I need to secure my ML endpoints in Azure based on user credentials and user access.
Right now we are authorising based on a service principal account, but now we want to test for each user.
I can see the documentation for the REST API to get the access_token to make REST API requests to ARM (Azure Resource Manager) for a service principal account, but not for any Azure user.
So, any pointers on whether this can be achieved or not?
So, basically what I am trying to do is this:
- when a user tries to access the endpoint, it is his credentials which need to be validated to decide whether he can access the API or not,
- so what I see is that any number of users can be added to a workspace, but not all users might have access to the scoring endpoint request,
- in that case, only allowed users should be able to make the request and other users should be denied.
To generate an access token based on user credentials, you can make use of the ROPC flow. While calling the API with that token, validation will be done depending on the Azure user's roles or permissions.
I tried to reproduce the same in my environment and got the results below:
I created one Azure AD application and granted consent to API permissions like below:
I got the access token successfully via Postman using user credentials with parameters like below:
Response:
Using the above access token, the user can make REST API requests to Azure Resource Manager successfully like below:
Response:
Please note that the above user has the Contributor role on the subscription, which allowed the user to make the request.
Now, I generated a token for a different Azure user via Postman in the same way as below:
Response:
When the user included the above token to make the same request, access is denied with a 403 Forbidden error like below:
Response:
Please note that the above user doesn't have the required roles or permissions to access Azure resources, which denied the request.
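The flow the answer walks through in Postman, written out as a script. This is an added example, not code from the answer's author or from Microsoft: the tenant id, client id, subscription id and user names are placeholders, the ARM call chosen is the resource-group list (any ARM request the user's role does or does not cover would behave the same way), and the AAD and ARM response bodies at the bottom are constructed samples whose shape matches what the two services return. It builds the ROPC token request (grant_type=password against the v2.0 token endpoint), sends the resulting bearer token to ARM, and maps ARM's 200 / 401 / 403 answers to an allow or deny verdict, so the 403 AuthorizationFailed case from the second user above is handled rather than just printed.

```python
"""ROPC sign-in for a named user, then let ARM enforce that user's RBAC roles."""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AUTHORITY = "https://login.microsoftonline.com"
ARM_BASE = "https://management.azure.com"
ARM_SCOPE = "https://management.azure.com/.default"  # audience = Azure Resource Manager


def build_ropc_request(tenant_id, client_id, username, password,
                       scope=ARM_SCOPE, client_secret=None):
    """Build the v2.0 token request for the resource owner password credentials
    grant: a form POST to the tenant's token endpoint. client_secret is only
    required when the app registration is a confidential (web) client."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
    }
    if client_secret:
        form["client_secret"] = client_secret
    return url, urlencode(form).encode()


def parse_token_response(status, body):
    """Return the bearer token from the token endpoint's JSON body, or raise
    with the AAD error code when the grant failed (wrong password, MFA required)."""
    if status == 200 and "access_token" in body:
        return body["access_token"]
    raise PermissionError(f"{body.get('error')}: {body.get('error_description')}")


def build_arm_request(token, subscription_id, api_version="2021-04-01"):
    """GET the subscription's resource groups; the user's token goes in the
    Authorization header exactly as in the Postman request above."""
    url = (f"{ARM_BASE}/subscriptions/{subscription_id}/resourcegroups"
           f"?api-version={api_version}")
    return url, {"Authorization": f"Bearer {token}"}


def authorization_outcome(status, body):
    """Classify ARM's answer. 200: a role assignment covers the action on this
    scope. 403 AuthorizationFailed: the token was valid but the user has no
    role granting the action (the second user above). 401: the token itself
    was rejected (expired, wrong audience, missing)."""
    if status == 200:
        return {"allowed": True, "reason": "ok"}
    if status == 401:
        return {"allowed": False, "reason": "401: token missing, expired or for the wrong audience"}
    if status == 403:
        code = (body or {}).get("error", {}).get("code", "unknown")
        return {"allowed": False, "reason": f"403 {code}: no role assignment on this scope"}
    return {"allowed": False, "reason": f"unexpected status {status}"}


def _http_json(url, data=None, headers=None):
    """Minimal transport: POST when data is given, GET otherwise; returns (status, JSON)."""
    req = Request(url, data=data, headers=headers or {})
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        raw = err.read()
        return err.code, json.loads(raw) if raw else {}


def check_user_access(tenant_id, client_id, username, password, subscription_id):
    """End to end: sign the user in with ROPC, call ARM, report allow/deny."""
    url, data = build_ropc_request(tenant_id, client_id, username, password)
    token = parse_token_response(*_http_json(url, data))
    url, headers = build_arm_request(token, subscription_id)
    return authorization_outcome(*_http_json(url, headers=headers))


# Constructed sample responses: the field names match AAD/ARM, the values are made up.
SAMPLE_TOKEN_OK = {"token_type": "Bearer", "expires_in": 3599,
                   "access_token": "eyJ0eXAi.example.token"}
SAMPLE_TOKEN_BAD = {"error": "invalid_grant",
                    "error_description": "AADSTS50126: Error validating credentials "
                                         "due to invalid username or password."}
SAMPLE_ARM_403 = {"error": {"code": "AuthorizationFailed",
                            "message": "The client 'bob@contoso.example' with object id "
                                       "'00000000-0000-0000-0000-000000000000' does not have "
                                       "authorization to perform action "
                                       "'Microsoft.Resources/subscriptions/resourcegroups/read' "
                                       "over scope '/subscriptions/<placeholder>'"}}

if __name__ == "__main__":
    # Offline demonstration on the constructed bodies; check_user_access() needs a real tenant.
    print(authorization_outcome(200, {"value": []}))
    print(authorization_outcome(403, SAMPLE_ARM_403))
```

Two points worth keeping in mind when wiring this in: ROPC only works for the tenant's own work or school accounts and fails outright for users who must satisfy MFA or a conditional access policy, which surfaces in parse_token_response as an AADSTS error rather than a token; and the allow/deny decision is made entirely by ARM from the user's role assignments, so the script never has to know who is allowed, only whether the per-user token was accepted for the action.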