Authenticate clients for online endpoints

Article
05/21/2024

APPLIES TO: Azure CLI ml extension v2 (current) Python SDK azure-ai-ml v2 (current)

This article covers how to authenticate clients to perform control plane and data plane operations on online endpoints.

A control plane operation controls an endpoint and changes it. Control plane operations include create, read, update, and delete (CRUD) operations on online endpoints and online deployments.

A data plane operation uses data to interact with an online endpoint without changing the endpoint. For example, a data plane operation could consist of sending a scoring request to an online endpoint and getting a response.

Prerequisites

Before following the steps in this article, make sure you have the following prerequisites:

An Azure Machine Learning workspace. If you don't have one, use the steps in the Quickstart: Create workspace resources article to create one.
The Azure CLI and the ml extension or the Azure Machine Learning Python SDK v2:
- To install the Azure CLI and extension, see Install, set up, and use the CLI (v2).
  
  Important
  
  The CLI examples in this article assume that you are using the Bash (or compatible) shell. For example, from a Linux system or Windows Subsystem for Linux.
- To install the Python SDK v2, use the following command:
```
pip install azure-ai-ml azure-identity
```
  To update an existing installation of the SDK to the latest version, use the following command:
```
pip install --upgrade azure-ai-ml azure-identity
```
  For more information, see Install the Python SDK v2 for Azure Machine Learning.

Prepare a user identity

You need a user identity to perform control plane operations (that is, CRUD operations) and data plane operations (that is, send scoring requests) on the online endpoint. You can use the same user identity or different user identities for the control plane and data plane operations. In this article, you use the same user identity for both control plane and data plane operations.

To create a user identity under Microsoft Entra ID, see Set up authentication. You'll need the identity ID later.

Assign permissions to the identity

In this section, you assign permissions to the user identity that you use for interacting with the endpoint. You begin by using either a built-in role or by creating a custom role. Thereafter, you assign the role to your user identity.

Use a built-in role

The AzureML Data Scientist built-in role can be used to manage and use endpoints and deployments and it uses wildcards to include the following control plane RBAC actions:

Microsoft.MachineLearningServices/workspaces/onlineEndpoints/write
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/delete
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/read
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/token/action
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/listKeys/action
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/regenerateKeys/action

and to include the following data plane RBAC action:

Microsoft.MachineLearningServices/workspaces/onlineEndpoints/score/action

Optionally, the Azure Machine Learning Workspace Connection Secrets Reader built-in role can be used to access secrets from workspace connections and it include the following control plane RBAC actions:

Microsoft.MachineLearningServices/workspaces/connections/listsecrets/action
Microsoft.MachineLearningServices/workspaces/metadata/secrets/read

If you use these built-in roles, there's no action needed at this step.

(Optional) Create a custom role

You can skip this step if you're using built-in roles or other pre-made custom roles.

Define the scope and actions for custom roles by creating JSON definitions of the roles. For example, the following role definition allows the user to CRUD an online endpoint, under a specified workspace.

custom-role-for-control-plane.json:

{
    "Name": "Custom role for control plane operations - online endpoint",
    "IsCustom": true,
    "Description": "Can CRUD against online endpoints.",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/write",
        "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/delete",
        "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/read",
        "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/token/action",
        "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/regenerateKeys/action"
    ],
    "NotActions": [
    ],
    "AssignableScopes": [
        "/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>"
    ]
}

The following role definition allows the user to send scoring requests to an online endpoint, under a specified workspace.

custom-role-for-scoring.json:

{
    "Name": "Custom role for scoring - online endpoint",
    "IsCustom": true,
    "Description": "Can score against online endpoints.",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*/action"
    ],
    "NotActions": [
    ],
    "AssignableScopes": [
        "/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>"
    ]
}

Use the JSON definitions to create custom roles:
```
az role definition create --role-definition custom-role-for-control-plane.json --subscription <subscriptionId>

az role definition create --role-definition custom-role-for-scoring.json --subscription <subscriptionId>
```
Note

To create custom roles, you need one of three roles:
- owner
- user access administrator
- a custom role with Microsoft.Authorization/roleDefinitions/write permission (to create/update/delete custom roles) and Microsoft.Authorization/roleDefinitions/read permission (to view custom roles).
For more information on creating custom roles, see Azure custom roles.

