You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/machine-learning/prompt-flow/troubleshoot-guidance.md
+26-11Lines changed: 26 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -74,7 +74,7 @@ There are possible reasons for this issue:
74
74
75
75
:::image type="content" source="./media/faq/storage-account-networking-firewall.png" alt-text="Screenshot that shows firewall setting on storage account." lightbox = "./media/faq/storage-account-networking-firewall.png":::
76
76
77
-
- There are some cases, the account key in data store is out of sync with the storage account, you can try to update the account key in data store detail page to fix this.
77
+
- There are some cases, the account key in datastore is out of sync with the storage account, you can try to update the account key in datastore detail page to fix this.
78
78
79
79
:::image type="content" source="./media/faq/datastore-with-wrong-account-key.png" alt-text="Screenshot that shows datastore with wrong account key." lightbox = "./media/faq/datastore-with-wrong-account-key.png":::
80
80
@@ -83,7 +83,7 @@ There are possible reasons for this issue:
- Allowed methods: `DELETE, GET, HEAD, POST, OPTIONS, PUT`
85
85
86
-
:::image type="content" source="./media/faq/resource-sharing-setting-storage-account.png" alt-text="Screenshot that shows data store with wrong account key." lightbox = "./media/faq/resource-sharing-setting-storage-account.png":::
86
+
:::image type="content" source="./media/faq/resource-sharing-setting-storage-account.png" alt-text="Screenshot that shows Resource sharing config of storage account." lightbox = "./media/faq/resource-sharing-setting-storage-account.png":::
87
87
88
88
## Compute session related issues
89
89
@@ -102,7 +102,7 @@ You can view the serverless instance used by compute session in the compute sess
102
102
103
103
Compute session support to use `requirements.txt` or custom base image in `flow.dag.yaml` to customize the image. We would recommend you to use `requirements.txt` for common case, which will use `pip install -r requirements.txt` to install the packages. If you have dependency more than python packages, you need to follow the [Customize base image](./how-to-customize-session-base-image.md) to create build a new image base on top of prompt flow base image. Then use it in `flow.dag.yaml`. Learn more [how to specify base image in compute session.](./how-to-manage-compute-session.md#change-the-base-image-for-compute-session)
104
104
105
-
- You cannot use arbitrary base image to create Compute session, you need to use the base image provide by prompt flow.
105
+
- You can't use arbitrary base image to create Compute session, you need to use the base image provide by prompt flow.
106
106
- Don't pin the version of `promptflow` and `promptflow-tools` in `requirements.txt`, because we already include them in the base image. Using old version of `promptflow` and `promptflow-tools` may cause unexpected behavior.
107
107
108
108
## Flow run related issues
@@ -269,15 +269,30 @@ If you encounter an error like "Access denied to list workspace secret", check w
269
269
270
270
## Authentication and identity related issues
271
271
272
-
### How do I use credential-less data store in prompt flow?
272
+
### How do I use credential-less datastore in prompt flow?
273
273
274
-
You can follow [Identity-based data authentication](../how-to-administrate-data-authentication.md#identity-based-data-authentication) this part to make your data store credential-less.
274
+
#### Change auth type of datastore to None
275
275
276
-
To use credential-less data store in prompt flow, you need to grand enough permissions to user identity or managed identity to access the data store.
276
+
You can follow [Identity-based data authentication](../how-to-administrate-data-authentication.md#identity-based-data-authentication) this part to make your datastore credential-less.
277
+
278
+
You need to change auth type of datastore to None, which stands for meid_token based auth. For blob/adls gen1/adls gen2 based datastore (at least for `workspaceblobstore` and `workspaceartifactstore`), you can make change from datastore detail page, or CLI/SDK: https://github.com/Azure/azureml-examples/tree/main/cli/resources/datastore
279
+
280
+
:::image type="content" source="./media/faq/datastore-auth-type.png" alt-text="Screenshot of auth type for datastore. " lightbox = "./media/faq/datastore-auth-type.png":::
281
+
282
+
For fileshare based datastore (at least for `workspaceworkingdirectory`), you can only change auth type for REST API: [datastores-create-or-update](/rest/api/azureml/datastores/create-or-update?tabs=HTTP#code-try-0). You can first use [datastores-get](/rest/api/azureml/datastores/get?tabs=HTTP#code-try-0) to get the body properties of datastore, then change `"credentialsType": "None"`, `subscriptionId`, `accountName` and `"serviceDataAccessAuthIdentity": "WorkspaceSystemAssignedIdentity"`, also need to specify
283
+
284
+
:::image type="content" source="./media/faq/datastore-update-rest.png" alt-text="Screenshot of rest for datastore update. " lightbox = "./media/faq/datastore-update-rest.png":::
285
+
286
+
#### Grant permission to user identity or managed identity
287
+
288
+
To use credential-less datastore in prompt flow, you need to grant enough permissions to user identity or managed identity to access the datastore.
289
+
290
+
- Make sure workspace system assigned managed identity have `Storage Blob Data Contributor` and `Storage File Data Privileged Contributor` on the storage account, at least need read/write (better also include delete) permission.
277
291
- If you're using user identity this default option in prompt flow, you need to make sure the user identity has following role on the storage account:
278
-
- `Storage Blob Data Contributor`on the storage account, at least need read/write (better have delete) permission.
279
-
- `Storage File Data Privileged Contributor`on the storage account, at least need read/write (better have delete) permission
292
+
- `Storage Blob Data Contributor`on the storage account, at least need read/write (better also include delete) permission.
293
+
- `Storage File Data Privileged Contributor`on the storage account, at least need read/write (better also include delete) permission
280
294
- If you're using user assigned managed identity, you need to make sure the managed identity has following role on the storage account:
281
-
- `Storage Blob Data Contributor`on the storage account, at least need read/write (better have delete) permission.
282
-
- `Storage File Data Privileged Contributor`on the storage account, at least need read/write (better have delete) permission
283
-
- Meanwhile, you need to assign user identity `Storage Blob Data Read` role to storage account, if your want use prompt flow to authoring and test flow.
295
+
- `Storage Blob Data Contributor`on the storage account, at least need read/write (better also include delete) permission.
296
+
- `Storage File Data Privileged Contributor`on the storage account, at least need read/write (better also include delete) permission
297
+
- Meanwhile, you need to assign user identity `Storage Blob Data Read` role to storage account at least, if your want use prompt flow to authoring and test flow.
298
+
- If you still can't view the flow detail page and the first time you using prompt flow is created earlier than 2024-01-01, you need to grant workspace MSI as `Storage File Data Privileged Contributor` to storage account linked with workspace.
0 commit comments