Open wojciech-jakubowski opened 1 year ago
Even with this new property, you would not be able to disable key access on the connected storage account. Azure ML relies on Azure Files and uses the storage account key for mounting the file share when using compute instances. This property just ensures that the default datastores (e.g. workspaceartifactstore, workspaceblobstore) use identity-based auth.
Yes, that is true. The networking design of AzureML is unfortunate in some places. I'd really like to get rid of storage account keys where I can.
I fully understand the need to disable key based auth on all storage accounts. This is not an Azure ML related issue but more a limit of Azure Files which Azure ML depends on for some scenarios.
Is there an existing issue for this?
Description
As of ARM API version 2022-12-01-preview, AzureML has support for connecting to the workspace storage account based on the workspace's managed identity instead of the account key.
On the Azure portal UI they call this setting "Storage account access type". Under the hood it's controlled by an ARM JSON property called systemDatastoresAuthMode (https://learn.microsoft.com/en-us/azure/templates/microsoft.machinelearningservices/2022-12-01-preview/workspaces?pivots=deployment-language-terraform#workspaceproperties-2).
It would be nice to have support for this in the AzureRM provider in azurerm_machine_learning_workspace, so it would be possible to disable SA key usage (which is not very secure).
New or Affected Resource(s)/Data Source(s)
azurerm_machine_learning_workspace
Potential Terraform Configuration
References
No response
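Added example (not from the issue author or the provider): while azurerm_machine_learning_workspace has no argument for this property, the systemDatastoresAuthMode setting from the issue can be applied with the azapi provider against the API version named above. Resource names, the azapi version pin, the role assignment and the resource group, Key Vault and Application Insights referenced here are assumptions; the comment about Azure Files still needing the account key is taken from the thread.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azapi   = { source = "Azure/azapi", version = "~> 1.13" } # assumed pin
  }
}

provider "azurerm" {
  features {}
}

# Workspace storage account. shared_access_key_enabled is left at its default
# (true) on purpose: as noted in the thread, compute instances still mount the
# Azure Files share with the account key, so disabling shared-key access here
# would break them even with identity-based datastores.
resource "azurerm_storage_account" "ml" {
  name                     = "stmlwexample" # placeholder name
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_machine_learning_workspace" "ml" {
  name                    = "mlw-example" # placeholder name
  location                = azurerm_resource_group.rg.location
  resource_group_name     = azurerm_resource_group.rg.name
  application_insights_id = azurerm_application_insights.ml.id # assumed elsewhere
  key_vault_id            = azurerm_key_vault.ml.id            # assumed elsewhere
  storage_account_id      = azurerm_storage_account.ml.id

  identity {
    type = "SystemAssigned"
  }
}

# Patch the ARM property the issue asks for until azurerm exposes it natively.
resource "azapi_update_resource" "datastore_auth" {
  type        = "Microsoft.MachineLearningServices/workspaces@2022-12-01-preview"
  resource_id = azurerm_machine_learning_workspace.ml.id
  body = jsonencode({
    properties = { systemDatastoresAuthMode = "identity" }
  })
}

# Identity-based datastore access only works if the workspace identity can
# actually read and write blobs; Storage Blob Data Contributor is assumed here.
resource "azurerm_role_assignment" "ws_blob" {
  scope                = azurerm_storage_account.ml.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_machine_learning_workspace.ml.identity[0].principal_id
}
```

After apply, the portal's "Storage account access type" should read identity-based; if the azurerm resource later gains a native argument, drop the azapi_update_resource block to avoid the two fighting over the property.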