Verify the role definition:

az role definition list --custom-role-only -o table

az role definition list -n "Custom role for control plane operations - online endpoint"
az role definition list -n "Custom role for scoring - online endpoint"

export role_definition_id1=`(az role definition list -n "Custom role for control plane operations - online endpoint" --query "[0].id" | tr -d '"')`

export role_definition_id2=`(az role definition list -n "Custom role for scoring - online endpoint" --query "[0].id" | tr -d '"')`

Assign the role to the identity

If you're using the AzureML Data Scientist built-in role, use the following code to assign the role to your user identity.

az role assignment create --assignee <identityId> --role "AzureML Data Scientist" --scope /subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/Microsoft.MachineLearningServices/workspaces/<workspaceName>

Optionally, if you're using the Azure Machine Learning Workspace Connection Secrets Reader built-in role, use the following code to assign the role to your user identity.

az role assignment create --assignee <identityId> --role "Azure Machine Learning Workspace Connection Secrets Reader" --scope /subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/Microsoft.MachineLearningServices/workspaces/<workspaceName>

If you're using a custom role, use the following code to assign the role to your user identity.

az role assignment create --assignee <identityId> --role "Custom role for control plane operations - online endpoint" --scope /subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/Microsoft.MachineLearningServices/workspaces/<workspaceName>

az role assignment create --assignee <identityId> --role "Custom role for scoring - online endpoint" --scope /subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/Microsoft.MachineLearningServices/workspaces/<workspaceName>

Note

To assign custom roles to the user identity, you need one of three roles:

owner
user access administrator
a custom role that allows Microsoft.Authorization/roleAssignments/write permission (to assign custom roles) and Microsoft.Authorization/roleAssignments/read (to view role assignments).

For more information on the different Azure roles and their permissions, see Azure roles and Assigning Azure roles using Azure Portal.

Confirm the role assignment:

az role assignment list --scope /subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/Microsoft.MachineLearningServices/workspaces/<workspaceName>

Get the Microsoft Entra token for control plane operations

Perform this step if you plan to perform control plane operations with REST API, which will directly use the token.

If you plan to use other ways such as Azure Machine Learning CLI (v2), Python SDK (v2), or the Azure Machine Learning studio, you don't need to get the Microsoft Entra token manually. Rather, during sign in, your user identity would already be authenticated, and the token would automatically be retrieved and passed for you.

You can retrieve the Microsoft Entra token for control plane operations from the Azure resource endpoint: https://management.azure.com.

Sign in to Azure.
```
az login
```
If you want to use a specific identity, use the following code to sign in with the identity:
```
az login --identity --username <identityId>
```

Use this context to get the token.

export CONTROL_PLANE_TOKEN=`(az account get-access-token --resource https://management.azure.com --query accessToken | tr -d '"')`

From an Azure virtual machine

You can acquire the token based on the managed identity for an Azure VM (when the VM enables a managed identity).

To get the Microsoft Entra token (aad_token) for the control plane operation on the Azure VM, submit the request to the Azure Instance Metadata Service (IMDS) endpoint for the Azure resource endpoint management.azure.com:
```
export CONTROL_PLANE_TOKEN=`(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s | jq -r '.access_token' )`
```
Tip

To extract the token from the JSON output, the jq utility is used as an example. However, you can use any suitable tool for this purpose.

For more information on getting tokens based on managed identities, see Get a token using HTTP.

From a compute instance

You can get the token if you're using the Azure Machine Learning workspace's compute instance. To get the token, you must pass the client ID and the secret of the compute instance's managed identity to the managed system identity (MSI) endpoint that is configured locally at the compute instance. You can get the MSI endpoint, client ID, and secret from the environment variables MSI_ENDPOINT, DEFAULT_IDENTITY_CLIENT_ID, and MSI_SECRET, respectively. These variables are set automatically if you enable managed identity for the compute instance.

Get the token for the Azure resource endpoint management.azure.com from the workspace's compute instance:

export CONTROL_PLANE_TOKEN=`(curl $MSI_ENDPOINT'?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F&clientid='$DEFAULT_IDENTITY_CLIENT_ID -H Metadata:true -H Secret:$MSI_SECRET -s | jq -r '.access_token' )`

from azure.identity import DefaultAzureCredential, InteractiveBrowserCredential

try:
    credential = DefaultAzureCredential()
    # Check if given credential can get token successfully.
    access_token = credential.get_token("https://management.azure.com/.default")
    print(access_token)
except Exception as ex:
    # Fall back to InteractiveBrowserCredential in case DefaultAzureCredential not work
    # This will open a browser page for
    credential = InteractiveBrowserCredential()

See Get a token using the Azure identity client library for more information.

