add permission assignment option to AzureContainerInstance

python/powerlift/powerlift/executors/azure_ci.py

@@ -35,6 +35,7 @@ def __init__(
         # TODO: change default to mcr.microsoft.com/devcontainers/python:latest
         image: str = "mcr.microsoft.com/devcontainers/python:latest",
         docker_db_uri: Optional[str] = None,
+        resource_uris: Optional[List[str]] = None,
         max_undead: int = 20,
         delete_on_complete: bool = True,
     ):
@@ -56,6 +57,7 @@ def __init__(
             mem_size_gb (int, optional): RAM size in GB per container. Defaults to 2.
             image (str, optional): Image to execute. Defaults to "mcr.microsoft.com/devcontainers/python:latest".
             docker_db_uri (str, optional): Database URI for container. Defaults to None.
+            resource_uris (List[str], optional): Azure resources to grant contributor access permissions to.
             max_undead (int): maximum number of containers that are allowed to be left alive if there is an error during initialization. Higher numbers increase the speed of initialization, but might incur higher cost if any zombies escape.
             delete_on_complete (bool, optional): Delete group containers after completion. Defaults to True.
         """
@@ -71,6 +73,7 @@ def __init__(
         self._delete_on_complete = delete_on_complete
 
         self._docker_db_uri = docker_db_uri
+        self._resource_uris = resource_uris
         self._azure_json = {
             "tenant_id": azure_tenant_id,
             "client_id": azure_client_id,
@@ -104,6 +107,7 @@ def submit(self, experiment_id, timeout=None):
             experiment_id,
             self._n_instances,
             uri,
+            self._resource_uris,
             timeout,
             self._image,
             self._azure_json,

python/powerlift/powerlift/run/azure_ci.py

@@ -1,14 +1,15 @@
 """This is called to run a trial by worker nodes (local / remote)."""
 
 
-def assign_delete_permissions(
+def assign_contributor_permissions(
     aci_client,
     auth_client,
     max_undead,
     credential,
     subscription_id,
     client_id,
     resource_group_name,
+    resource_uris,
     container_groups,
 ):
     from heapq import heappush, heappop
@@ -63,6 +64,11 @@ def assign_delete_permissions(
             auth_client.role_assignments.create(
                 scope, str(uuid.uuid4()), role_assignment_params1
             )
+            if resource_uris is not None:
+                for resource_uri in resource_uris:
+                    auth_client.role_assignments.create(
+                        resource_uri, str(uuid.uuid4()), role_assignment_params1
+                    )
             auth_client.role_assignments.create(
                 scope, str(uuid.uuid4()), role_assignment_params2
             )
@@ -79,6 +85,7 @@ def run_azure_process(
     experiment_id,
     n_instances,
     uri,
+    resource_uris,
     timeout,
     image,
     azure_json,
@@ -454,25 +461,27 @@ def run_azure_process(
 
         container_group_names.add(container_group_name)
         heappush(container_groups, (datetime.now(), container_group_name, started))
-        aci_client, auth_client = assign_delete_permissions(
+        aci_client, auth_client = assign_contributor_permissions(
             aci_client,
             auth_client,
             max_undead,
             credential,
             subscription_id,
             client_id,
             resource_group_name,
+            resource_uris,
             container_groups,
         )
 
-    assign_delete_permissions(
+    assign_contributor_permissions(
         aci_client,
         auth_client,
         0,
         credential,
         subscription_id,
         client_id,
         resource_group_name,
+        resource_uris,
         container_groups,
     )