Merge pull request #85354 from Blackmist/fixes02

PRMerger15 · web-flow · commit 9e8d8f49da2e · 2019-08-14T10:36:43.000-07:00
beefing up authentication section
diff --git a/articles/machine-learning/service/how-to-deploy-azure-kubernetes-service.md b/articles/machine-learning/service/how-to-deploy-azure-kubernetes-service.md
@@ -207,13 +207,57 @@ az ml model deploy -ct myaks -m mymodel:1 -n myservice -ic inferenceconfig.json
 
 For more information, see the [az ml model deploy](https://docs.microsoft.com/cli/azure/ext/azure-cli-ml/ml/model?view=azure-cli-latest#ext-azure-cli-ml-az-ml-model-deploy) reference. 
 
-## Using VS Code
+### Using VS Code
 
 For information on using VS Code, see [deploy to AKS via the VS Code extension](how-to-vscode-tools.md#deploy-and-manage-models).
 
 > [!IMPORTANT] 
 > Deploying through VS Code requires the AKS cluster to be created or attached to your workspace in advance.
 
+## Web service authentication
+
+When deploying to Azure Kubernetes Service, __key-based__ authentication is enabled by default. You can also enable __token__ authentication. Token authentication requires clients to use an Azure Active Directory account to request an authentication token, which is used to make requests to the deployed service.
+
+To __disable__ authentication, set the `auth_enabled=False` parameter when creating the deployment configuration. The following example disables authentication using the SDK:
+
+```python
+deployment_config = AksWebservice.deploy_configuration(cpu_cores=1, memory_gb=1, auth_enabled=False)
+```
+
+For information on authenticating from a client application, see the [Consume an Azure Machine Learning model deployed as a web service](how-to-consume-web-service.md).
+
+### Authentication with keys
+
+If key authentication is enabled, you can use the `get_keys` method to retrieve a primary and secondary authentication key:
+
+```python
+primary, secondary = service.get_keys()
+print(primary)
+```
+
+> [!IMPORTANT]
+> If you need to regenerate a key, use [`service.regen_key`](https://docs.microsoft.com/python/api/azureml-core/azureml.core.webservice(class)?view=azure-ml-py)
+
+### Authentication with tokens
+
+To enable token authentication, set the `token_auth_enabled=True` parameter when you are creating or updating a deployment. The following example enables token authentication using the SDK:
+
+```python
+deployment_config = AksWebservice.deploy_configuration(cpu_cores=1, memory_gb=1, token_auth_enabled=True)
+```
+
+If token authentication is enabled, you can use the `get_token` method to retrieve a JWT token and that token's expiration time:
+
+```python
+token, refresh_by = service.get_token()
+print(token)
+```
+
+> [!IMPORTANT]
+> You will need to request a new token after the token's `refresh_by` time.
+>
+> Microsoft strongly recommends that you create your Azure Machine Learning workspace in the same region as your Azure Kubernetes Service cluster. To authenticate with a token, the web service will make a call to the region in which your Azure Machine Learning workspace is created. If your workspace's region is unavailable, then you will not be able to fetch a token for your web service even, if your cluster is in a different region than your workspace. This effectively results in Azure AD Authentication being unavailable until your workspace's region is available again. In addition, the greater the distance between your cluster's region and your workspace's region, the longer it will take to fetch a token.
+
 ## Update the web service
 
 [!INCLUDE [aml-update-web-service](../../../includes/machine-learning-update-web-service.md)]
