enable entra id authentication with AKS

Author: jgbradley1

docker/Dockerfile-backend

@@ -20,11 +20,6 @@ RUN cd backend \
 # download all nltk data that graphrag requires
 RUN python -m nltk.downloader punkt averaged_perceptron_tagger maxent_ne_chunker words wordnet
 
-# Note: we temporarily patch the adlfs library to enable use of managed identity. A PR has been submitted to the adlfs library.
-# See https://github.com/fsspec/adlfs/pull/480
-# TODO: remove this once PR has been merged and a new version released
-RUN sed -i '/self.credential = credential/a\ \ \ \ \ \ \ \ if kwargs.get("account_host"): self.account_host = kwargs.get("account_host")' /usr/local/lib/python3.10/site-packages/adlfs/spec.py
-
 WORKDIR /backend
 EXPOSE 80
 CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "80"]

infra/core/aks/aks.bicep

@@ -62,6 +62,8 @@ param ingressRoleAssignments array = []
 @description('Array of objects with fields principalType, roleDefinitionId')
 param systemRoleAssignments array = []
 
+@description('Array of object ids that will have admin role of the cluster')
+param clusterAdmins array = []
 
 resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
   name: privateDnsZoneName
@@ -76,6 +78,11 @@ resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
   properties: {
     enableRBAC: true
     dnsPrefix: !empty(dnsPrefix) ? dnsPrefix : toLower(clusterName)
+    aadProfile: {
+      managed: true
+      enableAzureRBAC: true
+      adminGroupObjectIDs: clusterAdmins
+    }
     addonProfiles: {
       omsagent: {
         enabled: true

infra/deploy.sh

@@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 #!/usr/bin/env bash
 
-# set -ux # uncomment this line to debug
+set -ux # uncomment this line to debug
 
 aksNamespace="graphrag"
 
@@ -297,6 +297,16 @@ getAksCredentials () {
     printf "Getting AKS credentials... "
     az aks get-credentials -g $rg -n $aks --overwrite-existing 2>&1
     exitIfCommandFailed $? "Error getting AKS credentials, exiting..."
+    kubelogin convert-kubeconfig -l azurecli
+    exitIfCommandFailed $? "Error logging into AKS, exiting..."
+    # get principal/object id of the signed in user
+    local principalId=$(az ad signed-in-user show --output json | jq -r .id)
+    exitIfValueEmpty $principalId "Principal ID of deployer not found"
+    # assign "Azure Kubernetes Service RBAC Admin" role to deployer
+    local scope=$(az aks show --resource-group $rg --name $aks --query "id" -o tsv)
+    exitIfValueEmpty "$scope" "Unable to get AKS scope, exiting..."
+    az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --assignee-object-id $principalId --scope $scope
+    exitIfCommandFailed $? "Error assigning 'Azure Kubernetes Service RBAC Cluster Admin' role to deployer, exiting..."
     kubectl config set-context $aks --namespace=$aksNamespace
     printf "Done\n"
 }
@@ -326,6 +336,9 @@ deployAzureResources () {
     echo "Deploying Azure resources..."
     local SSH_PUBLICKEY=$(jq -r .publicKey <<< $SSHKEY_DETAILS)
     exitIfValueEmpty "$SSH_PUBLICKEY" "Unable to read ssh publickey, exiting..."
+    # get principal/object id of the signed in user
+    local deployerPrincipalId=$(az ad signed-in-user show --output json | jq -r .id)
+    exitIfValueEmpty $deployerPrincipalId "Principal ID of deployer not found"
     local datetime="`date +%Y-%m-%d_%H-%M-%S`"
     local deployName="graphrag-deploy-$datetime"
     echo "Deployment name: $deployName"
@@ -342,6 +355,7 @@ deployAzureResources () {
         --parameters "publisherEmail=$PUBLISHER_EMAIL" \
         --parameters "enablePrivateEndpoints=$ENABLE_PRIVATE_ENDPOINTS" \
         --parameters "acrName=$CONTAINER_REGISTRY_NAME" \
+        --parameters "deployerPrincipalId=$deployerPrincipalId" \
         --output json)
     # errors in deployment may not be caught by exitIfCommandFailed function so we also check the output for errors
     exitIfCommandFailed $? "Error deploying Azure resources..."
@@ -579,7 +593,7 @@ grantDevAccessToAzureResources() {
 
     # get principal/object id of the signed in user
     local principalId=$(az ad signed-in-user show --output json | jq -r .id)
-    exitIfValueEmpty $principalId "Principal ID not found"
+    exitIfValueEmpty $principalId "Principal ID of deployer not found"
 
     # assign storage account roles
     local storageAccountName=$(az storage account list --resource-group $RESOURCE_GROUP --output json | jq -r .[0].name)

infra/main.bicep

@@ -29,6 +29,9 @@ param graphRagName string
 @description('Cloud region for all resources')
 param location string = resourceGroup().location
 
+@description('Principal/Object ID of the deployer. Will be used to assign admin roles to the AKS cluster.')
+param deployerPrincipalId string
+
 @minLength(1)
 @description('Name of the publisher of the API Management instance.')
 param publisherName string
@@ -188,6 +191,7 @@ module aks 'core/aks/aks.bicep' = {
     location: location
     graphragVMSize: 'standard_d8s_v5'           // 8 vcpu, 32 GB memory
     graphragIndexingVMSize: 'standard_e8s_v5'   // 8 vcpus, 64 GB memory
+    clusterAdmins: ['${deployerPrincipalId}']
     sshRSAPublicKey: aksSshRsaPublicKey
     logAnalyticsWorkspaceId: log.outputs.id
     subnetId: vnet.properties.subnets[1].id // aks subnet