Commit 5c63098

committed
revisions
1 parent 3a3822c commit 5c63098

File tree

2 files changed

+17
-10
lines changed

articles/search/search-howto-managed-identities-data-sources.md

Lines changed: 1 addition & 1 deletion
@@ -189,7 +189,7 @@ The following steps are for Azure Storage. If your resource is Azure Cosmos DB o
189189
190190
1. Select **Add role assignment**.
191191
192-
1. On the **Role** page, select the roles needed for your search service. Recall that roles are cumulative. Choose only what you need, but you can select all of them for full access to integrated features:
192+
1. On the **Role** page, select the roles needed for your search service. Recall that roles are cumulative. You should choose only what you need, but you can select all of them for full access to integrated features:
193193
194194
| Role | Usage |
195195
|------|-------|
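Review bot: the added "You should" in the rewritten **Role** sentence softens the imperative voice the neighbouring steps use ("Select **Add role assignment**"), and the sentence still ends by inviting the reader to select every role, so the least-privilege guidance gets lost. Keep the imperative and name the floor explicitly, for example "Choose only the roles you need; **Storage Blob Data Reader** is the minimum for read-only indexing, and selecting all of them grants full access to integrated features." The minimum role is the one the second file in this commit states under **Check permissions**, so the two pages would then agree.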

articles/search/search-indexer-howto-access-trusted-service-exception.md

Lines changed: 16 additions & 9 deletions
@@ -15,17 +15,16 @@ ms.date: 12/08/2022
1515

1616
In Azure Cognitive Search, indexers that access Azure blobs can use the [trusted service exception](../storage/common/storage-network-security.md#exceptions) to securely access data. This mechanism offers customers who are unable to grant [indexer access using IP firewall rules](search-indexer-howto-access-ip-restricted.md) a simple, secure, and free alternative for accessing data in storage accounts.
1717

18-
## Prerequisites
19-
20-
+ A search service with a [**system-assigned managed identity**](search-howto-managed-identities-data-sources.md).
18+
> [!NOTE]
19+
> If Azure Storage is behind a firewall and in the same region as Azure Cognitive Search, you won't be able to create an inbound rule that admits requests from your search service. The solution for this scenario is for search to connect as a trusted service, as described in this article.
2120
22-
+ A storage account with the **Allow trusted Microsoft services to access this storage account** network option.
21+
## Prerequisites
2322

24-
+ Content in Azure Blob Storage or Azure Data Lake Storage Gen2 (ADLS Gen2) that you want to index or enrich.
23+
+ A search service with a system-assigned managed identity ([see below](#check-service-identity)).
2524

26-
+ An Azure role assignment in Azure Storage that grants permissions to the search service system-assigned managed identity. A system managed identity is an Azure AD login. The assignment needs **Storage Blob Data Reader** at a minimum.
25+
+ A storage account with the **Allow trusted Microsoft services to access this storage account** network option ([see below](#check-network-settings)).
2726

28-
The role assignment also needs **Storage Blob Data Contributor** if write access is required. Features that require write access include [enrichment caching](cognitive-search-incremental-indexing-conceptual.md), [debug sessions](cognitive-search-debug-session.md), and [knowledge store](knowledge-store-concept-intro.md).
27+
+ An Azure role assignment in Azure Storage that grants permissions to the search service system-assigned managed identity ([see below](#check-permissions)).
2928

3029
> [!NOTE]
3130
> In Cognitive Search, a trusted service connection is limited to blobs and ADLS Gen2 on Azure Storage. It's unsupported for indexer connections to Azure Table Storage and Azure File Storage.
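Review bot: the three new prerequisite bullets link to `#check-service-identity`, `#check-network-settings` and `#check-permissions`, but only the last two have headings introduced by this patch (`## Check network settings` and `## Check permissions`); no `## Check service identity` heading appears anywhere in the diff, so verify that such a heading already exists unchanged above the **Identity** page step, otherwise the first anchor is dead. Separately, the rewritten role-assignment bullet drops the explicit minimum (**Storage Blob Data Reader**) and the write-access case that the removed bullet carried, leaving the prerequisites list silent on what the assignment must contain until the reader follows the link; consider keeping one clause in the bullet, e.g. "An Azure role assignment in Azure Storage that grants at least **Storage Blob Data Reader** to the search service system-assigned managed identity ([see below](#check-permissions))." Moving the firewall NOTE above `## Prerequisites` into the intro reads fine.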
@@ -36,11 +35,11 @@ In Azure Cognitive Search, indexers that access Azure blobs can use the [trusted
3635

3736
1. [Sign in to Azure portal](https://portal.azure.com) and [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2storageAccounts/).
3837

39-
1. On the **Identity** page, make sure that a system assigned identity is enabled. Remember that user-assigned managed identities, currently in preview, won't work for a trusted service connection.
38+
1. On the **Identity** page, make sure that a [system assigned identity is enabled](search-howto-managed-identities-data-sources.md). Remember that user-assigned managed identities, currently in preview, won't work for a trusted service connection.
4039

4140
:::image type="content" source="media/search-managed-identities/system-assigned-identity-object-id.png" alt-text="Screenshot of a system identity object identifier." border="true":::
4241

43-
## Check network settings and permissions
42+
## Check network settings
4443

4544
1. [Sign in to Azure portal](https://portal.azure.com) and [find your storage account](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2storageAccounts/).
4645
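Review bot: the "find your search service" link on the first (unchanged) step of this hunk targets the storage accounts blade (`resourceType/Microsoft.Storage%2storageAccounts/`), the very same URL the later "find your storage account" step in this hunk uses, so it sends the reader to the wrong resource list; both URLs also contain `%2` where the path separator should be percent-encoded as `%2F`. Since the hunk already touches the adjacent **Identity** step, fix the search link to the search services blade (resource type `Microsoft.Search/searchServices`, encoded as `Microsoft.Search%2FsearchServices`) and correct the `%2storageAccounts` encoding in the storage link at the same time. The heading rename to `## Check network settings` is consistent with the permissions content moving to its own section.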

@@ -56,8 +55,16 @@ In Azure Cognitive Search, indexers that access Azure blobs can use the [trusted
5655

5756
This option will only permit the specific search service instance with appropriate role-based access to the storage account (strong authentication) to access data in the storage account, even if it's secured by IP firewall rules.
5857

58+
## Check permissions
59+
60+
A system managed identity is an Azure AD login. The assignment needs **Storage Blob Data Reader** at a minimum.
61+
5962
1. In the left navigation pane under **Access Control**, view all role assignments and make sure that **Storage Blob Data Reader** is assigned to the search service system identity.
6063

64+
1. Add **Storage Blob Data Contributor** if write access is required.
65+
66+
Features that require write access include [enrichment caching](cognitive-search-incremental-indexing-conceptual.md), [debug sessions](cognitive-search-debug-session.md), and [knowledge store](knowledge-store-concept-intro.md).
67+
6168
## Set up and test the connection
6269

6370
The easiest way to test the connection is by running the Import data wizard.
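Review bot: the new `## Check permissions` section should say whether "Add **Storage Blob Data Contributor** if write access is required" is in addition to or instead of **Storage Blob Data Reader**; Contributor already includes blob read, so a reader who needs write access can assign Contributor alone, and the step as written invites a redundant second assignment. Two smaller points in the same region: the paragraph "Features that require write access include ..." is not indented under the numbered step, so it renders as a standalone paragraph rather than as part of the Contributor step (indent it four spaces if it belongs there), and the moved sentence "A system managed identity is an Azure AD login" would be more precise as "a service principal in Azure AD", since that is what the role assignment is granted to.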
