# Access Azure resources from an online endpoint with a user-assigned managed identity

Additional packages are required for this example including 
* azure.mgmt.msi
* azure.mgmt.storage

Install them with the following code:

In [None]:
!pip install azure-mgmt-msi
!pip install azure-mgmt-storage

## 1. Configure variables

### 1.1 Assign variables for the workspace and deployment

In [None]:
subscription_id = "<SUBSCRIPTION_ID>"
resource_group = "<RESOURCE_GROUP>"
workspace_name = "<AML_WORKSPACE_NAME>"

endpoint_name = "<ENDPOINT_NAME>"

### 1.2 Specify the storage details and file to access
A text file is located in the `managed-identities` folder called `hello.txt`. 

In [None]:
storage_account_name = "<STORAGE_ACCOUNT_NAME>"
storage_container_name = "<CONTAINER_TO_ACCESS>"
file_name = "<FILE_TO_ACCESS>"

### 1.3 Decide on the name of your user identity:

In [None]:
uai_name = "<USER_ASSIGNED_IDENTITY_NAME>"

### 1.4 Retrieve the workspace location:

In [None]:
from azure.ai.ml import MLClient
from azure.identity import DefaultAzureCredential, AzureCliCredential
from azure.ai.ml.entities import (
    ManagedOnlineDeployment,
    ManagedOnlineEndpoint,
    Model,
    CodeConfiguration,
    Environment,
)

credential = AzureCliCredential()
ml_client = MLClient(credential, subscription_id, resource_group, workspace_name)

workspace_location = ml_client.workspaces.get(workspace_name).location

## 2. Configure deployment

### 2.1 Define an endpoint configuration

In [None]:
endpoint = ManagedOnlineEndpoint(name=endpoint_name, auth_mode="key")

### 2.2 Define a deployment configuration

In [None]:
deployment = ManagedOnlineDeployment(
    name="blue",
    endpoint_name=endpoint_name,
    model=Model(path="../../model-1/model/"),
    code_configuration=CodeConfiguration(
        code="../../model-1/onlinescoring/", scoring_script="score_managedidentity.py"
    ),
    environment=Environment(
        conda_file="../../model-1/environment/conda.yml",
        image="mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1",
    ),
    instance_type="Standard_DS2_v2",
    instance_count=1,
    environment_variables={
        "STORAGE_ACCOUNT_NAME": storage_account_name,
        "STORAGE_CONTAINER_NAME": storage_container_name,
        "FILE_NAME": file_name,
        # We will update this after creating an identity
        "UAI_CLIENT_ID": "uai_client_id_place_holder",
    },
)

## 3. Create the managed identity

### 3.1 Get a handle to the `ManagedServiceIdentityClient`

In [None]:
from azure.identity import DefaultAzureCredential
from azure.mgmt.msi import ManagedServiceIdentityClient
from azure.mgmt.msi.models import Identity

credential = DefaultAzureCredential()
msi_client = ManagedServiceIdentityClient(
    subscription_id=subscription_id,
    credential=credential,
)

### 3.2 Create the identity

In [None]:
msi_client.user_assigned_identities.create_or_update(
    resource_group_name=resource_group,
    resource_name=uai_name,
    parameters=Identity(location=workspace_location),
)

### 3.3 Retrieve the identity object

In [None]:
uai_identity = msi_client.user_assigned_identities.get(
    resource_group_name=resource_group,
    resource_name=uai_name,
)

## 4. Create storage account and container

### 4.1 Get a handle to the `StorageManagementclient`

In [None]:
from azure.identity import DefaultAzureCredential, AzureCliCredential
from azure.mgmt.storage import StorageManagementClient
from azure.storage.blob import ContainerClient
from azure.mgmt.storage.models import Sku, StorageAccountCreateParameters, BlobContainer

credential = AzureCliCredential()
storage_client = StorageManagementClient(
    credential=credential, subscription_id=subscription_id
)

### 4.2 Define and create the storage account

In [None]:
storage_account_parameters = StorageAccountCreateParameters(
    sku=Sku(name="Standard_LRS"), kind="Storage", location=workspace_location
)

poller = storage_client.storage_accounts.begin_create(
    resource_group_name=resource_group,
    account_name=storage_account_name,
    parameters=storage_account_parameters,
)

poller.wait()

storage_account = poller.result()

### 4.3 Create a blob container

In [None]:
blob_container = storage_client.blob_containers.create(
    resource_group_name=resource_group,
    account_name=storage_account_name,
    container_name=storage_container_name,
    blob_container=BlobContainer(),
)

