
I need to secure my ML endpoints in Azure based on user credentials and user access.

Right now, we are authorising based on a service principal account, but now we want to test for each user.

I can see the documentation for the REST API to get the access_token to make REST API requests to ARM (Azure Resource Manager) for a service principal account, but not for any Azure user.

So any pointers on whether this can be achieved or not?

So, basically, what I am trying to do is this:

  1. When a user tries to access the endpoint, it is his credentials which need to be validated to decide whether he can access the API or not.
  2. So what I see is that any number of users can be added to a workspace, but not all users might have access to the scoring endpoint request.
  3. In that case, only allowed users should be able to make the request and other users should be denied.
Onki

1 Answer


To generate an access token based on user credentials, you can make use of the ROPC flow.

While calling the API with that token, validation will be done depending on the Azure user's roles or permissions.

I tried to reproduce the same in my environment and got the below results:

I created one Azure AD application and granted consent to API permissions like below:


I got the access token successfully via Postman using user credentials with parameters like below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id:44xxxx450-xxxx-4be1-axxb-e7xxxxxxxx
grant_type:password
scope:https://management.azure.com/.default
username:sricontri@tenant.onmicrosoft.com
password:xxxxxxxxx

Response:


Using the above access token, the user can make REST API requests to Azure Resource Manager successfully like below:

//To fetch list of resource groups present in the subscription
GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups?api-version=2021-04-01

Response:


Please note that the above user has the Contributor role on the subscription, which allowed the user to make the request.

Now, I generated a token for a different Azure user via Postman in the same way as below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id:44xxxx450-xxxx-4be1-axxb-e7xxxxxxxx
grant_type:password
scope:https://management.azure.com/.default
username:sridemo@tenant.onmicrosoft.com
password:xxxxxxxxx

Response:


When the user included the above token to make the same request, access was denied with a 403 Forbidden error like below:

GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups?api-version=2021-04-01

Response:


Please note that the above user doesn't have the required roles or permissions to access Azure resources, which is why the request was denied.

Sridevi
  • Wow, you narrowed down my pain to a greater extent. Thanks Sridevi. I will drill down on this more and get back to you if I have more questions. Thanks – Onki Oct 11 '22 at 06:36
  • @Sridevi, I can see that you have given Contributor access to the user on the subscription. Can we narrow down the access more? Like if the subscription has 3 workspaces, then the user should be allowed to access only the 1 workspace which he has created. Also, let's say the user has 1 workspace which is being shared by multiple users; then how can we restrict the access to endpoints differently for each user? Any pointers to the documentation will be helpful, if you know any. – Onki Oct 11 '22 at 06:48
  • You can restrict access by assigning the role at **workspace** scope instead of subscription level, based on your requirement. Please refer to [this](https://learn.microsoft.com/en-us/azure/machine-learning/how-to-assign-roles?tabs=labeler). – Sridevi Oct 11 '22 at 07:05
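As an added example (not code from the original question or answer), here is the ROPC token request and the ARM probe from the answer wrapped in a small standard-library Python helper. Tenant ID, client ID, subscription ID and the user credentials are placeholders the caller supplies; the HTTP transport is injectable so the outcome mapping (200 allowed, 401 bad token, 403 no RBAC at that scope) can be exercised offline with stubbed responses.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Transport signature: (method, url, headers, body) -> (status, response_text).
# Injectable so the logic can be tested without hitting login.microsoftonline.com.
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]

ARM_SCOPE = "https://management.azure.com/.default"


def _urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Default transport using only the standard library; returns error bodies too."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx from AAD and ARM carry a JSON error body
        return err.code, err.read().decode()


def ropc_token_request(tenant_id: str, client_id: str, username: str,
                       password: str, scope: str = ARM_SCOPE) -> Tuple[str, bytes]:
    """Build the v2.0 token endpoint URL and form body used in the answer (grant_type=password).
    Caveat: ROPC passes the user's password through your app and is refused for
    accounts protected by MFA or Conditional Access, so it is for testing, not production."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"client_id": client_id, "grant_type": "password", "scope": scope,
            "username": username, "password": password}
    return url, urllib.parse.urlencode(form).encode()


def acquire_user_token(tenant_id: str, client_id: str, username: str, password: str,
                       transport: Transport = _urllib_transport) -> str:
    """POST the ROPC request and return the bearer access_token, or raise on failure."""
    url, body = ropc_token_request(tenant_id, client_id, username, password)
    status, text = transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise PermissionError(f"token request failed: HTTP {status}: {text}")
    return json.loads(text)["access_token"]


def check_arm_access(token: str, subscription_id: str, transport: Transport = _urllib_transport) -> str:
    """List resource groups as in the answer and map the status to an RBAC outcome."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           "/resourceGroups?api-version=2021-04-01")
    status, _ = transport("GET", url, {"Authorization": f"Bearer {token}"}, b"")
    return {200: "allowed", 401: "invalid-token", 403: "no-rbac-at-scope"}.get(status, f"http-{status}")
```

With real values, `check_arm_access(acquire_user_token(...), "<subscriptionID>")` returns `"allowed"` for the Contributor user and `"no-rbac-at-scope"` for the user without a role assignment, matching the two Postman runs above.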