Commit 5f349e6

Merge pull request #276402 from cloga/lochen/credential-less-new
add rest to update fileshare
2 parents e116f91 + 95d7c54 commit 5f349e6

3 files changed

+26
-11
lines changed

articles/machine-learning/prompt-flow/troubleshoot-guidance.md

Lines changed: 26 additions & 11 deletions
@@ -74,7 +74,7 @@ There are possible reasons for this issue:
7474

7575
:::image type="content" source="./media/faq/storage-account-networking-firewall.png" alt-text="Screenshot that shows firewall setting on storage account." lightbox = "./media/faq/storage-account-networking-firewall.png":::
7676

77-
- There are some cases, the account key in data store is out of sync with the storage account, you can try to update the account key in data store detail page to fix this.
77+
- There are some cases, the account key in datastore is out of sync with the storage account, you can try to update the account key in datastore detail page to fix this.
7878

7979
:::image type="content" source="./media/faq/datastore-with-wrong-account-key.png" alt-text="Screenshot that shows datastore with wrong account key." lightbox = "./media/faq/datastore-with-wrong-account-key.png":::
8080
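Review bot: The changed bullet on line 77 is still a comma splice after the "data store" to "datastore" rename. Suggest: "In some cases the account key stored in the datastore is out of sync with the storage account. Update the account key on the datastore detail page to fix this." Since this commit also adds a credential-less datastore section further down, a cross-link from this bullet would help readers who would rather stop storing the account key in the datastore.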

@@ -83,7 +83,7 @@ There are possible reasons for this issue:
8383
- Allowed origins: `https://mlworkspace.azure.ai,https://ml.azure.com,https://*.ml.azure.com,https://ai.azure.com,https://*.ai.azure.com,https://mlworkspacecanary.azure.ai,https://mlworkspace.azureml-test.net`
8484
- Allowed methods: `DELETE, GET, HEAD, POST, OPTIONS, PUT`
8585

86-
:::image type="content" source="./media/faq/resource-sharing-setting-storage-account.png" alt-text="Screenshot that shows data store with wrong account key." lightbox = "./media/faq/resource-sharing-setting-storage-account.png":::
86+
:::image type="content" source="./media/faq/resource-sharing-setting-storage-account.png" alt-text="Screenshot that shows Resource sharing config of storage account." lightbox = "./media/faq/resource-sharing-setting-storage-account.png":::
8787

8888
## Compute session related issues
8989
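Review bot: The Allowed origins value in the context line at 83 lists `https://mlworkspacecanary.azure.ai` and `https://mlworkspace.azureml-test.net`, which read as canary and test hosts; please confirm customers need them, because every origin in that list is permitted to make cross-origin browser requests to the storage account with the methods on line 84, including `DELETE` and `PUT`. For the alt text changed on line 86, "Screenshot that shows the resource sharing (CORS) settings of the storage account." matches the sentence casing of the other alt texts better than "Resource sharing config".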

@@ -102,7 +102,7 @@ You can view the serverless instance used by compute session in the compute sess
102102

103103
Compute session support to use `requirements.txt` or custom base image in `flow.dag.yaml` to customize the image. We would recommend you to use `requirements.txt` for common case, which will use `pip install -r requirements.txt` to install the packages. If you have dependency more than python packages, you need to follow the [Customize base image](./how-to-customize-session-base-image.md) to create build a new image base on top of prompt flow base image. Then use it in `flow.dag.yaml`. Learn more [how to specify base image in compute session.](./how-to-manage-compute-session.md#change-the-base-image-for-compute-session)
104104

105-
- You cannot use arbitrary base image to create Compute session, you need to use the base image provide by prompt flow.
105+
- You can't use arbitrary base image to create Compute session, you need to use the base image provide by prompt flow.
106106
- Don't pin the version of `promptflow` and `promptflow-tools` in `requirements.txt`, because we already include them in the base image. Using old version of `promptflow` and `promptflow-tools` may cause unexpected behavior.
107107

108108
## Flow run related issues
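Review bot: Line 105 still reads "the base image provide by prompt flow" after the contraction fix; it should be "provided", and the comma splice is better split into two sentences. The bullet also appears to conflict with line 103, which tells readers to build a new image on top of the prompt flow base image, so consider "You can't use an arbitrary base image to create a compute session. Use the base image provided by prompt flow or an image built on top of it." Line 103 itself has "create build a new image base on top of", which could be cleaned up in the same pass.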
@@ -269,15 +269,30 @@ If you encounter an error like "Access denied to list workspace secret", check w
269269

270270
## Authentication and identity related issues
271271

272-
### How do I use credential-less data store in prompt flow?
272+
### How do I use credential-less datastore in prompt flow?
273273

274-
You can follow [Identity-based data authentication](../how-to-administrate-data-authentication.md#identity-based-data-authentication) this part to make your data store credential-less.
274+
#### Change auth type of datastore to None
275275

276-
To use credential-less data store in prompt flow, you need to grand enough permissions to user identity or managed identity to access the data store.
276+
You can follow [Identity-based data authentication](../how-to-administrate-data-authentication.md#identity-based-data-authentication) this part to make your datastore credential-less.
277+
278+
You need to change auth type of datastore to None, which stands for meid_token based auth. For blob/adls gen1/adls gen2 based datastore (at least for `workspaceblobstore` and `workspaceartifactstore`), you can make change from datastore detail page, or CLI/SDK: https://github.com/Azure/azureml-examples/tree/main/cli/resources/datastore
279+
280+
:::image type="content" source="./media/faq/datastore-auth-type.png" alt-text="Screenshot of auth type for datastore. " lightbox = "./media/faq/datastore-auth-type.png":::
281+
282+
For fileshare based datastore (at least for `workspaceworkingdirectory`), you can only change auth type for REST API: [datastores-create-or-update](/rest/api/azureml/datastores/create-or-update?tabs=HTTP#code-try-0). You can first use [datastores-get](/rest/api/azureml/datastores/get?tabs=HTTP#code-try-0) to get the body properties of datastore, then change `"credentialsType": "None"`, `subscriptionId`, `accountName` and `"serviceDataAccessAuthIdentity": "WorkspaceSystemAssignedIdentity"`, also need to specify
283+
284+
:::image type="content" source="./media/faq/datastore-update-rest.png" alt-text="Screenshot of rest for datastore update. " lightbox = "./media/faq/datastore-update-rest.png":::
285+
286+
#### Grant permission to user identity or managed identity
287+
288+
To use credential-less datastore in prompt flow, you need to grant enough permissions to user identity or managed identity to access the datastore.
289+
290+
- Make sure workspace system assigned managed identity have `Storage Blob Data Contributor` and `Storage File Data Privileged Contributor` on the storage account, at least need read/write (better also include delete) permission.
277291
- If you're using user identity this default option in prompt flow, you need to make sure the user identity has following role on the storage account:
278-
- `Storage Blob Data Contributor` on the storage account, at least need read/write (better have delete) permission.
279-
- `Storage File Data Privileged Contributor` on the storage account, at least need read/write (better have delete) permission
292+
- `Storage Blob Data Contributor` on the storage account, at least need read/write (better also include delete) permission.
293+
- `Storage File Data Privileged Contributor` on the storage account, at least need read/write (better also include delete) permission
280294
- If you're using user assigned managed identity, you need to make sure the managed identity has following role on the storage account:
281-
- `Storage Blob Data Contributor` on the storage account, at least need read/write (better have delete) permission.
282-
- `Storage File Data Privileged Contributor` on the storage account, at least need read/write (better have delete) permission
283-
- Meanwhile, you need to assign user identity `Storage Blob Data Read` role to storage account, if your want use prompt flow to authoring and test flow.
295+
- `Storage Blob Data Contributor` on the storage account, at least need read/write (better also include delete) permission.
296+
- `Storage File Data Privileged Contributor` on the storage account, at least need read/write (better also include delete) permission
297+
- Meanwhile, you need to assign user identity `Storage Blob Data Read` role to storage account at least, if your want use prompt flow to authoring and test flow.
298+
- If you still can't view the flow detail page and the first time you using prompt flow is created earlier than 2024-01-01, you need to grant workspace MSI as `Storage File Data Privileged Contributor` to storage account linked with workspace.
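Review bot: The sentence added at line 282 stops mid-clause at "also need to specify", so the reader never learns what else the fileshare REST update requires; finish the sentence or drop the clause, and say explicitly that the edited body from datastores-get is sent back with datastores-create-or-update. On line 297 the role is written `Storage Blob Data Read`; the built-in role name is `Storage Blob Data Reader`, and "if your want use prompt flow to authoring" should be "if you want to use prompt flow to author". Line 278 introduces "meid_token" without defining it and pastes a bare URL where the rest of the file uses Markdown links. Lines 290 and 298 both tell the reader to grant the workspace managed identity `Storage File Data Privileged Contributor`, once unconditionally and once only for the earlier-than-2024-01-01 case; merge them into one statement, and because each bullet says "at least need read/write", state whether a narrower role is acceptable for readers applying least privilege.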
