
Managed Identity Not Used for Internal Storage Operations During az ml job create #31690

@skrepo0


Describe the bug

I am encountering an issue when using user-assigned managed identity-based authentication with the az ml job create command. While the job submission itself respects the managed identity, internal operations—such as copying the code or YAML file to the associated storage account—do not appear to follow the same authentication mechanism.

Instead, the CLI attempts to generate a SAS token, which is blocked on our storage account due to security policies. This results in a failure during job creation.

Related command

az ml job create --file .\test.yml --debug

Errors

Unauthorised to generate the token.

Please note that storage is enabled only with RBAC-based access, and key-based access is disabled.


Issue script & Debug output

TBD

Expected behavior

All internal operations, including storage access, should consistently use the configured managed identity without falling back to SAS token generation.

Environment Summary

azure-cli 2.58.0
ml 2.37.1
azure-devops 1.0.0

Additional context

Actual Behavior: The CLI attempts to generate a SAS token for storage access, which fails due to policy restrictions.
Request: Please ensure that managed identity is used consistently for all operations, including internal storage interactions, when it is configured as the authentication method.
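
A diagnostic that helps triage a report like this one, added here as an example and not part of the original issue or of the Azure CLI project: it checks that shared-key access is disabled on the account, that the identity holds a blob data-plane role, and that a token-based (`--auth-mode login`) blob call succeeds. All angle-bracket values are placeholders, and the script assumes the CLI session is already signed in as the managed identity.

```powershell
# Placeholders (assumptions, not values from the issue): replace before running.
$ResourceGroup       = "<resource-group>"
$StorageAccount      = "<storage-account>"
$Container           = "<container>"
$IdentityPrincipalId = "<managed-identity-principal-object-id>"

# 1. Is shared-key authorization disabled on the storage account?
$acct = az storage account show -g $ResourceGroup -n $StorageAccount `
    --query "{id:id, allowSharedKeyAccess:allowSharedKeyAccess}" -o json | ConvertFrom-Json
# A null value means the property was never set, which Azure treats as enabled.
$sharedKeyDisabled = ($acct.allowSharedKeyAccess -eq $false)
Write-Host "Shared key access disabled: $sharedKeyDisabled"

# 2. Which blob data-plane roles does the identity hold on (or above) the account?
$roles = az role assignment list --assignee $IdentityPrincipalId --scope $acct.id `
    --include-inherited --query "[].roleDefinitionName" -o tsv
$blobRoles = @($roles | Where-Object { $_ -like "Storage Blob Data *" })
Write-Host "Blob data roles: $($blobRoles -join ', ')"

# 3. Does a token-based data-plane call succeed for the signed-in identity?
az storage blob list --account-name $StorageAccount --container-name $Container `
    --auth-mode login --num-results 1 -o none
$tokenAccessWorks = ($LASTEXITCODE -eq 0)
Write-Host "Token-based blob access works: $tokenAccessWorks"

if ($sharedKeyDisabled -and $blobRoles.Count -gt 0 -and $tokenAccessWorks) {
    # RBAC access is healthy, so a failure in 'az ml job create' is consistent
    # with the SAS-generation step described in the report above.
    Write-Host "RBAC path OK; investigate the SAS-based upload step of az ml job create."
}
```

If step 3 fails, the problem is in the role assignment or sign-in rather than in the `ml` extension's upload path.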


Labels

Auto-Resolve: Auto resolve by bot
Machine Learning: az ml
Security-Issue
Service Attention: This issue is responsible by Azure service team.
bug: This issue requires a change to an existing behavior in the product in order to be resolved.
