how-to-use-secrets-in-runs.md

title: Authentication secrets in training
titleSuffix: Azure Machine Learning
description: Learn how to pass secrets to training runs in secure fashion using the Azure Key Vault for your workspace.
services: machine-learning
author: rastala
ms.author: roastala
ms.reviewer: larryfr
ms.service: machine-learning
ms.subservice: enterprise-readiness
ms.date: 10/21/2021
ms.topic: how-to
ms.custom: sdkv1, event-tier1-build-2022

Use authentication credential secrets in Azure Machine Learning training runs

[!INCLUDE sdk v1]

In this article, you learn how to use secrets in training runs securely. Authentication information such as your user name and password are secrets. For example, if you connect to an external database in order to query training data, you would need to pass your username and password to the remote run context. Coding such values into training scripts in cleartext is insecure as it would expose the secret.

Instead, your Azure Machine Learning workspace has an associated resource called an Azure Key Vault. Use this Key Vault to pass secrets to remote runs securely through a set of APIs in the Azure Machine Learning Python SDK.

The standard flow for using secrets is:

  1. On your local computer, log in to Azure and connect to your workspace.
  2. On your local computer, set a secret in the workspace Key Vault.
  3. Submit a remote run.
  4. Within the remote run, get the secret from Key Vault and use it.

Set secrets

In Azure Machine Learning, the Keyvault class contains methods for setting secrets. In your local Python session, first obtain a reference to your workspace Key Vault, and then use the set_secret() method to set a secret by name and value. The set_secret() method updates the secret value if the name already exists.

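import os

from azureml.core import Workspace

# Read the secret from the environment so it never appears in source code
my_secret = os.environ.get("MY_SECRET")
if not my_secret:
    raise RuntimeError("MY_SECRET environment variable is not set")

ws = Workspace.from_config()
# Get the Key Vault associated with the workspace and store the secret in it
keyvault = ws.get_default_keyvault()
keyvault.set_secret(name="mysecret", value=my_secret)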

Do not put the secret value in your Python code, because storing it in a file as cleartext is insecure. Instead, obtain the secret value from an environment variable, for example an Azure DevOps build secret, or from interactive user input.

You can list secret names using the list_secrets() method. There is also a batch version, set_secrets(), that allows you to set multiple secrets at a time.

Important

Using list_secrets() will only list secrets created through set_secret() or set_secrets() using the Azure ML SDK. It will not list secrets created by something other than the SDK. For example, a secret created using the Azure portal or Azure PowerShell will not be listed.

You can use get_secret() to get a secret value from the key vault, regardless of how it was created. So you can retrieve secrets that are not listed by list_secrets().

Get secrets

In your local code, you can use the get_secret() method to get the secret value by name.

For runs submitted with Experiment.submit, use the get_secret() method with the Run class. Because a submitted run is aware of its workspace, this method shortcuts the Workspace instantiation and returns the secret value directly.

# Code in submitted run
from azureml.core import Run

# Run.get_context() returns the current run, which already knows its workspace
run = Run.get_context()
secret_value = run.get_secret(name="mysecret")

Be careful not to expose the secret value by writing or printing it out.

There is also a batch version, get_secrets(), for accessing multiple secrets at once.
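One way to enforce the warning about not writing or printing secret values, shown as an added example that is not part of the original article or the SDK: fetch the secrets with the batch get_secrets() call and mask their values on every log handler. The names SecretRedactingFilter, load_secrets and MASK are hypothetical, and run is assumed to be the object returned by Run.get_context() inside a submitted run.

```python
import logging
import traceback

MASK = "[REDACTED]"


class SecretRedactingFilter(logging.Filter):
    """Mask known secret values in log messages and formatted tracebacks."""

    def __init__(self, secret_values):
        super().__init__()
        # Longest first, so a secret that contains a shorter one is masked whole.
        self._values = sorted({v for v in secret_values if v}, key=len, reverse=True)

    def redact(self, text):
        for value in self._values:
            text = text.replace(value, MASK)
        return text

    def filter(self, record):
        # getMessage() merges %-style args, so secrets passed as args are caught too.
        record.msg, record.args = self.redact(record.getMessage()), None
        if record.exc_info and not record.exc_text:
            # Pre-render the traceback; logging.Formatter reuses exc_text when set.
            rendered = "".join(traceback.format_exception(*record.exc_info))
            record.exc_text = self.redact(rendered.rstrip())
        return True


def load_secrets(run, names, handlers):
    """Fetch secrets through the run and mask their values on the given handlers.

    Assumption: `run` comes from Run.get_context() in a submitted run.
    """
    secrets = run.get_secrets(names)  # batch call: list of names in, dict out
    missing = [n for n in names if not secrets.get(n)]
    if missing:
        # Defensive check; the error reports names only, never values.
        raise KeyError(f"secrets not available from Key Vault: {missing}")
    redactor = SecretRedactingFilter(secrets.values())
    for handler in handlers:
        # Handler-level filters also cover records from child loggers.
        handler.addFilter(redactor)
    return secrets
```

The filter only masks exact values it was given, so output written with print() or by a handler that was not passed to load_secrets is not covered.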

Next steps