
Commit 9be8c0a

Add Foundry User and Cognitive Services User RBAC roles for processor
Adds Foundry User and Cognitive Services User role assignments for the processor container app on AI Foundry, for both the new and the existing project deployment paths. Required for the processor to access the OpenAI Responses API. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 880d375 commit 9be8c0a

1 file changed

Lines changed: 46 additions & 0 deletions


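--- a/infra/avm/modules/identity/role-assignments.bicep
+++ b/infra/avm/modules/identity/role-assignments.bicep
@@ -167,6 +167,52 @@ module processorAppOpenAIUserExisting './cross-scope-role-assignment.bicep' = if
 }
 }
 
+// Processor App Service → Foundry User on AI Foundry (new project, same RG)
+resource processorAppAiUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!useExistingAIProject && !empty(aiFoundryResourceId) && !empty(processorAppServicePrincipalId)) {
+name: guid(solutionName, aiFoundryAccount.id, processorAppServicePrincipalId, roleDefinitions.azureAiUser)
+scope: aiFoundryAccount
+properties: {
+principalId: processorAppServicePrincipalId
+roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.azureAiUser)
+principalType: 'ServicePrincipal'
+}
+}
+
+// Processor App Service → Foundry User on existing AI Foundry (cross-scope)
+module processorAppAiUserExisting './cross-scope-role-assignment.bicep' = if (useExistingAIProject && !empty(processorAppServicePrincipalId)) {
+name: 'assignAiUserRoleToProcessorExisting'
+scope: resourceGroup(existingAIFoundrySubscription, existingAIFoundryResourceGroup)
+params: {
+principalId: processorAppServicePrincipalId
+roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.azureAiUser)
+roleAssignmentName: guid(solutionName, existingAIFoundryName, processorAppServicePrincipalId, roleDefinitions.azureAiUser)
+aiFoundryName: existingAIFoundryName
+}
+}
+
+// Processor App Service → Cognitive Services User on AI Foundry (new project, same RG)
+resource processorAppCognitiveServicesUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!useExistingAIProject && !empty(aiFoundryResourceId) && !empty(processorAppServicePrincipalId)) {
+name: guid(solutionName, aiFoundryAccount.id, processorAppServicePrincipalId, roleDefinitions.cognitiveServicesUser)
+scope: aiFoundryAccount
+properties: {
+principalId: processorAppServicePrincipalId
+roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.cognitiveServicesUser)
+principalType: 'ServicePrincipal'
+}
+}
+
+// Processor App Service → Cognitive Services User on existing AI Foundry (cross-scope)
+module processorAppCognitiveServicesUserExisting './cross-scope-role-assignment.bicep' = if (useExistingAIProject && !empty(processorAppServicePrincipalId)) {
+name: 'assignCognitiveServicesUserRoleToProcessorExisting'
+scope: resourceGroup(existingAIFoundrySubscription, existingAIFoundryResourceGroup)
+params: {
+principalId: processorAppServicePrincipalId
+roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.cognitiveServicesUser)
+roleAssignmentName: guid(solutionName, existingAIFoundryName, processorAppServicePrincipalId, roleDefinitions.cognitiveServicesUser)
+aiFoundryName: existingAIFoundryName
+}
+}
+
 // ============================================================================
 // 2. SEARCH SERVICE ROLE ASSIGNMENTS
 // AI Project and Backend identities → AI Search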
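Review bot: The four new assignments (`processorAppAiUserAssignment`, `processorAppAiUserExisting`, `processorAppCognitiveServicesUserAssignment`, `processorAppCognitiveServicesUserExisting`) widen the processor identity's footprint beyond the data-plane access the commit message motivates, and the hunk does not say which permission each role supplies. The built-in Cognitive Services User role permits listing the account's keys, so granting it to a workload identity that already holds data-plane roles (the hunk header shows a pre-existing `processorAppOpenAIUserExisting`) lets that identity obtain a long-lived credential for the same account, which weakens an otherwise identity-based access model; if only the Responses API data-plane call is needed, it is worth confirming whether `roleDefinitions.azureAiUser` alone, or the existing OpenAI User role, satisfies it before adding the second role. Each block should carry a one-line comment naming the concrete action the role unlocks, e.g. `// Required for <API call/action> — TODO confirm minimal role; Cognitive Services User also allows listKeys`, placed above the resource/module declaration on both the new-project and existing-project paths. Independently of the role choice, the new-project resources set `principalType: 'ServicePrincipal'` but the cross-scope module calls do not pass a principal type; if `cross-scope-role-assignment.bicep` does not default it, the existing-project path may hit the replication-lag failure that `principalType` exists to avoid, so that module's parameters should be checked.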
