@@ -23,7 +23,7 @@ Batch endpoints support Azure Active Directory authentication, or `aad_token`. T
23
23
24
24
## How authentication works
25
25
26
-
To invoke a batch endpoint, the user must present a valid Azure Active Directory token representing a security principal. This principal can be a user principal or a service principal. In any case, once an endpoint is invoked, a batch deployment job is created under the identity associated with the token. The identity needs the following permissions in order to successfully create a job:
26
+
To invoke a batch endpoint, the user must present a valid Azure Active Directory token representing a security principal. This principal can be a __user principal__ or a __service principal__. In any case, once an endpoint is invoked, a batch deployment job is created under the identity associated with the token. The identity needs the following permissions in order to successfully create a job:
27
27
28
28
> [!div class="checklist"]
29
29
> * Read batch endpoints/deployments.
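Review bot: The reworded sentence now emphasizes only "user principal" and "service principal" as the kinds of security principal, while the same commit adds sections on starting jobs with a managed identity. Mention managed identities here too, or say they are covered under service principals, so that the statement "a batch deployment job is created under the identity associated with the token" and the permission checklist below clearly apply to them as well.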
@@ -41,99 +41,149 @@ You can either use one of the [built-in security roles](../../role-based-access-
41
41
42
42
The following examples show different ways to start batch deployment jobs using different types of credentials:
43
43
44
+
> [!IMPORTANT]
45
+
> When working on a private link-enabled workspaces, batch endpoints can't be invoked from the UI in Azure ML studio. Please use the Azure ML CLI v2 instead for job creation.
46
+
44
47
### Running jobs using user's credentials
45
48
49
+
In this case, we want to execute a batch endpoint using the identity of the user currently logged in. Follow these steps:
50
+
51
+
> [!NOTE]
52
+
> When working on Azure ML studio, batch endpoints/deployments are always executed using the identity of the current user logged in.
53
+
46
54
# [Azure ML CLI](#tab/cli)
47
55
48
-
Use the Azure CLI to log in using either interactive or device code authentication:
56
+
1.Use the Azure CLI to log in using either interactive or device code authentication:
49
57
50
-
```azurecli
51
-
az login
52
-
```
58
+
```azurecli
59
+
az login
60
+
```
53
61
54
-
Once authenticated, use the following command to run a batch deployment job:
62
+
1. Once authenticated, use the following command to run a batch deployment job:
55
63
56
-
```azurecli
57
-
az ml batch-endpoint invoke --name $ENDPOINT_NAME --input https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data
58
-
```
64
+
```azurecli
65
+
az ml batch-endpoint invoke --name $ENDPOINT_NAME --input https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data
66
+
```
59
67
60
68
# [Azure ML SDK for Python](#tab/sdk)
61
69
62
-
Use the Azure ML SDK for Python to log in using either interactive or device authentication:
70
+
1. Use the Azure ML SDK for Python to log in using either interactive or device authentication:
63
71
64
-
```python
65
-
from azure.ai.ml import MLClient
66
-
from azure.identity import InteractiveAzureCredentials
72
+
```python
73
+
from azure.ai.ml import MLClient
74
+
from azure.identity import InteractiveAzureCredentials
Jobs are always started using the identity of the user in the portal in studio.
94
+
When working with REST APIs, we recommend to using either a service principal or a managed identity to interact with the API.
87
95
88
96
---
89
97
90
98
### Running jobs using a service principal
91
99
100
+
In this case, we want to execute a batch endpoint using a service principal already created in Azure Active Directory. To complete the authentication, you will have to create a secret to perform the authentication. Follow these steps:
101
+
92
102
# [Azure ML CLI](#tab/cli)
93
103
94
-
For more details see [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli).
104
+
1. Create a secret to use for authentication as explained at [Option 2: Create a new application secret](../../active-directory/develop/howto-create-service-principal-portal.md#option-2-create-a-new-application-secret).
105
+
1. For more details see [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli).
95
106
96
-
```bash
97
-
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
98
-
```
107
+
```bash
108
+
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
109
+
```
99
110
100
-
Once authenticated, use the following command to run a batch deployment job:
111
+
1. Once authenticated, use the following command to run a batch deployment job:
101
112
102
-
```azurecli
103
-
az ml batch-endpoint invoke --name $ENDPOINT_NAME --input https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data
104
-
```
113
+
```azurecli
114
+
az ml batch-endpoint invoke --name $ENDPOINT_NAME --input https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data
115
+
```
105
116
106
117
# [Azure ML SDK for Python](#tab/sdk)
107
118
108
-
To authenticate using a service principal, indicate the tenant ID, client ID and client secret of the service principal using environment variables as demonstrated here:
You can't run jobs using a service principal from studio.
119
+
1. Create a secret to use for authentication as explained at [Option 2: Create a new application secret](../../active-directory/develop/howto-create-service-principal-portal.md#option-2-create-a-new-application-secret).
120
+
1. To authenticate using a service principal, indicate the tenant ID, client ID and client secret of the service principal using environment variables as demonstrated:
You can use the REST API of Azure Machine Learning to start a batch endpoints job using the user's credential. Follow these steps:
149
+
150
+
1. Use the login service from Azure to get an authorization token. Authorization tokens are issued to a particular scope. The resource type for Azure Machine learning is `https://ml.azure.com`. The request would look as follows:
> Notice that the resource scope for invoking a batch endpoints (`https://ml.azure.com1) is different from the resource scope used to manage them. All management APIs in Azure use the resource scope `https://management.azure.com`, including Azure Machine Learning.
162
+
163
+
3. Once authenticated, use the query to run a batch deployment job:
You can use the REST API of Azure Machine Learning to start a batch endpoints job using a managed identity. The steps vary depending on the underlying service being used. Some examples include (but are not limited to):
230
+
231
+
*[Managed identity for Azure Data Factory](../../data-factory/data-factory-service-identity.md)
232
+
*[How to use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md).
233
+
*[How to use managed identities for Azure resources on an Azure VM to acquire an access token](../../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md).
178
234
179
-
You can't run jobs using a managed identity from studio.
235
+
You can also use the Azure CLI to get an authentication token for the managed identity and the pass it to the batch endpoints URI.
180
236
181
237
---
182
238
183
239
## Next steps
184
240
185
241
*[Network isolation in batch endpoints](how-to-secure-batch-endpoint.md)
242
+
*[Invoking batch endpoints from Event Grid events in storage](how-to-use-event-grid-batch.md).
243
+
*[Invoking batch endpoints from Azure Data Factory](how-to-use-batch-azure-data-factory.md).
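Review bot: In the REST note on resource scopes, the invocation scope is written as https://ml.azure.com1) with a "1" where the closing backtick should be. The inline code never closes, and a reader who copies it requests a token for the wrong resource. Close the span after `https://ml.azure.com`, and say "resource scope" in step 1 as well, where the text currently says "resource type". Since this change has the reader create a client secret, consider adding a line next to `az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>` noting that a secret typed on the command line ends up in shell history. Smaller points in the same hunk:

- The first CLI step under user credentials reads "1.Use" with no space after the marker, so it will not render as a list item.
- The SDK step imports `InteractiveAzureCredentials`, which azure-identity does not export. The interactive classes are `InteractiveBrowserCredential` and `DeviceCodeCredential`.
- In the service principal CLI tab, the second list item is only "For more details see ...", so the instruction itself (sign in with the service principal) is missing.
- The REST steps are numbered "3." where the rest of the file repeats "1.".
- The wording "we recommend to using", "a private link-enabled workspaces", "a batch endpoints" and "and the pass it" needs fixing.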