| title | titleSuffix | description | services | ms.service | ms.subservice | ms.author | ms.reviewer | author | ms.date | ms.topic | ms.custom |
|---|---|---|---|---|---|---|---|---|---|---|---|
Authenticate to an online endpoint |
Azure Machine Learning |
Learn to authenticate clients to an Azure Machine Learning online endpoint |
machine-learning |
machine-learning |
mlops |
seramasu |
larryfr |
rsethur |
05/10/2022 |
how-to |
how-to, devplatv2, cliv2, event-tier1-build-2022 |
When consuming an online endpoint from a client, you can use either a key or a token. Keys don't expire, tokens do.
You can set the authentication type when you create an online endpoint. Set the auth_mode to key or aml_token depending on which one you want to use. The default value is key.
When deploying using CLI v2, set this value in the online endpoint YAML file. For more information, see How to deploy an online endpoint.
When deploying using the Python SDK v2 (preview), use the OnlineEndpoint class.
Access to retrieve the key or token for an online endpoint is restricted by Azure role-based access controls (Azure RBAC). To retrieve the authentication key or token, your security principal (user identity or service principal) must be assigned one of the following roles:
- Owner
- Contributor
- A custom role that allows
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/token/actionandMicrosoft.MachineLearningServices/workspaces/onlineEndpoints/listkeys/action.
For more information on using Azure RBAC with Azure Machine Learning, see Manage access to Azure Machine Learning.
To get the key, use az ml online-endpoint get-credentials. This command returns a JSON document that contains the key or token. Keys will be returned in the primaryKey and secondaryKey fields. Tokens will be returned in the accessToken field. Additionally, the expiryTimeUtc and refreshAfterTimeUtc fields contain the token expiration and refresh times. The following example shows how to use the --query parameter to return only the primary key:
:::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint.sh" ID="test_endpoint_using_curl_get_key":::
When calling the online endpoint for scoring, pass the key or token in the authorization header. The following example shows how to use the curl utility to call the online endpoint using a key (if using a token, replace $ENDPOINT_KEY with the token value):
::: code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint.sh" ID="test_endpoint_using_curl" :::