Skip to content

Commit 04db5d9

Browse files
rastalarastala
committed
version 1.0.18
1 parent 4e10935 commit 04db5d9

File tree

5 files changed

+253
-0
lines changed

5 files changed

+253
-0
lines changed

how-to-use-azureml/manage-azureml-service/authentication-in-azureml/authentication-in-azure-ml.ipynb

Lines changed: 253 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,253 @@
1+
{
2+
"cells": [
3+
{
4+
"cell_type": "markdown",
5+
"metadata": {},
6+
"source": [
7+
"Copyright (c) Microsoft Corporation. All rights reserved.\n",
8+
"\n",
9+
"Licensed under the MIT License.\n",
10+
"\n",
11+
"## Authentication in Azure Machine Learning\n",
12+
"\n",
13+
"This notebook shows you how to authenticate to your Azure ML Workspace using\n",
14+
"\n",
15+
" 1. Interactive Login Authentication\n",
16+
" 2. Azure CLI Authentication\n",
17+
" 3. Service Principal Authentication\n",
18+
" \n",
19+
"The interactive authentication is suitable for local experimentation on your own computer. Azure CLI authentication is suitable if you are already using Azure CLI for managing Azure resources, and want to sign in only once. The Service Principal authentication is suitable for automated workflows, for example as part of Azure Devops build."
20+
]
21+
},
22+
{
23+
"cell_type": "code",
24+
"execution_count": null,
25+
"metadata": {},
26+
"outputs": [],
27+
"source": [
28+
"from azureml.core import Workspace"
29+
]
30+
},
31+
{
32+
"cell_type": "markdown",
33+
"metadata": {},
34+
"source": [
35+
"### Interactive Authentication\n",
36+
"\n",
37+
"Interactive authentication is the default mode when using Azure ML SDK.\n",
38+
"\n",
39+
"When you connect to your workspace using workspace.from_config, you will get an interactive login dialog."
40+
]
41+
},
42+
{
43+
"cell_type": "code",
44+
"execution_count": null,
45+
"metadata": {},
46+
"outputs": [],
47+
"source": [
48+
"ws = Workspace.from_config()"
49+
]
50+
},
51+
{
52+
"cell_type": "markdown",
53+
"metadata": {},
54+
"source": [
55+
"Also, if you explicitly specify the subscription ID, resource group and resource group, you will get the dialog."
56+
]
57+
},
58+
{
59+
"cell_type": "code",
60+
"execution_count": null,
61+
"metadata": {},
62+
"outputs": [],
63+
"source": [
64+
"ws = Workspace(subscription_id=\"my-subscription-id\",\n",
65+
" resource_group=\"my-ml-rg\",\n",
66+
" workspace_name=\"my-ml-workspace\")"
67+
]
68+
},
69+
{
70+
"cell_type": "markdown",
71+
"metadata": {},
72+
"source": [
73+
"Note the user you're authenticated as must have access to the subscription and resource group. If you receive an error\n",
74+
"\n",
75+
"```\n",
76+
"AuthenticationException: You don't have access to xxxxxx-xxxx-xxx-xxx-xxxxxxxxxx subscription. All the subscriptions that you have access to = ...\n",
77+
"```\n",
78+
"\n",
79+
"check that the you used correct login and entered the correct subscription ID."
80+
]
81+
},
82+
{
83+
"cell_type": "markdown",
84+
"metadata": {},
85+
"source": [
86+
"In some cases, you may see a version of the error message containing text: ```All the subscriptions that you have access to = []```\n",
87+
"\n",
88+
"In such a case, you may have to specify the tenant ID of the Azure Active Directory you're using. An example would be accessing a subscription as a guest to a tenant that is not your default. You specify the tenant by explicitly instantiating _InteractiveLoginAuthentication_ with tenant ID as argument ([see instructions how to obtain tenant Id](#get-tenant-id))."
89+
]
90+
},
91+
{
92+
"cell_type": "code",
93+
"execution_count": null,
94+
"metadata": {},
95+
"outputs": [],
96+
"source": [
97+
"from azureml.core.authentication import InteractiveLoginAuthentication\n",
98+
"\n",
99+
"interactive_auth = InteractiveLoginAuthentication(tenant_id=\"my-tenant-id\")\n",
100+
"\n",
101+
"ws = Workspace(subscription_id=\"my-subscription-id\",\n",
102+
" resource_group=\"my-ml-rg\",\n",
103+
" workspace_name=\"my-ml-workspace\",\n",
104+
" auth=interactive_auth)"
105+
]
106+
},
107+
{
108+
"cell_type": "markdown",
109+
"metadata": {},
110+
"source": [
111+
"### Azure CLI Authentication\n",
112+
"\n",
113+
"If you have installed azure-cli package, and used ```az login``` command to log in to your Azure Subscription, you can use _AzureCliAuthentication_ class.\n",
114+
"\n",
115+
"Note that interactive authentication described above won't use existing Azure CLI auth tokens. "
116+
]
117+
},
118+
{
119+
"cell_type": "code",
120+
"execution_count": null,
121+
"metadata": {},
122+
"outputs": [],
123+
"source": [
124+
"from azureml.core.authentication import AzureCliAuthentication\n",
125+
"\n",
126+
"cli_auth = AzureCliAuthentication()\n",
127+
"\n",
128+
"ws = Workspace(subscription_id=\"my-subscription-id\",\n",
129+
" resource_group=\"my-ml-rg\",\n",
130+
" workspace_name=\"my-ml-workspace\",\n",
131+
" auth=cli_auth)\n",
132+
"\n",
133+
"print(\"Found workspace {} at location {}\".format(ws.name, ws.location))"
134+
]
135+
},
136+
{
137+
"cell_type": "markdown",
138+
"metadata": {},
139+
"source": [
140+