### 4.4 Get the storage account key and create a `ContainerClient`

In [None]:
res = storage_client.storage_accounts.list_keys(
    resource_group_name=resource_group,
    account_name=storage_account_name,
)
key = res.keys[0].value

container_client = ContainerClient(
    account_url=storage_account.primary_endpoints.blob,
    container_name=storage_container_name,
    credential=key,
)

### 4.5 Upload a blob to the container

In [None]:
file_path = "hello.txt"
with open(file_path, "rb") as f:
    container_client.upload_blob(name=file_name, data=f.read())

## 5. Create an online endpoint

In [None]:
endpoint = ml_client.online_endpoints.begin_create_or_update(endpoint)

In [None]:
# Update its identity
endpoint.identity = endpoint.identity.from_dict(
    {"type": "UserAssigned", "user_assigned_identities": {uai_identity.id: {}}}
)

endpoint = ml_client.online_endpoints.begin_create_or_update(endpoint)

In [None]:
endpoint.identity.as_dict()

## 6. Give access permission to the managed identity

### 6.1 Get a handle to the AuthorizationManagementClient

In [None]:
from azure.mgmt.authorization import AuthorizationManagementClient
from azure.mgmt.authorization.models import (
    RoleAssignment,
    RoleDefinition,
    RoleAssignmentCreateParameters,
    RoleAssignmentProperties,
    RoleAssignmentPropertiesWithScope,
)
import uuid

auth_client = AuthorizationManagementClient(
    credential=credential, subscription_id=subscription_id
)

### 6.2 Get User-assigned identity details

In [None]:
uai_identity = msi_client.user_assigned_identities.get(
    resource_group_name=resource_group, resource_name=uai_name
)
uai_principal_id = uai_identity.principal_id
uai_client_id = uai_identity.client_id

### 6.3 Give permission to the user storage account

In [None]:
role_name = "Storage Blob Data Reader"
scope = storage_account.id

role_defs = auth_client.role_definitions.list(scope=scope)
role_def = next((r for r in role_defs if r.role_name == role_name))

auth_client.role_assignments.create(
    scope=scope,
    role_assignment_name=uuid.uuid4(),
    parameters=RoleAssignmentProperties(
        role_definition_id=role_def.id, principal_id=uai_principal_id
    ),
)

### 6.4 Retrieve the workspace and container registry objects

In [None]:
workspace = ml_client.workspaces.get(workspace_name)
container_registry = workspace.container_registry

### 6.5 Give permission to the container registry

In [None]:
role_name = "AcrPull"
scope = container_registry

role_defs = auth_client.role_definitions.list(scope=scope)
role_def = next((r for r in role_defs if r.role_name == role_name))

auth_client.role_assignments.create(
    scope=scope,
    role_assignment_name=uuid.uuid4(),
    parameters=RoleAssignmentProperties(
        role_definition_id=role_def.id, principal_id=uai_principal_id
    ),
)

### 6.6  Give permission to the workspace storage account

In [None]:
role_name = "Storage Blob Data Reader"
scope = workspace.storage_account

role_defs = auth_client.role_definitions.list(scope=scope)
role_def = next((r for r in role_defs if r.role_name == role_name))

auth_client.role_assignments.create(
    scope=scope,
    role_assignment_name=uuid.uuid4(),
    parameters=RoleAssignmentProperties(
        role_definition_id=role_def.id, principal_id=uai_principal_id
    ),
)

## 7. Create a deployment with your configuration

### 7.1 Update the deployment configuration with the UAI Client ID

In [None]:
deployment.environment_variables['UAI_CLIENT_ID'] = uai_client_id

### 7.2 Create the deployment

In [None]:
deployment = ml_client.online_deployments.begin_create_or_update(deployment)

### 7.3 Check the status of the deployment

In [None]:
deployment.as_dict()

### 7.4 Get the deployment logs

In [None]:
ml_client.online_deployments.get_logs(deployment.name, deployment.endpoint_name, 1000)

## 8. Confirm your endpoint deployed successfully

In [None]:
sample_data = "../../model-1/sample-request.json"
ml_client.online_endpoints.invoke(endpoint_name=endpoint_name, request_file=sample_data)

## 9. Delete the endpoint and storage account

### 9.1 Delete the endpoint

In [None]:
ml_client.online_endpoints.begin_delete(endpoint_name)

### 9.2 Delete the storage account

In [None]:
storage_client.storage_accounts.delete(
    resource_group_name=resource_group, account_name=storage_account_name
)