
Copyright (c) Microsoft Corporation. All rights reserved.

Licensed under the MIT License.


Authentication in Azure Machine Learning

This notebook shows you how to authenticate to your Azure ML Workspace using

  1. Interactive Login Authentication
  2. Azure CLI Authentication
  3. Managed Service Identity (MSI) Authentication
  4. Service Principal Authentication
  5. Token Authentication

Interactive authentication is suitable for local experimentation on your own computer. Azure CLI authentication is suitable if you are already using the Azure CLI to manage Azure resources and want to sign in only once. MSI and Service Principal authentication are suitable for automated workflows, for example as part of an Azure DevOps build.


Interactive Authentication

Interactive authentication is the default mode when using the Azure ML SDK.

When you connect to your workspace using Workspace.from_config, you will get an interactive login dialog.


Also, if you explicitly specify the subscription ID, resource group and workspace name, you will get the dialog.


Note that the user you're authenticated as must have access to the subscription and resource group. If you receive an error

	AuthenticationException: You don't have access to xxxxxx-xxxx-xxx-xxx-xxxxxxxxxx subscription. All the subscriptions that you have access to = ...

check that you used the correct login and entered the correct subscription ID.

In some cases, you may see a version of the error message containing text: All the subscriptions that you have access to = []

In such a case, you may have to specify the tenant ID of the Azure Active Directory you're using. An example would be accessing a subscription as a guest to a tenant that is not your default. You specify the tenant by explicitly instantiating InteractiveLoginAuthentication with Tenant ID as argument. The Tenant ID can be found, for example, from https://portal.azure.com under Azure Active Directory, Properties as Directory ID.


Despite having access to the workspace, you may sometimes see the following error when retrieving it:

	You are currently logged-in to xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx tenant. You don't have access to xxxxxx-xxxx-xxx-xxx-xxxxxxxxxx subscription, please check if it is in this tenant.

This error sometimes occurs when you are trying to access a subscription to which you were recently added. In this case, you need to force authentication again to avoid using a cached authentication token that has not picked up the new permissions. You can do so by passing force=True to the InteractiveLoginAuthentication() constructor as follows:


Azure CLI Authentication

If you have installed the azure-cli package and used the az login command to log in to your Azure subscription, you can use the AzureCliAuthentication class.

Note that interactive authentication described above won't use existing Azure CLI auth tokens.


MSI Authentication

Note: MSI authentication is supported only when using the SDK from an Azure Virtual Machine. The code below will fail on a local computer.

When using the Azure ML SDK on an Azure Virtual Machine (VM), you can use Managed Service Identity (MSI) based authentication. This mode allows the VM to connect to the Workspace without storing credentials in the Python code.

As a prerequisite, enable System-assigned Managed Identity for your VM as described in Configure managed identities for Azure resources on a VM using the Azure portal.

Then, assign the VM access to your Workspace. For example from Azure Portal, navigate to your workspace, select Access Control (IAM), Add Role Assignment, specify Virtual Machine for Assign Access To dropdown, and select your VM's identity.

(Screenshot: msi assignment)

After completing these steps, you can authenticate using an MsiAuthentication instance.


Service Principal Authentication

When setting up a machine learning workflow as an automated process, we recommend using Service Principal Authentication. This approach decouples the authentication from any specific user login, and allows managed access control.

Note that you must have administrator privileges over the Azure subscription to complete these steps.

The first step is to create a service principal. First, go to Azure Portal, select Azure Active Directory and App Registrations. Then select +New application, give your service principal a name, for example my-svc-principal. You can leave other parameters as is.

Then click Register.

(Screenshot: service principal creation)

From the page for your newly created service principal, copy the Application ID and Tenant ID as they are needed later.

(Screenshot: application and tenant id)

Then select Certificates & secrets, and +New client secret. Write a description for your key, and select a duration. Then click Add, and copy the value of the client secret to a secure location.

(Screenshot: tenant id)

Finally, you need to give the service principal permissions to access your workspace. Navigate to Resource Groups, to the resource group for your Machine Learning Workspace.

Then select Access Control (IAM) and Add a role assignment. For Role, specify which level of access you need to grant, for example Contributor. Start entering your service principal name and once it is found, select it, and click Save.

(Screenshot: add role)

Now you are ready to use the service principal authentication. For example, to connect to your Workspace, see code below and enter your own values for tenant ID, application ID, subscription ID, resource group and workspace.

We strongly recommend that you do not insert the secret password into code. Instead, you can use environment variables to pass it to your code, for example through Azure Key Vault, or through secret build variables in Azure DevOps. For local testing, you can for example use the following PowerShell command to set the environment variable.

	$env:AZUREML_PASSWORD = "my-password"


See Register an application with the Microsoft identity platform quickstart for more details about application registrations.
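The following is an added example, not code from the original notebook, showing one way to keep the service principal secret out of source: the three values are read from environment variables, validated before the SDK is touched, and held in an object whose repr() and log description never contain the secret. AZUREML_PASSWORD is the variable the notebook itself uses; AZUREML_TENANT_ID and AZUREML_APP_ID are names chosen for this example.

```python
"""Service principal credentials from environment variables.

Added example (not from the original notebook). Builds on the page's own
AZUREML_PASSWORD variable; AZUREML_TENANT_ID and AZUREML_APP_ID are this
example's own names for the other two values.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Mapping, Optional

REQUIRED_VARS = ("AZUREML_TENANT_ID", "AZUREML_APP_ID", "AZUREML_PASSWORD")
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


@dataclass(frozen=True)
class ServicePrincipalCredentials:
    tenant_id: str
    client_id: str
    # repr=False keeps the secret out of repr(), out of tracebacks that print
    # the object, and out of any log line that formats it.
    client_secret: str = field(repr=False)

    def describe(self) -> str:
        """Log-safe one-liner: identifies the principal, never the secret."""
        return f"tenant={self.tenant_id} app={self.client_id} secret=<redacted>"


def validate_env(env: Mapping[str, str]) -> List[str]:
    """Return a list of problems (empty means the environment is usable).

    Fails fast and specifically, so a missing secret does not surface later
    as an opaque authentication error from the SDK.
    """
    problems = [f"{name} is not set" for name in REQUIRED_VARS if not env.get(name)]
    for name in ("AZUREML_TENANT_ID", "AZUREML_APP_ID"):
        value = env.get(name)
        if value and not _GUID.match(value):
            problems.append(f"{name} is not a GUID")
    return problems


def load_service_principal_credentials(
    env: Optional[Mapping[str, str]] = None,
) -> ServicePrincipalCredentials:
    """Read the three values from `env` (defaults to os.environ)."""
    env = os.environ if env is None else env
    problems = validate_env(env)
    if problems:
        raise RuntimeError("; ".join(problems))
    return ServicePrincipalCredentials(
        tenant_id=env["AZUREML_TENANT_ID"],
        client_id=env["AZUREML_APP_ID"],
        client_secret=env["AZUREML_PASSWORD"],
    )


def make_auth(creds: ServicePrincipalCredentials):
    """Build the SDK's ServicePrincipalAuthentication. The import is lazy so
    that loading and validation above work wherever azureml-core is absent."""
    from azureml.core.authentication import ServicePrincipalAuthentication

    return ServicePrincipalAuthentication(
        tenant_id=creds.tenant_id,
        service_principal_id=creds.client_id,
        service_principal_password=creds.client_secret,
    )


if __name__ == "__main__":
    creds = load_service_principal_credentials()
    print(creds.describe())  # safe to log; the secret never appears
```

Pass the result of make_auth(creds) as the auth argument when constructing the Workspace. The validation step is deliberately separate from the SDK call so that a CI job with a mis-set variable fails with a message naming the variable rather than with a generic authentication exception.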

Token Authentication

When token generation and refresh need to happen outside the AML SDK, we recommend using Token Authentication. It can be used to obtain a token for either the AML or the ARM audience, giving you more granular control over the token generated.

This authentication class requires you to provide a method, get_token_for_audience, which will be called to retrieve a token for the audience passed.

The audience passed to get_token_for_audience is either ARM or AML. The exact value passed as the audience depends on the cloud and on the audience type.


The token authentication object can be used to retrieve a token for either the AML or the ARM audience, which other clients can then use to authenticate to AML or ARM.
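Because the SDK only calls get_token_for_audience and leaves generation and refresh to you, the callback is where caching and expiry handling belong. The following is an added example, not code from the original notebook: a provider that keeps one token per audience and fetches a new one only when the cached token is inside a refresh margin of expiring. The identity-provider call is abstracted as a `fetch(audience)` function returning the token and its absolute expiry; the `fake_fetch` stub is constructed for illustration, and the only SDK name assumed is the TokenAuthentication constructor keyword get_token_for_audience given on the page.

```python
"""A get_token_for_audience callback that caches per audience and refreshes
before expiry.

Added example, not from the original notebook. The identity-provider call is
abstracted as fetch(audience) -> (token, expires_at); the stub under
__main__ is constructed for illustration, and in production fetch would call
your token endpoint (for example via MSAL). Assumes the TokenAuthentication
constructor keyword get_token_for_audience as named on the page.
"""
import time
from typing import Callable, Dict, Tuple

# fetch(audience) returns (token, absolute expiry as epoch seconds)
Fetcher = Callable[[str], Tuple[str, float]]


class CachingTokenProvider:
    """Per-audience token cache: a token is reused until it is within
    refresh_margin seconds of expiring, then fetched again."""

    def __init__(self, fetch: Fetcher, refresh_margin: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch
        self._margin = refresh_margin
        self._clock = clock  # injectable so tests can control time
        self._cache: Dict[str, Tuple[str, float]] = {}
        self.fetch_count = 0  # how often the token endpoint was really called

    def get_token_for_audience(self, audience: str) -> str:
        """The callback handed to TokenAuthentication."""
        now = self._clock()
        entry = self._cache.get(audience)
        if entry is None or entry[1] - self._margin <= now:
            token, expires_at = self._fetch(audience)
            if expires_at <= now:
                # An already-expired token would only produce 401 responses.
                raise RuntimeError(f"token for audience {audience!r} is already expired")
            entry = (token, expires_at)
            self._cache[audience] = entry
            self.fetch_count += 1
        return entry[0]

    def invalidate(self, audience: str) -> None:
        """Drop a cached token, e.g. after the service rejected it."""
        self._cache.pop(audience, None)


if __name__ == "__main__":
    # Constructed stub standing in for a real token endpoint.
    def fake_fetch(audience: str) -> Tuple[str, float]:
        return f"token-for-{audience}", time.time() + 3600

    provider = CachingTokenProvider(fetch=fake_fetch)
    try:
        from azureml.core.authentication import TokenAuthentication
        token_auth = TokenAuthentication(
            get_token_for_audience=provider.get_token_for_audience)
        print("TokenAuthentication ready:", token_auth)
    except ImportError:
        print("azureml-core not installed; provider works stand-alone:",
              provider.get_token_for_audience("example-audience"))
```

The refresh margin matters in long-running jobs: a token that is still technically valid when the SDK asks for it may expire during the request it is used for, so refreshing a few minutes early avoids intermittent failures without hitting the token endpoint on every call.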

Using Secrets in Remote Runs

Sometimes, you may have to pass a secret to a remote run, for example username and password to authenticate against external data source.

The Azure ML SDK enables this use case through the Key Vault associated with your workspace. The workflow for adding a secret is as follows.

On local computer:

  1. Read in a local secret, for example from environment variable or user input. To keep them secret, do not insert secret values into code as hard-coded strings.
  2. Obtain a reference to the key vault.
  3. Add the secret name-value pair in the key vault.

The secret is then available for remote runs as shown further below.

Note: The azureml.core.keyvault.Keyvault class is different from the azure.keyvault library. It is intended as a simplified wrapper for setting, getting and listing user secrets in the Workspace Key Vault.


The set_secret method adds a new secret if one doesn't exist, or updates an existing one with new value.

You can list secret names you've added. This method doesn't return the values of the secrets.


You can retrieve the value of the secret, and validate that it matches the original value.

Note: This method returns the secret value. Take care not to write the secret value to output.


In submitted runs on local and remote compute, you can use the get_secret method of Run instance to get the secret value from Key Vault.

The method gives you a simple shortcut: the Run instance is aware of its Workspace and Keyvault, so it can directly obtain the secret without you having to instantiate the Workspace and Keyvault within the remote run.

Note: This method returns the secret value. Take care not to write the secret to output.

For example, let's create a simple script get_secret.py that gets the secret we set earlier. In an actual application, you would use the secret, for example to access a database or other password-protected resource.


Then, submit the script as a regular script run, and find the obfuscated secret value in the run output. You can use the same approach with other kinds of runs, such as Estimator runs.


Furthermore, you can set and get multiple secrets using set_secrets and get_secrets methods.
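The whole workflow of this section, from reading a local secret into the key vault through to using it in a run without echoing it, as an added example that is not code from the original notebook. It is written against the three method names the page gives (set_secret, get_secret, list_secrets) through a small interface, so it runs offline with the constructed InMemorySecretStore; in production you would pass the workspace's own Keyvault object instead. Two things are assumed rather than taken from the page: that list_secrets() returns a list of dicts with a "name" key, and that inside a submitted run Run.get_context().get_secret(name) is the call behind the get_secret.py script.

```python
"""Secret round-trip through the workspace Key Vault, with output redaction.

Added example, not from the original notebook. Written against the three
method names the page gives (set_secret, get_secret, list_secrets) so that it
runs offline with InMemorySecretStore, a constructed stand-in; in production
pass the workspace's own Keyvault object. Assumes list_secrets() returns a
list of dicts with a "name" key, and that inside a submitted run
Run.get_context().get_secret(name) reads a secret.
"""
import hmac
import logging
import os
from typing import Dict, Iterable, List, Mapping, Optional, Protocol


class SecretStore(Protocol):
    def set_secret(self, name: str, value: str) -> None: ...
    def get_secret(self, name: str) -> str: ...
    def list_secrets(self) -> List[Dict[str, str]]: ...


class InMemorySecretStore:
    """Constructed stand-in exposing the same three methods."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}

    def set_secret(self, name: str, value: str) -> None:
        self._secrets[name] = value  # adds a new secret or overwrites an existing one

    def get_secret(self, name: str) -> str:
        return self._secrets[name]

    def list_secrets(self) -> List[Dict[str, str]]:
        return [{"name": n} for n in self._secrets]


def publish_local_secret(store: SecretStore, secret_name: str, env_var: str,
                         env: Optional[Mapping[str, str]] = None) -> str:
    """Steps 1 to 3 on the local computer: read the value from an environment
    variable (never a hard-coded string), refuse an empty one, store it."""
    env = os.environ if env is None else env
    value = env.get(env_var)
    if not value:
        raise RuntimeError(f"environment variable {env_var} is not set")
    store.set_secret(secret_name, value)
    return secret_name


def secret_names(store: SecretStore) -> List[str]:
    """Names only; listing never exposes values."""
    return sorted(entry["name"] for entry in store.list_secrets())


def secret_matches(store: SecretStore, name: str, expected: str) -> bool:
    """Validate the stored value without printing it; constant-time compare
    so the check itself leaks nothing through timing."""
    return hmac.compare_digest(store.get_secret(name).encode(), expected.encode())


def redact(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of a known secret value with ***."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "***")
    return text


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler so secret values never reach output."""

    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        self._secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()
        return True


def resolve_secret_in_run(name: str, store: Optional[SecretStore] = None) -> str:
    """What get_secret.py does: inside a submitted run, ask the Run for the
    secret; with an explicit store (tests, local dry runs) use that instead."""
    if store is not None:
        return store.get_secret(name)
    from azureml.core import Run  # assumed SDK call, see lead-in
    return Run.get_context().get_secret(name)


if __name__ == "__main__":
    store = InMemorySecretStore()
    name = publish_local_secret(store, "db-password", "EXAMPLE_SECRET",
                                env={"EXAMPLE_SECRET": "constructed-value"})
    value = resolve_secret_in_run(name, store)
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("run")
    log.addFilter(RedactingFilter([value]))
    log.info("connected using secret %s", value)  # logs ***, not the value
```

Calling publish_local_secret a second time for the same name overwrites the stored value, matching the set_secret semantics described above, and secret_matches is how to confirm the round-trip without ever sending the value to stdout or a notebook cell. The redacting filter is a belt-and-braces measure for the remote run: even if application code logs a connection string by mistake, the known secret is masked before the record reaches the run's output stream.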