"### Service Principal Authentication\n",
141+
"\n",
142+
"When setting up a machine learning workflow as an automated process, we recommend using Service Principal Authentication. This approach decouples the authentication from any specific user login, and allows managed access control.\n",
143+
"\n",
144+
"Note that you must have administrator privileges over the Azure subscription to complete these steps.\n",
145+
"\n",
146+
"The first step is to create a service principal. First, go to [Azure Portal](https://portal.azure.com), select **Azure Active Directory** and **App Registrations**. Then select **+New application registration**, give your service principal a name, for example _my-svc-principal_. You can leave application type as is, and specify a dummy value for Sign-on URL, such as _https://invalid_.\n",
147+
"\n",
148+
"Then click **Create**.\n",
149+
"\n",
150+
"![service principal creation]<img src=\"images/svc-pr-1.PNG\">"
151+
]
152+
},
153+
{
154+
"cell_type": "markdown",
155+
"metadata": {},
156+
"source": [
157+
"The next step is to obtain the _Application ID_ (also called username) and create _password_ for the service principal.\n",
158+
"\n",
159+
"From the page for your newly created service principal, copy the _Application ID_. Then select **Settings** and **Keys**, write a description for your key, and select duration. Then click **Save**, and copy the _password_ to a secure location.\n",
160+
"\n",
161+
"![application id and password](images/svc-pr-2.PNG)"
162+
]
163+
},
164+
{
165+
"cell_type": "markdown",
166+
"metadata": {},
167+
"source": [
168+
"<a id =\"get-tenant-id\"></a>\n",
169+
"\n",
170+
"Also, you need to obtain the tenant ID of your Azure subscription. Go back to **Azure Active Directory**, select **Properties** and copy _Directory ID_.\n",
171+
"\n",
172+
"![tenant id](images/svc-pr-3.PNG)"
173+
]
174+
},
175+
{
176+
"cell_type": "markdown",
177+
"metadata": {},
178+
"source": [
179+
"Finally, you need to give the service principal permissions to access your workspace. Navigate to **Resource Groups**, to the resource group for your Machine Learning Workspace. \n",
180+
"\n",
181+
"Then select **Access Control (IAM)** and **Add a role assignment**. For _Role_, specify which level of access you need to grant, for example _Contributor_. Start entering your service principal name and once it is found, select it, and click **Save**.\n",
182+
"\n",
183+
"![add role](images/svc-pr-4.PNG)"
184+
]
185+
},
186+
{
187+
"cell_type": "markdown",
188+
"metadata": {},
189+
"source": [
190+
"Now you are ready to use the service principal authentication. For example, to connect to your Workspace, see code below and enter your own values for tenant ID, application ID, subscription ID, resource group and workspace.\n",
191+
"\n",
192+
"**We strongly recommended that you do not insert the secret password to code**. Instead, you can use environment variables to pass it to your code, for example through Azure Key Vault, or through secret build variables in Azure DevOps. For local testing, you can for example use following PowerShell command to set the environment variable.\n",
193+
"\n",
194+
"```\n",
195+
"$env:AZUREML_PASSWORD = \"my-password\"\n",
196+
"```"
197+
]
198+
},
199+
{
200+
"cell_type": "code",
201+
"execution_count": null,
202+
"metadata": {},
203+
"outputs": [],
204+
"source": [
205+
"import os\n",
206+
"from azureml.core.authentication import ServicePrincipalAuthentication\n",
207+
"\n",
208+
"svc_pr_password = os.environ.get(\"AZUREML_PASSWORD\")\n",
209+
"\n",
210+
"svc_pr = ServicePrincipalAuthentication(\n",
211+
" tenant_id=\"my-tenant-id\",\n",
212+
" service_principal_id=\"my-application-id\",\n",
213+
" service_principal_password=svc_pr_password)\n",
214+
"\n",
215+
"\n",
216+
"ws = Workspace(\n",
217+
" subscription_id=\"my-subscription-id\",\n",
218+
" resource_group=\"my-ml-rg\",\n",
219+
" workspace_name=\"my-ml-workspace\",\n",
220+
" auth=svc_pr\n",
221+
" )\n",
222+
"\n",
223+
"print(\"Found workspace {} at location {}\".format(ws.name, ws.location))"
224+
]
225+
}
226+
],
227+
"metadata": {
228+
"authors": [
229+
{
230+
"name": "roastala"
231+
}
232+
],
233+
"kernelspec": {
234+
"display_name": "Python 3.6",
235+
"language": "python",
236+
"name": "python36"
237+
},
238+
"language_info": {
239+
"codemirror_mode": {
240+
"name": "ipython",
241+
"version": 3
242+
},
243+
"file_extension": ".py",
244+
"mimetype": "text/x-python",
245+
"name": "python",
246+
"nbconvert_exporter": "python",
247+
"pygments_lexer": "ipython3",
248+
"version": "3.6.5"
249+
}
250+
},
251+
"nbformat": 4,
252+
"nbformat_minor": 2
253+
}

how-to-use-azureml/manage-azureml-service/authentication-in-azureml/images/svc-pr-1.PNG

37.2 KB
Loading

how-to-use-azureml/manage-azureml-service/authentication-in-azureml/images/svc-pr-2.PNG

67.6 KB
Loading

how-to-use-azureml/manage-azureml-service/authentication-in-azureml/images/svc-pr-3.PNG

66.6 KB
Loading

how-to-use-azureml/manage-azureml-service/authentication-in-azureml/images/svc-pr-4.PNG

121 KB
Loading

0 commit comments

Comments
 (0)