azurerm_machine_learning_datastore_blobstorage throws error when using service_data_auth_identity meta argument #21443
Comments
@VickyWinner thanks for opening this issue. In fact, one of
@sinbai, we don't want to rely on account_key or sas key at all. I am assuming that if I use
@sinbai I've reopened this issue, would you mind taking another look at this one, as @VickyWinner has mentioned, it should be possible to use a System Assigned Identity for this purpose?
@tombuildsstuff any update here? It's a very annoying issue, especially as the resource for DFS is working normally :(
@VickyWinner have you found a solution for your bug besides using account key or sas? I have stumbled upon the same bug. SystemAssignedIdentity should be possible for Datastore registration or creation. Can you take another look at this please @tombuildsstuff and @sinbai?
@tombuildsstuff, @VickyWinner, @sinbai There is more to this ---
Shared key access is discouraged for stronger security as documented here. Entra ID is the preferred method of accessing secure storage accounts. AzureML allows this with the option of not storing credentials with a datastore. This document shows scenarios including those with "No Credential" on the datastore where it uses the user's identity or the workspace's managed service identity. This applies to all datastores including the workspace's default datastore. You can also see this behavior in the AzureML UI tooltip on the credential saving toggle in the datastore's authentication settings: On the Azure portal, when creating a new AzureML workspace, it provides an option to use identity access by for the initially created default datastore and also has an extra checkbox to disable shared key access from the start. As far as I can tell when the option to use "identity-based access" sets up the default This leads me to believe that it is valid to not include an access key or SAS token when creating an AzureML blob storage datastore and the Terraform provider should allow this. When that configuration is applied, it uses identity-based access by default. The user must still configure their identities to get data preview, notebooks, and other features that require access to the data from the portal, but I don't believe that needs to be enforced in the provider. It would be greatly appreciated if we could have this restriction removed from this provider so that it can be used for AzureML workspaces that must adhere to certain security standards.
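The preference argued for in the comment above (no account key or SAS token stored on the datastore, shared key access disabled on the storage account) can be checked against a plan before apply. This is an added example, not part of the thread or the provider's code; it assumes the `terraform show -json` plan layout and the azurerm argument names `account_key`, `shared_access_signature` and `shared_access_key_enabled`, and the sample plan is constructed.

```python
import json

DATASTORE = "azurerm_machine_learning_datastore_blobstorage"
STORAGE = "azurerm_storage_account"
SECRET_ARGS = ("account_key", "shared_access_signature")

# Constructed sample in the layout of `terraform show -json <planfile>`;
# resource names and values are made up for illustration.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": f"{DATASTORE}.with_key", "type": DATASTORE,
     "change": {"actions": ["create"],
                "after": {"name": "raw", "account_key": "constructed-key"}}},
    {"address": f"{DATASTORE}.identity", "type": DATASTORE,
     "change": {"actions": ["create"],
                "after": {"name": "curated", "account_key": None,
                          "service_data_auth_identity": "WorkspaceSystemAssignedIdentity"}}},
    {"address": f"{STORAGE}.ml", "type": STORAGE,
     "change": {"actions": ["create"],
                "after": {"name": "mlstore", "shared_access_key_enabled": True}}},
]})


def audit_plan(plan_json):
    """Return sorted (address, finding) pairs for shared-key or SAS usage."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # resource is being removed, nothing to flag
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if rc.get("type") == DATASTORE:
            for arg in SECRET_ARGS:
                # A value known at plan time or one computed at apply both count.
                if after.get(arg) or unknown.get(arg):
                    findings.append((rc["address"], f"{arg} stored on datastore"))
        elif rc.get("type") == STORAGE:
            # Assumption: an absent value means the provider default (enabled).
            if after.get("shared_access_key_enabled", True):
                findings.append((rc["address"], "shared key access enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for address, finding in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```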
Is there an existing issue for this?
Community Note
Terraform Version
Terraform v1.0.4
AzureRM Provider Version
provider registry.terraform.io/hashicorp/azurerm v3.52.0
Affected Resource(s)/Data Source(s)
azurerm_machine_learning_datastore_blobstorage
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
blobstore registered.
Actual Behaviour
terraform plan erroring out
Steps to Reproduce
Use the block from above
Important Factoids
No response
References
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/machine_learning_datastore_blobstorage