
Azure Machine Learning workspaces should use user-assigned managed identity#

Security · Machine Learning · Rule · 2023_12

ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity.

Description#

Manage access to the Azure ML workspace and its associated resources (Azure Container Registry, Key Vault, Storage and Application Insights) with a user-assigned managed identity. By default, an Azure ML workspace uses a system-assigned managed identity to access these resources; that identity is created with the workspace, cannot be referenced before the workspace exists, and is deleted with it. A user-assigned managed identity is an Azure resource in its own right, so you control its life cycle independently of the workspace: its role assignments can be granted before deployment and survive the workspace being recreated.

Recommendation#

Consider using a User-Assigned Managed Identity, as part of a broader security and lifecycle management strategy.

Examples#

Configure with Azure template#

To deploy an ML workspace that passes this rule:

  • Set the identity.type property to UserAssigned.
  • Reference the identity with identity.userAssignedIdentities.
  • Set the properties.primaryUserAssignedIdentity property value to the User-Assigned Managed Identity.

For example:

Azure Template snippet
{
  "type": "Microsoft.MachineLearningServices/workspaces",
  "apiVersion": "2023-04-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "basic",
    "tier": "basic"
  },
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example'))]": {}
    }
  },
  "properties": {
    "friendlyName": "[parameters('friendlyName')]",
    "keyVault": "[resourceId('Microsoft.KeyVault/vaults', 'example')]",
    "storageAccount": "[resourceId('Microsoft.Storage/storageAccounts', 'example')]",
    "applicationInsights": "[resourceId('Microsoft.Insights/components', 'example')]",
    "containerRegistry": "[resourceId('Microsoft.ContainerRegistry/registries', 'example')]",
    "publicNetworkAccess": "Disabled",
    "primaryUserAssignedIdentity": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example')]"
  }
}

Configure with Bicep#

To deploy an ML workspace that passes this rule:

  • Set the identity.type property to UserAssigned.
  • Reference the identity with identity.userAssignedIdentities.
  • Set the properties.primaryUserAssignedIdentity property value to the User-Assigned Managed Identity.

For example:

Azure Bicep snippet
resource workspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = {
  name: name
  location: location
  sku: {
    name: 'basic'
    tier: 'basic'
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    friendlyName: friendlyName
    keyVault: keyVault.id
    storageAccount: storageAccount.id
    applicationInsights: appInsights.id
    containerRegistry: containerRegistry.id
    publicNetworkAccess: 'Disabled'
    primaryUserAssignedIdentity: identity.id
  }
}
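The three settings listed in the template and Bicep sections above can be verified before deployment without any Azure access. The following script is an added example, not part of this page or of the PSRule project, and it is not the implementation of the rule itself: it re-states the page's three conditions as an offline check over an ARM template (Bicep can be compiled to ARM JSON first with `az bicep build --file main.bicep`). The resource IDs, resource names and template contents below are constructed sample input, and the check compares identity references as literal resource IDs; it does not evaluate ARM template expressions such as `[resourceId(...)]`.

```python
"""Offline pre-deployment check for Azure ML workspace identity settings.

Added example implementing the three conditions from the page:
  1. identity.type is 'UserAssigned'
  2. identity.userAssignedIdentities references at least one identity
  3. properties.primaryUserAssignedIdentity is set and is one of the
     identities referenced in (2)
Identity references are compared as literal resource IDs; ARM template
expressions are not evaluated (assumption: the template has been compiled
or parameter-resolved first).
"""
import json

ML_WORKSPACE_TYPE = "Microsoft.MachineLearningServices/workspaces"


def check_workspace(resource: dict) -> list[str]:
    """Return the findings for one workspace resource; an empty list means pass."""
    findings = []
    identity = resource.get("identity") or {}
    props = resource.get("properties") or {}

    # Condition 1: an unset identity block means Azure creates a
    # system-assigned identity by default, so treat it as a failure too.
    identity_type = identity.get("type", "")
    if identity_type != "UserAssigned":
        findings.append(
            f"identity.type is {identity_type or 'unset'!r}; expected 'UserAssigned'"
        )

    # Condition 2: resource IDs are case-insensitive, so normalise before comparing.
    referenced = {k.lower() for k in (identity.get("userAssignedIdentities") or {})}
    if not referenced:
        findings.append("identity.userAssignedIdentities references no identity")

    # Condition 3: the primary identity must be one the workspace actually holds.
    primary = props.get("primaryUserAssignedIdentity")
    if not primary:
        findings.append("properties.primaryUserAssignedIdentity is not set")
    elif referenced and primary.lower() not in referenced:
        findings.append(
            "properties.primaryUserAssignedIdentity is not one of the identities "
            "listed in identity.userAssignedIdentities"
        )
    return findings


def check_template(template: dict) -> dict[str, list[str]]:
    """Check every ML workspace in an ARM template; results are keyed by resource name."""
    results = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() == ML_WORKSPACE_TYPE.lower():
            results[res.get("name", "<unnamed>")] = check_workspace(res)
    return results


def check_template_file(path: str) -> dict[str, list[str]]:
    """Load an ARM template JSON file from disk and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_template(json.load(fh))


# Constructed sample input: a placeholder subscription and resource group.
UAI_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ml"
    "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/example"
)

SAMPLE_TEMPLATE = {
    "resources": [
        {   # passes: user-assigned identity referenced and set as primary
            "type": ML_WORKSPACE_TYPE,
            "apiVersion": "2023-04-01",
            "name": "ws-pass",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {UAI_ID: {}},
            },
            "properties": {"primaryUserAssignedIdentity": UAI_ID},
        },
        {   # fails: relies on the default system-assigned identity
            "type": ML_WORKSPACE_TYPE,
            "apiVersion": "2023-04-01",
            "name": "ws-fail",
            "identity": {"type": "SystemAssigned"},
            "properties": {},
        },
    ]
}

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("  - " + finding)
```

Run it against a compiled template with `check_template_file("main.json")` in a pre-deployment pipeline step; any non-empty findings list is a workspace that would fall back to, or partly rely on, the system-assigned identity.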
