articles/machine-learning/how-to-identity-based-service-authentication.md (1 addition & 1 deletion)
@@ -42,7 +42,7 @@ Azure Machine Learning is composed of multiple Azure services. There are multipl
42
42
You can add a user-assigned managed identity when creating an Azure Machine Learning workspace from the [Azure portal](https://portal.azure.com). Use the following steps while creating the workspace:
43
43
44
44
1. From the __Basics__ page, select the Azure Storage Account, Azure Container Registry, and Azure Key Vault you want to use with the workspace.
45
-
1. From the __Advanced__ page, select __User-assigned identity__ and then select the managed identity to use.
45
+
1. From the __Identity__ page, select __User-assigned identity__ and then select the managed identity to use.
46
46
47
47
The following [Azure RBAC role assignments](../role-based-access-control/role-assignments.md) are required on your user-assigned managed identity for your Azure Machine Learning workspace to access data on the workspace-associated resources.
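Review bot: The replaced step (new line 45) keeps the `__Identity__` and `__User-assigned identity__` underscore bold, while the workspace article edited in this same commit moves its UI labels to `**...**`; pick one style across both files. Since that article gains an `### Identity` section describing this portal page, linking the page name to it here would save readers a search. The RBAC role assignments mentioned in the paragraph that follows the steps are a prerequisite for the identity selected in this step, so consider saying so in the step itself.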
In this article, you create, view, and delete [**Azure Machine Learning workspaces**](concept-workspace.md) for [Azure Machine Learning](overview-what-is-azure-machine-learning.md), using the [Azure portal](https://portal.azure.com) or the [SDK for Python](https://aka.ms/sdk-v2-install).
22
21
23
22
As your needs change or requirements for automation increase you can also manage workspaces [using the CLI](how-to-manage-workspace-cli.md), [Azure PowerShell](how-to-manage-workspace-powershell.md), or [via the VS Code extension](how-to-setup-vs-code.md).
@@ -30,6 +29,8 @@ As your needs change or requirements for automation increase you can also manage
30
29
1. Install azure-identity: `pip install azure-identity`. If in a notebook cell, use `%pip install azure-identity`.
***Default specification.** By default, dependent resources and the resource group are created automatically. This code creates a workspace named `myworkspace`and a resource group named `myresourcegroup`in`eastus2`.
***Use existing Azure resources**. You can also create a workspace that uses existing Azure resources with the Azure resource IDformat. Find the specific Azure resource IDs in the Azure portal orwith the SDK. This example assumes that the resource group, storage account, key vault, App Insights, and container registry already exist.
@@ -101,7 +102,7 @@ If you have problems in accessing your subscription, see [Set up authentication
101
102
---|---
102
103
Workspace name |Enter a unique name that identifies your workspace. In this example, we use **docs-ws**. Names must be unique across the resource group. Use a name that's easy to recall and to differentiate from workspaces created by others. The workspace name is case-insensitive.
103
104
Subscription |Select the Azure subscription that you want to use.
104
-
Resource group | Use an existing resource group in your subscription or enter a name to create a new resource group. A resource group holds related resources for an Azure solution. In this example, we use **docs-aml**. You need *contributor*or*owner* role to use an existing resource group. For more information about access, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md).
105
+
Resource group | Use an existing resource group in your subscription or enter a name to create a new resource group. A resource group holds related resources for an Azure solution. You need *contributor*or*owner* role to use an existing resource group. For more information about access, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md).
105
106
Region | Select the Azure region closest to your users and the data resources to create your workspace.
106
107
| Storage account | The default storage account for the workspace. By default, a new one is created. |
107
108
| Key Vault | The Azure Key Vault used by the workspace. By default, a new one is created. |
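Review bot: The Resource group row (new line 105) drops "In this example, we use **docs-aml**", but the Workspace name row two lines above still says "In this example, we use **docs-ws**", so the table now names an example for one field and not the other. Remove both or keep both. The Storage account and Key Vault rows also start with a leading `|` while the rows above them do not; make the row syntax uniform while editing this table.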
@@ -110,22 +111,24 @@ If you have problems in accessing your subscription, see [Set up authentication
110
111
111
112
:::image type="content" source="media/how-to-manage-workspace/create-workspace-form.png" alt-text="Configure your workspace.":::
112
113
113
-
1. When you're finished configuring the workspace, select **Review + Create**. Optionally, use the [Networking](#networking), [Advanced](#advanced), and [Tags](#tags) sections to configure more settings for the workspace.
114
+
1. When you're finished configuring the workspace, select **Review + Create**. Optionally, use the [Networking](#networking), [Encryption](#encryption), [Identity](#identity), and [Tags](#tags) sections to configure more settings for the workspace.
114
115
115
116
1. Review the settings and make any other changes or corrections. When you're satisfied with the settings, select **Create**.
116
117
117
-
> [!Warning]
118
+
> [!Warning]
118
119
> It can take several minutes to create your workspace in the cloud.
119
120
120
-
When the process is finished, a deployment success message appears.
121
-
122
-
1. To view the new workspace, select **Go to resource**.
123
-
121
+
When the process is finished, a deployment success message appears.
122
+
123
+
1. To view the new workspace, select **Go to resource**.
124
+
125
+
1. To start using the workspace, select the **Studio web URL** link on the top right. You can also select the workspace from the [Azure Machine Learning studio](https://ml.azure.com) home page.
126
+
124
127
---
125
128
126
-
### Networking
129
+
### Networking
127
130
128
-
> [!IMPORTANT]
131
+
> [!IMPORTANT]
129
132
> For more information on using a private endpoint and virtual network with your workspace, see [Network isolation and privacy](how-to-network-security-overview.md).
130
133
131
134
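Review bot: The `> [!Warning]`, "When the process is finished", "1. To view the new workspace", `### Networking` and `> [!IMPORTANT]` lines are each removed and re-added with identical visible text, which looks like whitespace or indentation churn mixed into the real edits. Confirm the indentation change is intended and that the numbered list still renders as one list, because the newly added "Studio web URL" step depends on it. The link list at new line 114 also drops `[Advanced](#advanced)`; check other articles for links to that anchor before merging.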
@@ -139,34 +142,36 @@ This class requires an existing virtual network.
139
142
140
143
# [Portal](#tab/azure-portal)
141
144
142
-
1. The default network configuration is to use a __Public endpoint__, which is accessible on the public internet. To limit access to your workspace to an Azure Virtual Network you've created, you can instead select __Private endpoint__ as the __Connectivity method__, and then use __+ Add__ to configure the endpoint.
145
+
1. The default network configuration is to use a **Public endpoint**, which is accessible on the public internet. To limit access to your workspace to an Azure Virtual Network you've created, under **Networking** you can instead select **Private with Internet Outbound** or **Private with Approved Outbound**. Then scroll down to configure the settings.
1. On the __Create private endpoint__ form, set the location, name, and virtual network to use. If you'd like to use the endpoint with a Private DNS Zone, select __Integrate with private DNS zone__ and select the zone using the __Private DNS Zone__ field. Select __OK__ to create the endpoint.
149
+
1. Under **Workspace Inbound access** select **Add** to open the **Create private endpoint** form.
150
+
1. On the **Create private endpoint** form, set the location, name, and virtual network to use. If you'd like to use the endpoint with a Private DNS Zone, select **Integrate with private DNS zone** and select the zone using the **Private DNS Zone** field. Select **OK** to create the endpoint.
1. When you're finished configuring networking, you can select __Review + Create__, or advance to the optional __Advanced__ configuration.
154
+
1. If you selected **Private with Internet Outbound**, use the **Workspace Outbound access** section to configure the network and outbound rules.
155
+
156
+
1. If you selected **Private with Approved Outbound**, use the **Workspace Outbound access** section to add additional rules to the required set.
157
+
158
+
1. When you're finished configuring networking, you can select **Review + Create**, or advance to the optional **Encryption** configuration.
151
159
152
160
---
153
161
154
-
### Advanced
162
+
### Encryption
155
163
156
164
By default, metadata for the workspace is stored in an Azure Cosmos DB instance that Microsoft maintains. This data is encrypted using Microsoft-managed keys.
157
165
158
-
To limit the data that Microsoft collects on your workspace, select __High business impact workspace__ in the portal, orset`hbi_workspace=true `in Python. For more information on this setting, see [Encryption at rest](concept-data-encryption.md#encryption-at-rest).
159
166
160
-
> [!IMPORTANT]
161
-
> Selecting high business impact can only be done when creating a workspace. You cannot change this setting after workspace creation.
162
167
163
168
#### Use your own data encryption key
164
169
165
170
You can provide your own key for data encryption. Doing so creates the Azure Cosmos DB instance that stores metadata in your Azure subscription. For more information, see [Customer-managed keys](concept-customer-managed-keys.md).
166
171
167
172
Use the following steps to provide your own key:
168
173
169
-
> [!IMPORTANT]
174
+
> [!IMPORTANT]
170
175
> Before following these steps, you must first perform the following actions:
171
176
>
172
177
> Follow the steps in [Configure customer-managed keys](how-to-setup-customer-managed-keys.md) to:
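Review bot: The rewritten step 1 under the Portal tab (new line 145) offers **Private with Internet Outbound** and **Private with Approved Outbound** without saying how they differ, and the follow-up steps only say to "configure the network and outbound rules" or "add additional rules to the required set". The default is still a public endpoint reachable from the internet, so a reader choosing between the two private modes needs one sentence per option on what outbound traffic it permits, or a link to the network isolation article already cited in the Networking section. Renaming `### Advanced` to `### Encryption` also removes the `#advanced` anchor, and the high business impact paragraph deleted here was the only text under this heading pointing at the encryption-at-rest article.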
1. On the __Select key from Azure Key Vault__ form, select an existing Azure Key Vault, a key that it contains, and the version of the key. This key is used to encrypt the data stored in Azure Cosmos DB. Finally, use the __Select__ button to use this key.
213
+
1. On the **Select key from Azure Key Vault** form, select an existing Azure Key Vault, a key that it contains, and the version of the key. This key is used to encrypt the data stored in Azure Cosmos DB. Finally, use the **Select** button to use this key.
209
214
210
215
:::image type="content" source="media/how-to-manage-workspace/select-key-vault.png" alt-text="Select the key":::
211
216
212
217
---
213
218
219
+
### Identity
220
+
221
+
In the portal, use the **Identity** page to configure managed identity, storage account access, and data impact. For the Python SDK, see the links in the following sections.
222
+
223
+
#### Managed identity
224
+
225
+
A workspace can be given either a system assigned identity or a user assigned identity. This identity is used to access resources in your subscription. For more information, see [Set up authentication between Azure Machine Learning and other services](how-to-identity-based-service-authentication.md).
226
+
227
+
#### Storage account access
228
+
229
+
Choose between **Credential-based access**or**Identity-based access** when connecting to the default storage account. When using identity-based authentication, the Storage Blob Data Contributor role must be granted to the workspace managed identity on the storage account.
230
+
231
+
#### Data impact
232
+
233
+
To limit the data that Microsoft collects on your workspace, select **High business impact workspace**in the portal, orset`hbi_workspace=true `in Python. For more information on this setting, see [Encryption at rest](concept-data-encryption.md#encryption-at-rest).
234
+
235
+
> [!IMPORTANT]
236
+
> Selecting high business impact can only be done when creating a workspace. You cannot change this setting after workspace creation.
237
+
214
238
### Tags
215
239
216
240
While using a workspace, you have opportunities to provide feedback about Azure Machine Learning. You provide feedback by using:
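Review bot: The new `#### Storage account access` paragraph (new line 229) states that identity-based access needs Storage Blob Data Contributor on the workspace managed identity, but says nothing about what credential-based access uses or when to prefer one over the other. Add that, or link to how-to-identity-based-service-authentication.md as the `#### Managed identity` paragraph does. In that paragraph, "system assigned identity" and "user assigned identity" should be hyphenated to match the portal label "User-assigned identity". The `#### Data impact` text now sits under Identity while still pointing only to the encryption-at-rest article, so a cross-reference from the Encryption section would help readers who look for it there.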
@@ -239,6 +263,7 @@ You can turn off all feedback opportunities for a workspace. When off, users of
239
263
If you'll be running your code on a [compute instance](quickstart-create-resources.md), skip this step. The compute instance creates and stores copy of this file for you.
240
264
241
265
If you plan to use code on your local environment that references this workspace, download the file:
266
+
242
267
1. Select your workspace in [Azure studio](https://ml.azure.com)
243
268
1. At the top right, select the workspace name, then select **Download config.json**
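Review bot: The only change in this hunk is the blank line added before the numbered list (new line 266), which is fine, but two nearby context lines deserve a fix in the same pass. "The compute instance creates and stores copy of this file for you" is missing "a", and the list item links "[Azure studio]" whereas the step added earlier in this commit calls the same URL "Azure Machine Learning studio".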