Bicep Azure 机器学习自定义角色分配

您需要做两件事：创建自定义角色并分配角色。模板如下：

1. 获取现有的机器学习工作区。
2. 创建与示例中的 json 匹配的自定义角色。
3. 将其分配给参数中指定的主体。

targetScope = 'resourceGroup'

@description('Required. The machine learning workspace name.')
param machineLearningWorkspaceName string

@description('Required. The principal type to assign the custom role to.')
@allowed([
  'Device'
  'ForeignGroup'
  'Group'
  'ServicePrincipal'
  'User'
])
param roleAssignmentPrincipalType string

@description('Required. The principal id of the principal to assign the custom role to.')
param roleAssignmentPrincipalId string

// Get the existing machine learning workspace.
resource machineLearningWorkspace 'Microsoft.MachineLearning/workspaces@2019-10-01' existing = {
  name: machineLearningWorkspaceName
}

// Create the custom role definition.
resource dataScientistCustomRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: 'mlw-custom-role'
  properties: {
    roleName: 'Custom - Data Scientist'
    description: 'Can run experiments but can\'t create or delete compute.'
    permissions: [
      {
        actions: ['*']
        notActions: [
          'Microsoft.MachineLearningServices/workspaces/*/delete'
          'Microsoft.MachineLearningServices/workspaces/write'
          'Microsoft.MachineLearningServices/workspaces/computes/*/write'
          'Microsoft.MachineLearningServices/workspaces/computes/*/delete'
          'Microsoft.Authorization/*/write'
        ]
      }
    ]
    assignableScopes: [
      machineLearningWorkspace.id
    ]
  }
}

// Assign the role to a principal.
resource dataScientistCustomRoleRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: 'mlw-custom-role-assignment'
  scope: machineLearningWorkspace
  properties: {
    principalId: roleAssignmentPrincipalId
    principalType: roleAssignmentPrincipalType
    roleDefinitionId: dataScientistCustomRoleDefinition.id
  }
}