourceGroup()
+ properties: {
+ roleDefinitionId: aiDeveloper.id
+ principalId: aiHubProject.identity.principalId
+ }
+}
+
 resource tenantIdEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
 parent: keyVault
 name: 'TENANT-ID'
diff --git a/infra/main.bicep b/infra/main.bicep
index dd9253ce..fb912167 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -462,15 +462,6 @@ resource aiDeveloperAccessProj 'Microsoft.Authorization/roleAssignments@2022-04-
 }
 }

-resource aiDevelopertoAIProject 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid(aiServices.name, aiHubProject.id, aiDeveloper.id)
- scope: aiServices
- properties: {
- roleDefinitionId: aiDeveloper.id
- principalId: aiHubProject.identity.principalId
- }
-}
-
 var cosmosAssignCli = 'az cosmosdb sql role assignment create --resource-group "${resourceGroup().name}" --account-name "${cosmos.name}" --role-definition-id "${cosmos::contributorRoleDefinition.id}" --scope "${cosmos.id}" --principal-id "${containerApp.identity.principalId}"'

 module managedIdentityModule 'deploy_managed_identity.bicep' = {
From 9eee75a3dd2ea6760d28630b397a12b4899ab698 Mon Sep 17 00:00:00 2001
From: Abdul-Microsoft
Date: Tue, 13 May 2025 19:03:19 +0530
Subject: [PATCH 3/3] fix: update main.json

---
 infra/main.json | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/infra/main.json b/infra/main.json
index 5856f035..bca17cfa 100644
--- a/infra/main.json
+++ b/infra/main.json
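Review bot: In `infra/deploy_ai_foundry.bicep` (PATCH 2/3, hunk at -156,6), moving `aiDevelopertoAIProject` into the module changed `scope: aiServices` to `scope: resourceGroup()`. The project's managed identity now holds role `64702f94-c441-49e6-a78b-ef80e0188fee` on every resource in the group instead of on the AI Services account alone. Unless the wider grant is needed for something not shown here, keep the narrow scope: declare the account as an `existing` resource in this module (its id already arrives as `aiServicesId`) and use that symbol as `scope:`. Also include the account id in the `guid(...)` name so the name stays tied to the scope. A one-line comment above `aiDeveloper`, e.g. `// Built-in role: Azure AI Developer`, would save reviewers from looking up the GUID.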
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.35.1.17967", - "templateHash": "8798142813454376636" + "templateHash": "4778084734742710121" } }, "parameters": { @@ -546,20 +546,6 @@ "containerApp" ] }, - "aiDevelopertoAIProject": { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', variables('aiServicesName'))]", - "name": "[guid(variables('aiServicesName'), resourceId('Microsoft.MachineLearningServices/workspaces', format('{0}-aiproject', parameters('prefix'))), resourceId('Microsoft.Authorization/roleDefinitions', '64702f94-c441-49e6-a78b-ef80e0188fee'))]", - "properties": { - "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '64702f94-c441-49e6-a78b-ef80e0188fee')]", - "principalId": "[reference('aiHubProject', '2024-01-01-preview', 'full').identity.principalId]" - }, - "dependsOn": [ - "aiHubProject", - "aiServices" - ] - }, "kvault": { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -726,7 +712,7 @@ "_generator": { "name": "bicep", "version": "0.35.1.17967", - "templateHash": "12578060348489775267" + "templateHash": "14561153070486462167" } }, "parameters": { 
@@ -908,6 +894,18 @@ "[resourceId('Microsoft.MachineLearningServices/workspaces', variables('aiHubName'))]" ] }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceId('Microsoft.MachineLearningServices/workspaces', variables('aiProjectName')), resourceId('Microsoft.Authorization/roleDefinitions', '64702f94-c441-49e6-a78b-ef80e0188fee'))]", + "properties": { + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '64702f94-c441-49e6-a78b-ef80e0188fee')]", + "principalId": "[reference(resourceId('Microsoft.MachineLearningServices/workspaces', variables('aiProjectName')), '2024-01-01-preview', 'full').identity.principalId]" + }, + "dependsOn": [ + "[resourceId('Microsoft.MachineLearningServices/workspaces', variables('aiProjectName'))]" + ] + }, { "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2021-11-01-preview",