Merge pull request #3049 from MicrosoftDocs/repo_sync_working_branch

Taojunshen · web-flow · commit addc62aedfc8 · 2025-02-21T01:41:13.000+08:00
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-ai-docs (branch main)
diff --git a/articles/machine-learning/how-to-identity-based-service-authentication.md b/articles/machine-learning/how-to-identity-based-service-authentication.md
@@ -276,6 +276,38 @@ During cluster creation or when editing compute cluster details, in the **Advanc
 
 ---
 
+### Kubernetes Cluster Compute
+
+> [!NOTE]
+> Azure Machine Learning kubernetes clusters support only **one system-assigned identity** or **one user-assigned identities**, not both concurrently.
+
+The **default managed identity** is the system-assigned managed identity or the first user-assigned managed identity.
+
+
+During a run, there are two applications of an identity:
+
+- The system uses an identity to set up the user's storage mounts, container registry, and datastores.
+
+    * In this case, the system will use the default-managed identity.
+
+- You apply an identity to access resources from within the code for a submitted job:
+
+    * In the case of kubernetes cluster compute, the ManagedIdentityCredential object should be provided **without any client_id**.
+
+    For example, to retrieve a token for a datastore with the default-managed identity:
+
+    ```python
+    credential = ManagedIdentityCredential()
+    token = credential.get_token('https://storage.azure.com/')
+    ```
+
+To configure a kubernetes cluster compute, make sure that it has the [necessary AML extension deployed in it](https://learn.microsoft.com/azure/machine-learning/how-to-deploy-kubernetes-extension?view=azureml-api-2&tabs=deploy-extension-with-cli) and follow the documentation on [how to attach the kubernetes cluster compute to your AML workspace](https://learn.microsoft.com/azure/machine-learning/how-to-attach-kubernetes-to-workspace?view=azureml-api-2&tabs=cli).
+
+> [!IMPORTANT] 
+> For Training purposes (Machine Learning Jobs), the identity that is used is the one assigned to the Kubernetes Cluster Compute. However, in the case of inferencing (Managed Online Endpoints), the identity that is used is the one assigned to the endpoint. For more information see [How to Access Azure Resources from an Online Endpoint](https://learn.microsoft.com/azure/machine-learning/how-to-access-resources-from-endpoints-managed-identities?view=azureml-api-2&tabs=system-identity-cli).
+
+---
+
 ### Data storage
 
 When you create a datastore that uses **identity-based data access**, your Azure account ([Microsoft Entra token](/azure/active-directory/fundamentals/active-directory-whatis)) is used to confirm you have permission to access the storage service. In the **identity-based data access** scenario, no authentication credentials are saved. Only the storage account information is stored in the datastore.
@@ -413,6 +445,7 @@ The following steps outline how to set up data access with user identity for tra
 > [!IMPORTANT] 
 > During job submission with authentication with user identity enabled, the code snapshots are protected against tampering by checksum validation. If you have existing pipeline components and intend to use them with authentication with user identity enabled, you might need to re-upload them. Otherwise the job may fail during checksum validation. 
 
+
 ### Work with virtual networks
 
 By default, Azure Machine Learning can't communicate with a storage account that's behind a firewall or in a virtual network.
