
Azure Language services is trying to create roles and I don't have the permission to do so


I am trying to deploy Azure Language Service (Custom text classification). However, I cannot create the resource that I want because the service is trying to assign roles. The reason for this is that it has access to the storage account. Obviously I do not have the permissions to do so because I work for a company. Is there some way to circumvent this? Is there a way to create the resource without needing the permission to assign roles?

As a side note: I do have the permission to create the resource to begin with.


Solution

    You have 2 options to use Custom text classification on Azure Language Service:

    1. use a newly created Azure Language Service resource and select "Custom text classification" during the setup of this resource
    2. use an existing Azure Language Service resource and enable "Custom text classification" on it (2 steps setup)

    In both cases, you will need the intervention of someone who can set up roles on resources, but the 2nd option needs fewer actions on their side (it's just role assignment versus resource creation for the 1st option).

    1 step resource setup

    In the 1st case (I guess the one you did), the process needs to set up the roles as you mentioned, and you are blocked as you don't have this permission.

    2 steps setup

    Procedure

    In the 2nd case, you could:

    • first create the Azure Language Service without selecting "Custom text classification" (see details below)
    • enable managed-identity on this resource
    • then create a Storage Account for later use with it
    • ask the admin to set the permissions on your storage
    • turn on "Custom text classification" on your Azure Language resource

    Azure Language Service resource setup

    Create resource

    • Don't select "Custom text classification" feature during creation
    • Region: "West US 2" or "West Europe"
    • Pricing: "Standard S"

    Enable managed-identity

    In Azure Portal, under the "Identity" tab, turn on managed identity (whether System Assigned or User Assigned, up to you). (Screenshot: enable managed identity.)

    After clicking "On" and saving, managed identity is enabled. (Screenshot: managed identity enabled.)

    Storage account setup

    Create resource

    Create your storage in the same region as your Language Service resource. (Screenshot: storage account creation.)

    Setup permissions

    Permissions are detailed here in the documentation.

    Your Azure blob storage account must have the below roles:

    • Your resource has the owner or contributor role on the storage account.
    • Your resource has the Storage blob data owner or Storage blob data contributor role on the storage account.
    • Your resource has the Reader role on the storage account.

    So you have to ask your "administrator" to go to the Storage account resource, "Access Control (IAM)" section, and add the roles to your previously enabled managed identity. By using the least privilege principle I would set the following roles:

    • Storage blob data contributor
    • Reader

    (Screenshot: example of the Storage Blob Data Contributor setup.)

    Finalize Azure Language Service setup

    Go to Language Studio (https://language.cognitive.azure.com/) and choose your language service resource. Then, go to "Custom text classification".

    Click "Create new project" and you will be guided to link your language service resource to your storage account.

    Select the Storage account and click next.

    You can check in the "Activity Log" of your Language Service resource that it linked the Storage to this resource.

    It added the "userOwnedStorage" property to the properties.

    Then you're good to go!
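
The following check is an added example, not part of the original answer: it audits the role assignments from the "Setup permissions" step so you can confirm what the administrator granted to the managed identity. It assumes the assignments were exported as JSON in the shape `az role assignment list --scope <storage-id> --include-inherited -o json` produces; the IDs and sample records are constructed placeholders, and `audit_identity_roles` is a hypothetical helper name.

```python
import json

# The two roles the answer above suggests granting under least privilege.
REQUIRED = {"Storage Blob Data Contributor", "Reader"}
# Broader roles the quoted documentation also accepts; flagged here as more than needed.
BROAD = {"Owner", "Contributor", "Storage Blob Data Owner"}

# Constructed sample values (placeholders, not real identifiers).
STORAGE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
              "/providers/Microsoft.Storage/storageAccounts/stdemo")
IDENTITY_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.dumps([
    {"principalId": IDENTITY_ID, "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": STORAGE_ID},
    # Inherited from the resource group: broader than the answer recommends.
    {"principalId": IDENTITY_ID, "roleDefinitionName": "Contributor",
     "scope": STORAGE_ID.split("/providers/")[0]},
    # A different principal: must not count toward the managed identity.
    {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Reader",
     "scope": STORAGE_ID},
])


def audit_identity_roles(assignments_json, principal_id, storage_id):
    """Return (missing, broad): sorted role names for one principal on one storage account."""
    target = storage_id.rstrip("/").lower()
    granted = set()
    for entry in json.loads(assignments_json):
        if entry.get("principalId", "").lower() != principal_id.lower():
            continue
        scope = entry.get("scope", "").rstrip("/").lower()
        # Count direct assignments and those inherited from a parent scope.
        if target == scope or target.startswith(scope + "/"):
            granted.add(entry.get("roleDefinitionName"))
    return sorted(REQUIRED - granted), sorted(granted & BROAD)


if __name__ == "__main__":
    missing, broad = audit_identity_roles(SAMPLE, IDENTITY_ID, STORAGE_ID)
    print("missing:", missing)
    print("broader than needed:", broad)
```

An empty "missing" list means both suggested roles are in place; anything under "broader than needed" is a role to raise with the administrator.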