This repo demonstrates how to create a python Azure Function leveraging a runtime environment based on a custom docker container.
The function itself also connects to an Azure ML workspace Model registry to download at runtime an ML model and offer a scoring function as a web service. A Service Principal is used to establish the authentication to Azure ML as a Reader role.
This setup enables full control of the runtime environment and therefore the deployment of any type of ML model to Azure Functions as a PaaS ML endpoint.
The conda.yaml file is basically taken almost as is from the Azure ML service output directory of an Auto ML run.
func init az-func-docker --worker-runtime python --docker func new --name score --template "HTTP trigger"
az group create -n az-func-docker --location westus2
az acr create -n azfuncdocker -g az-func-docker --sku Basic --admin-enabled true
az storage account create -n azfuncdocker -g az-func-docker --location westus2 --sku Standard_LRS
az functionapp plan create -n azfuncdocker -g az-func-docker --location westus2 --number-of-workers 1 --sku P1V2 --is-linux
az functionapp create -n azfuncdocker -g az-func-docker --storage-account azfuncdocker --plan azfuncdocker --deployment-container-image-name azfuncdocker.azurecr.io/az-func-docker:latest --functions-version 3
az functionapp deployment container config -n azfuncdocker -g az-func-docker --enable-cd --query CI_CD_URL --output tsv
Update the Dockerfile to use the '-appservice' version of the base image
Go to this URL to access the KUDU environment: https://az-func-docker.scm.azurewebsites.net/
SEE: https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/manage-azureml-service/authentication-in-azureml/authentication-in-azureml.ipynb
Copy the secret value before leaving the control pane. Save the value under "SERVICE_PRINCIPAL_PASSWORD" in local.settings.json
Copy the Tenant ID from the app overview pane into 'TENANT_ID' in local.settings.json
Copy the Application ID from the app overview pane into 'SERVICE_PRINCIPAL_ID' in local.settings.json
Setup your 'SUBSCRIPTION_ID' in the settings file.
Setup your Azure ML Workspace name and resource group under the 'AML_WORKSPACE_NAME' and 'AML_RESOURCE_GROUP' settings.
Go to your Azure ML Workspace control pane in the Azure portal, and click on 'Access Control', then 'Add a role assignment':
Role: Reader Select: azfuncdocker
Click Save. This provides the service principal the Reader role to your workspace so we can access the AML Model registry.
Go to the Azure portal and open up the Azure Function. Click on 'Configuration' and then create a new 'Application Setting' for each setting item created in the steps above. This should represent 6 new settings.
Click 'Save'.
NOTE: see 'local.settings.template.json' as a reference file. Your local.settings.json should look like this with filled in values for all the parameters defined coming from your Azure environment.
docker login azfuncdocker.azurecr.io
You can find the username and password in the Azure portal registry panel, under 'Access Keys'.
make build
Push the image to the Azure Registry, which will trigger a reboot of the Azure function against the new image
make push
func start
make run-docker-local