articles/search/search-howto-managed-identities-data-sources.md (4 additions & 4 deletions)
@@ -9,7 +9,7 @@ ms.author: heidist
9
9
ms.service: cognitive-search
10
10
ms.custom: ignite-2022
11
11
ms.topic: how-to
12
-
ms.date: 11/15/2022
12
+
ms.date: 12/08/2022
13
13
---
14
14
15
15
# Connect a search service to other Azure resources using a managed identity
@@ -189,14 +189,14 @@ The following steps are for Azure Storage. If your resource is Azure Cosmos DB o
189
189
190
190
1. Select **Add role assignment**.
191
191
192
-
1. On the **Role** page, choose a role:
192
+
1. On the **Role** page, select the roles needed for your search service:
193
193
194
194
| Role | Usage |
195
195
|------|-------|
196
196
| **Reader and Data Access** | Grants read permissions for indexer access to content in Azure Table Storage and Azure File Storage. |
197
197
| **Storage Blob Data Reader** | Grants read permissions for indexer access to content in Blob Storage and Azure Data Lake Storage Gen2. |
198
-
| **Storage Blob Data Contributor** | Grants write permissions necessary for debug sessions, knowledge store object projections, and enrichment cache. |
199
-
| **Storage Table Data Contributor** | Grants write permissions necessary for knowledge store table projections. |
198
+
| **Storage Blob Data Contributor** | Grants read permissions for indexer access, plus write permissions for debug sessions, knowledge store object projections, and enrichment cache. |
199
+
| **Storage Table Data Contributor** | Grants read permissions for indexer access, plus write permissions for knowledge store table projections. |
200
200
201
201
1. On the **Members** page, select **Managed Identity**.
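Review bot: the two Contributor rows now say they include the read permissions that the Reader rows grant, but the reworded step "select the roles needed for your search service" together with a four-row table still reads as if Reader and Contributor might be assigned side by side. Suggest one sentence under the table stating that **Storage Blob Data Contributor** replaces **Storage Blob Data Reader** rather than supplementing it, and that Reader is the right choice when none of the write-back features named in the table (debug sessions, knowledge store projections, enrichment cache) are used, so an identity used only for indexing is not granted write access it does not need.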
articles/search/search-indexer-howto-access-trusted-service-exception.md (17 additions & 10 deletions)
@@ -8,24 +8,23 @@ author: arv100kri
8
8
ms.author: arjagann
9
9
ms.service: cognitive-search
10
10
ms.topic: how-to
11
-
ms.date: 03/30/2022
11
+
ms.date: 12/08/2022
12
12
---
13
13
14
14
# Make indexer connections to Azure Storage as a trusted service
15
15
16
16
In Azure Cognitive Search, indexers that access Azure blobs can use the [trusted service exception](../storage/common/storage-network-security.md#exceptions) to securely access data. This mechanism offers customers who are unable to grant [indexer access using IP firewall rules](search-indexer-howto-access-ip-restricted.md) a simple, secure, and free alternative for accessing data in storage accounts.
17
17
18
-
## Prerequisites
19
-
20
-
+ A search service with a [**system-assigned managed identity**](search-howto-managed-identities-data-sources.md).
18
+
> [!NOTE]
19
+
> If Azure Storage is behind a firewall and in the same region as Azure Cognitive Search, you won't be able to create an inbound rule that admits requests from your search service. The solution for this scenario is for search to connect as a trusted service, as described in this article.
21
20
22
-
+ A storage account with the **Allow trusted Microsoft services to access this storage account** network option.
21
+
## Prerequisites
23
22
24
-
+Content in Azure Blob Storage or Azure Data Lake Storage Gen2 (ADLS Gen2) that you want to index or enrich.
23
+
+A search service with a system-assigned managed identity ([see below](#check-service-identity)).
25
24
26
-
+Optionally, containers or tables in Azure Storage for AI enrichment write-back operations, such as creating a knowledge store, debug session, or enrichment cache.
25
+
+A storage account with the **Allow trusted Microsoft services to access this storage account** network option ([see below](#check-network-settings)).
27
26
28
-
+ An Azure role assignment. A system managed identity is an Azure AD login. It needs either a **Storage Blob Data Reader** or **Storage Blob Data Contributor** role assignment, depending on whether write access is needed.
27
+
+ An Azure role assignment in Azure Storage that grants permissions to the search service system-assigned managed identity ([see below](#check-permissions)).
29
28
30
29
> [!NOTE]
31
30
> In Cognitive Search, a trusted service connection is limited to blobs and ADLS Gen2 on Azure Storage. It's unsupported for indexer connections to Azure Table Storage and Azure File Storage.
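Review bot: the four new prerequisite lines (new file lines 22 to 25, `+Content in Azure Blob Storage ...` through `+A storage account with ...`) appear to have no space between the `+` bullet marker and the text, while the fifth item `+ An Azure role assignment in Azure Storage ...` does; without the space Markdown renders the first four as plain paragraph text instead of list items. Suggest `+ Content in ...`, `+ A search service ...`, and so on, so all five render as one bullet list. Also, the rewritten role-assignment item no longer names the roles (the removed line named Storage Blob Data Reader or Storage Blob Data Contributor), which is fine only because it links to `#check-permissions`; that anchor must match the `## Check permissions` heading added further down in this change.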
@@ -36,11 +35,11 @@ In Azure Cognitive Search, indexers that access Azure blobs can use the [trusted
36
35
37
36
1.[Sign in to Azure portal](https://portal.azure.com) and [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2storageAccounts/).
38
37
39
-
1. On the **Identity** page, make sure that a system assigned identity is enabled. Remember that user-assigned managed identities, currently in preview, won't work for a trusted service connection.
38
+
1. On the **Identity** page, make sure that a [system assigned identity is enabled](search-howto-managed-identities-data-sources.md). Remember that user-assigned managed identities, currently in preview, won't work for a trusted service connection.
40
39
41
40
:::image type="content" source="media/search-managed-identities/system-assigned-identity-object-id.png" alt-text="Screenshot of a system identity object identifier." border="true":::
42
41
43
-
## Check network settings and permissions
42
+
## Check network settings
44
43
45
44
1.[Sign in to Azure portal](https://portal.azure.com) and [find your storage account](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2storageAccounts/).
46
45
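Review bot: while this step is being touched, the unchanged context line `1.[Sign in to Azure portal](...) and [find your search service](...)` has two problems worth fixing in the same change: there is no space after `1.`, so Markdown will not number it, and the "find your search service" link points at the storage-account browse blade (`resourceType/Microsoft.Storage%2storageAccounts`, where `%2` also looks like a truncated `%2F`), which is the same URL the "find your storage account" step below uses. Suggest `1. [Sign in ...]` and a link that browses the search service resource type rather than storage accounts.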
@@ -56,8 +55,16 @@ In Azure Cognitive Search, indexers that access Azure blobs can use the [trusted
56
55
57
56
This option will only permit the specific search service instance with appropriate role-based access to the storage account (strong authentication) to access data in the storage account, even if it's secured by IP firewall rules.
58
57
58
+
## Check permissions
59
+
60
+
A system managed identity is an Azure AD login. The assignment needs **Storage Blob Data Reader** at a minimum.
61
+
59
62
1. In the left navigation pane under **Access Control**, view all role assignments and make sure that **Storage Blob Data Reader** is assigned to the search service system identity.
60
63
64
+
1. Add **Storage Blob Data Contributor** if write access is required.
65
+
66
+
Features that require write access include [enrichment caching](cognitive-search-incremental-indexing-conceptual.md), [debug sessions](cognitive-search-debug-session.md), and [knowledge store](knowledge-store-concept-intro.md).
67
+
61
68
## Set up and test the connection
62
69
63
70
The easiest way to test the connection is by running the Import data wizard.
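Review bot: the new Check permissions steps tell the reader to confirm **Storage Blob Data Reader** and then "Add **Storage Blob Data Contributor** if write access is required", which implies holding both roles, while the companion change in search-howto-managed-identities-data-sources.md states that Contributor already grants the indexer read permissions. Suggest wording the second step as "Assign **Storage Blob Data Contributor** instead of Reader if write access is required" and keeping Reader as the default so identities used only for indexing are not given write access to the storage account. The sentence "A system managed identity is an Azure AD login" also reads as if the identity were a user login; "is an Azure AD security principal that can be assigned a role" is closer and matches the **Members** > **Managed Identity** step in the other file.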