fix: grant eval RBAC to Foundry managed identities #229

Merged
placerda merged 1 commit into develop from fix/foundry-managed-identity-rbac
Jun 1, 2026

placerda (Contributor) commented Jun 1, 2026

What

Fixes the remaining step-17 RBAC gap discovered during the prompt-agent quickstart recording. v0.3.6 correctly warned when graders errored, but the root cause was broader than user RBAC: cloud eval server-side calls can authenticate as Foundry/Azure AI managed identities on the AI Services account and child Foundry project.

Changes

  • Update prompt-agent, hosted-agent, and end-to-end tutorials to grant Cognitive Services OpenAI User to:
    • the signed-in user, and
    • every managed identity in the Foundry resource group.
  • Update the packaged agentops-eval skill Step 0.5 to perform the same idempotent managed-identity role assignment automatically.
  • Sync the plugin skill copy.
  • Add changelog entry.

Validation

  • Re-ran the actual tutorial step 17 after assigning the managed-identity RBAC: Threshold status: PASSED.
  • python -m pytest tests/unit/test_skills.py tests/unit/test_skills_sync.py -q -> 64 passed.
  • python -m pytest tests/ -x -q -> 836 passed, 1 skipped.

Cloud evaluations run server-side and some agent or grader calls authenticate as the managed identities on the AI Services account and child Foundry project, not only as the signed-in user. Granting Cognitive Services OpenAI User only to the user can still produce grader AuthenticationError warnings/failures even when every computable threshold passes.

Update the prompt-agent, hosted-agent, and end-to-end tutorials plus the packaged agentops-eval skill to assign the data-plane role to all managed identities in the Foundry resource group as well as the user. Sync the plugin skill copy and document the fix in the changelog.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
placerda merged commit b5cdb2d into develop Jun 1, 2026
12 checks passed
placerda deleted the fix/foundry-managed-identity-rbac branch June 1, 2026 20:38
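
The idempotent role assignment this PR describes can be previewed before anything is granted. The following is an added example, not the AgentOps skill's own code: it takes the principals to cover and the existing assignments, and returns only the ones that still lack Cognitive Services OpenAI User at or above the target scope. It assumes the target scope is the AI Services account, that records use the principalId, roleDefinitionName and scope fields found in `az role assignment list` output, and all IDs are constructed placeholders.

```python
import shlex

ROLE = "Cognitive Services OpenAI User"  # role named in the PR description

def covers(assigned_scope, target_scope):
    """A role assignment applies at its scope and at every scope below it."""
    a, t = assigned_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def missing_assignments(principals, existing, target_scope, role=ROLE):
    """Principals that do not yet hold `role` at or above `target_scope`."""
    have = {e["principalId"].lower() for e in existing
            if e["roleDefinitionName"] == role and covers(e["scope"], target_scope)}
    todo, seen = [], set()
    for p in principals:
        pid = p["principalId"].lower()
        if pid not in have and pid not in seen:
            seen.add(pid)
            todo.append(p)
    return todo

def to_commands(todo, target_scope, role=ROLE):
    """Render one `az role assignment create` per missing principal."""
    return [" ".join(["az role assignment create",
                      "--assignee-object-id", shlex.quote(p["principalId"]),
                      "--assignee-principal-type", shlex.quote(p["principalType"]),
                      "--role", shlex.quote(role),
                      "--scope", shlex.quote(target_scope)]) for p in todo]

# Constructed sample data (placeholder IDs and names, not from the PR).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ACCOUNT = RG + "/providers/Microsoft.CognitiveServices/accounts/ais-demo"
PRINCIPALS = [
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "User"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "ServicePrincipal"},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "ServicePrincipal"},
]
EXISTING = [
    # User holds the role at resource-group scope: inherited by the account.
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": ROLE, "scope": RG.upper()},
    # Managed identity holds a different role: does not satisfy the check.
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Reader", "scope": ACCOUNT},
    # Managed identity holds the role on a sibling account: does not count.
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionName": ROLE, "scope": ACCOUNT + "2"},
]

if __name__ == "__main__":
    for cmd in to_commands(missing_assignments(PRINCIPALS, EXISTING, ACCOUNT), ACCOUNT):
        print(cmd)
```

Reviewing the rendered commands before running them shows exactly which managed identities in the resource group would receive the data-plane role.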