---
title: Use Azure AD identity with your web service
titleSuffix: Azure Machine Learning
description: Use Azure AD identity with your web service in Azure Kubernetes Service to access cloud resources during scoring.
services: machine-learning
ms.author: larryfr
author: BlackMist
ms.reviewer: aashishb
ms.service: machine-learning
ms.subservice: enterprise-readiness
ms.custom: event-tier1-build-2022
ms.date: 10/21/2021
ms.topic: how-to
---
In this how-to, you learn how to assign an Azure Active Directory (Azure AD) identity to a machine learning model deployed in Azure Kubernetes Service (AKS). The Azure AD Pod Identity project lets applications access cloud resources with Azure AD by using a managed identity and Kubernetes primitives: a pod that carries a matching label obtains tokens for the bound identity from the node it runs on, so your web service can reach Azure resources without embedding credentials or handling tokens in your score.py script. This article explains how to create and install an Azure Identity in your AKS cluster and assign that identity to your deployed web service. Note that the Azure AD Pod Identity project has since been deprecated in favor of Azure AD Workload Identity; the steps below apply to clusters that still run Pod Identity.
Prerequisites:

- The Azure CLI extension for the Machine Learning service, the Azure Machine Learning SDK for Python, or the Azure Machine Learning Visual Studio Code extension.
- Access to your AKS cluster using the `kubectl` command. For more information, see Connect to the cluster.
- An Azure Machine Learning web service deployed to your AKS cluster.
- Knowledge of whether your AKS cluster is Kubernetes RBAC enabled. To check, use the following command:

  ```azurecli
  az aks show --name <AKS cluster name> --resource-group <resource group name> --subscription <subscription id> --query enableRbac
  ```

  This command returns `true` if Kubernetes RBAC is enabled. The value determines which Pod Identity deployment manifest to use in the next step, because the project ships separate RBAC and non-RBAC manifests.
- Azure AD Pod Identity installed in your AKS cluster.
- An Azure Identity created by following the steps shown on the Azure AD Pod Identity project page.
- An AzureIdentity deployed by following the steps shown on the Azure AD Pod Identity project page.
- An AzureIdentityBinding deployed by following the steps shown on the Azure AD Pod Identity project page.
- If the Azure Identity created in the previous step is not in the node resource group of your AKS cluster, complete the Role Assignment steps shown on the Azure AD Pod Identity project page, so that the cluster's kubelet identity holds the Managed Identity Operator role on your identity and can assign it to the nodes.
The following steps use the Azure Identity created in the previous section and assign it to your AKS web service through a selector label.

First, identify the name and namespace of the deployment in your AKS cluster that you want to assign the Azure Identity to. Azure Machine Learning places each endpoint in the namespace `azureml-<workspace name>`, in a deployment named after the endpoint as shown in the portal. List the candidates with the following command:

```bash
kubectl get deployment --selector=isazuremlapp=true --all-namespaces --show-labels
```
Add the Azure Identity selector label to your deployment by editing the deployment spec. The selector value is the one you set in the `Selector` field when you deployed the AzureIdentityBinding:

```yaml
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: demo1-azure-identity-binding
spec:
  AzureIdentity: <a-idname>
  Selector: <label value to match>
```
Edit the deployment to add the Azure Identity selector label. Under `/spec/template/metadata/labels` you should already see values such as `isazuremlapp: "true"`; add the `aadpodidbinding` label alongside them, as shown below. Because the label sits on the pod template, saving the edit starts a rollout that replaces the running pods.

```bash
kubectl edit deployment/<name of deployment> -n azureml-<name of workspace>
```

```yaml
spec:
  template:
    metadata:
      labels:
        aadpodidbinding: "<value of Selector in AzureIdentityBinding>"
        ...
```
To verify that the label was correctly added, run the following command. It also shows the status of the newly created pods.

```bash
kubectl get pod -n azureml-<name of workspace> --show-labels
```

Once the pods are up and running, the web services for this deployment can access Azure resources through your Azure Identity without any credentials embedded in your code.
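Reading labels off a `--show-labels` listing confirms only the first link in the chain. The script below, added here as an example and not part of the original article, cross-checks the JSON output of three kubectl commands: every scoring pod must carry an `aadpodidbinding` label, that label must match the selector of an existing AzureIdentityBinding, and the binding must reference an AzureIdentity that exists and is a user-assigned managed identity (spec `type` 0) rather than a service principal with a secret. The embedded sample documents are constructed, and the names `myendpoint`, `otherendpoint`, `azureml-myws`, `demo1-selector` and `demo1-identity` are placeholders. It accepts both the `azureIdentity`/`selector` spelling used by recent Pod Identity releases and the `AzureIdentity`/`Selector` spelling shown above.

```python
"""Cross-check that Azure ML scoring pods resolve to a user-assigned managed identity.

Added example, not part of the original article. Feed it the JSON that kubectl prints:

    kubectl get pod -n azureml-<workspace> -o json            > pods.json
    kubectl get azureidentitybinding --all-namespaces -o json > bindings.json
    kubectl get azureidentity --all-namespaces -o json        > identities.json
    python check_pod_identity.py pods.json bindings.json identities.json

With no arguments it runs against the constructed sample documents below.
"""
import json
import sys

POD_LABEL = "aadpodidbinding"   # the label aad-pod-identity matches against a binding's selector
USER_ASSIGNED_MSI = 0           # AzureIdentity spec.type value for a user-assigned managed identity


def _field(spec, name):
    """Read a binding field; older manifests spelled these 'AzureIdentity' and 'Selector'."""
    return spec.get(name, spec.get(name[0].upper() + name[1:]))


def check_wiring(pods, bindings, identities):
    """Return one finding per misconfigured pod; an empty list means every pod is wired correctly."""
    by_selector = {}
    for binding in bindings["items"]:
        by_selector.setdefault(_field(binding["spec"], "selector"), []).append(binding)
    identity_by_name = {i["metadata"]["name"]: i for i in identities["items"]}

    findings = []
    for pod in pods["items"]:
        pod_name = pod["metadata"]["name"]
        value = pod["metadata"].get("labels", {}).get(POD_LABEL)
        if value is None:
            findings.append(f"{pod_name}: missing {POD_LABEL} label, so the NMI has no identity to issue tokens for")
            continue
        matched = by_selector.get(value, [])
        if not matched:
            findings.append(f"{pod_name}: label {POD_LABEL}={value!r} matches no AzureIdentityBinding")
            continue
        for binding in matched:
            identity_name = _field(binding["spec"], "azureIdentity")
            identity = identity_by_name.get(identity_name)
            if identity is None:
                findings.append(f"{pod_name}: binding {binding['metadata']['name']} references missing AzureIdentity {identity_name!r}")
            elif identity["spec"].get("type", USER_ASSIGNED_MSI) != USER_ASSIGNED_MSI:
                findings.append(f"{pod_name}: AzureIdentity {identity_name!r} has type {identity['spec']['type']}, "
                                "not a user-assigned managed identity, so a service principal secret is in play")
    return findings


# Constructed sample documents, trimmed to the fields the check reads.
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "myendpoint-7d9f8c6b5-abcde", "namespace": "azureml-myws",
                  "labels": {"isazuremlapp": "true", POD_LABEL: "demo1-selector"}}},
    {"metadata": {"name": "otherendpoint-5c6d7e8f9-fghij", "namespace": "azureml-myws",
                  "labels": {"isazuremlapp": "true"}}},   # label never added: reported below
]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "demo1-azure-identity-binding", "namespace": "default"},
     "spec": {"azureIdentity": "demo1-identity", "selector": "demo1-selector"}},
]}
SAMPLE_IDENTITIES = {"items": [
    {"metadata": {"name": "demo1-identity", "namespace": "default"},
     "spec": {"type": USER_ASSIGNED_MSI,
              "resourceID": "/subscriptions/<sub>/resourcegroups/<node-rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/demo1-identity",
              "clientID": "<client-id-guid>"}},
]}


def _load(path):
    with open(path) as handle:
        return json.load(handle)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        pods, bindings, identities = (_load(p) for p in sys.argv[1:4])
    else:
        pods, bindings, identities = SAMPLE_PODS, SAMPLE_BINDINGS, SAMPLE_IDENTITIES
    for line in check_wiring(pods, bindings, identities) or ["OK: every pod resolves to a user-assigned managed identity"]:
        print(line)
```

Run it right after the rollout finishes; a pod listed as missing the label usually means the edit was applied to a different deployment than the one serving the endpoint, and a selector mismatch usually means a typo between the label value and the binding.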
Assign your Azure managed identity the roles it needs to access other Azure resources, at the narrowest scope that works (a single key vault or storage account rather than the subscription). Ensure that the roles you assign carry the correct Data Actions: for example, the Storage Blob Data Reader role grants read access to blob contents, while the generic Reader role grants only control-plane read access to the resource and cannot read the data inside it.
Deploy a model to your AKS cluster. The score.py script can contain operations against the Azure resources that your Azure Identity has access to. Ensure that the client library dependencies for each resource you access are installed in the inference environment. Below are a couple of examples of how you can use your Azure Identity to access different Azure resources from your service.
If you have given your Azure Identity read access to a secret inside a Key Vault, your score.py can access it using the following code.

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

my_vault_name = "yourkeyvaultname"
my_vault_url = "https://{}.vault.azure.net/".format(my_vault_name)
my_secret_name = "sample-secret"

# This will use your Azure Managed Identity: inside the pod, the token request
# is answered by the aad-pod-identity NMI on the node for the bound AzureIdentity.
credential = DefaultAzureCredential()
secret_client = SecretClient(
    vault_url=my_vault_url,
    credential=credential)
secret = secret_client.get_secret(my_secret_name)
secret_value = secret.value  # keep in memory only; never log it or return it from run()
```
Important

This example uses DefaultAzureCredential, which tries several credential sources in order, starting with environment variables, before it falls back to the managed identity. In a scoring container you can use ManagedIdentityCredential from the same package instead, so that a stray AZURE_CLIENT_SECRET in the environment cannot silently change which identity is used. To grant your identity access using a specific access policy, see Assign a Key Vault access policy using the Azure CLI; if the vault uses Azure RBAC for authorization instead, assign the identity the Key Vault Secrets User role.
If you have given your Azure Identity read access to data inside a Storage Blob, your score.py can access it using the following code.

```python
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

my_storage_account_name = "yourstorageaccountname"
my_storage_account_url = "https://{}.blob.core.windows.net/".format(my_storage_account_name)

# This will use your Azure Managed Identity (requires a data-plane role such as
# Storage Blob Data Reader on the account or container, not the generic Reader role).
credential = DefaultAzureCredential()
blob_service_client = BlobServiceClient(
    account_url=my_storage_account_url,
    credential=credential
)
blob_client = blob_service_client.get_blob_client(container="some-container", blob="some_text.txt")
blob_data = blob_client.download_blob()
content = blob_data.readall()  # bytes of the blob, ready for your model code
```
- For more information on how to use the Python Azure Identity client library, see the repository on GitHub.