(Optional) Verify the resource endpoint and client ID for Microsoft Entra token

After you retrieve the Microsoft Entra token, you can verify that the token is for the right Azure resource endpoint management.azure.com and the right client ID by decoding the token via jwt.ms, which will return a json response with the following information:

{
    "aud": "https://management.azure.com",
    "oid": "<your-object-id>"
}

Create an endpoint

The following example creates the endpoint with a system-assigned identity (SAI) as the endpoint identity. The SAI is the default identity type of the managed identity for endpoints. Some basic roles are automatically assigned for the SAI. For more information on role assignment for a system-assigned identity, see Automatic role assignment for endpoint identity.

The CLI doesn't require you to explicitly provide the control plane token. Instead, the CLI az login authenticates you during sign in, and the token is automatically retrieved and passed for you.

Create an endpoint definition YAML file.

endpoint.yml:

$schema: https://azuremlschemas.azureedge.net/latest/managedOnlineEndpoint.schema.json
name: my-endpoint
auth_mode: aad_token

You can replace auth_mode with key for key auth, or aml_token for Azure Machine Learning token auth. In this example, you use aad_token for Microsoft Entra token auth.
```
az ml online-endpoint create -f endpoint.yml
```

Check the endpoint's status:

az ml online-endpoint show -n my-endpoint

If you want to override auth_mode (for example, to aad_token) when creating an endpoint, run the following code:
```
az ml online-endpoint create -n my-endpoint --auth_mode aad_token
```
If you want to update the existing endpoint and specify auth_mode (for example, to aad_token), run the following code:
```
az ml online-endpoint update -n my-endpoint --set auth_mode=aad_token
```

The REST API call requires you to explicitly provide the control plane token. Use the control plane token you retrieved earlier.

Create or update an endpoint:

export SUBSCRIPTION_ID=<SUBSCRIPTION_ID>
export RESOURCE_GROUP=<RESOURCE_GROUP>
export WORKSPACE=<AML_WORKSPACE_NAME>
export ENDPOINT_NAME=<ENDPOINT_NAME>
export LOCATION=<LOCATION_NAME>
export API_VERSION=2023-04-01

response=$(curl --location --request PUT "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/onlineEndpoints/$ENDPOINT_NAME?api-version=$API_VERSION" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $CONTROL_PLANE_TOKEN" \
--data-raw "{
    \"identity\": {
       \"type\": \"systemAssigned\"
    },
    \"properties\": {
        \"authMode\": \"AADToken\"
    },
    \"location\": \"$LOCATION\"
}")

echo $response

You can replace authMode with key for key auth, or AMLToken for Azure Machine Learning token auth. In this example, you use AADToken for Microsoft Entra token auth.

Get the current status of the online endpoint:

response=$(curl --location --request GET "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/onlineEndpoints/$ENDPOINT_NAME?api-version=$API_VERSION" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $CONTROL_PLANE_TOKEN" \
)

echo $response

Python SDK doesn't require you to explicitly provide the control plane token. Rather, the SDK MLClient authenticates you during sign in, and the token is automatically retrieved and passed for you.

from azure.ai.ml import MLClient
from azure.ai.ml.entities import (
    ManagedOnlineEndpoint,
    ManagedOnlineDeployment,
    Model,
    Environment,
    CodeConfiguration,
)
from azure.identity import DefaultAzureCredential

subscription_id = "<SUBSCRIPTION_ID>"
resource_group = "<RESOURCE_GROUP>"
workspace = "<AML_WORKSPACE_NAME>"

ml_client = MLClient(
    DefaultAzureCredential(), subscription_id, resource_group, workspace
)

endpoint = ManagedOnlineEndpoint(
    name="my-endpoint",
    description="this is a sample online endpoint",
    auth_mode="aad_token",
    tags={"foo": "bar"},
)
ml_client.online_endpoints.begin_create_or_update(endpoint).result()

You can replace auth_mode with key for key auth, or aml_token for Azure Machine Learning token auth. In this example, you use aad_token for Microsoft Entra token auth.

Create a deployment

To create a deployment, see Deploy an ML model with an online endpoint or Use REST to deploy an model as an online endpoint. There's no difference in how you create deployments for different auth modes.

The following code is an example of how to create a deployment. For more information on deploying online endpoints, see Deploy an ML model with an online endpoint (via CLI)

Create a deployment definition YAML file.

blue-deployment.yml:

$schema: https://azuremlschemas.azureedge.net/latest/managedOnlineDeployment.schema.json
name: blue
endpoint_name: my-aad-auth-endp1
model:
  path: ../../model-1/model/
code_configuration:
  code: ../../model-1/onlinescoring/
  scoring_script: score.py
environment: 
  conda_file: ../../model-1/environment/conda.yml
  image: mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.04:latest
instance_type: Standard_DS3_v2
instance_count: 1

Create the deployment using the YAML file. For this example, set all traffic to the new deployment.
```
az ml online-deployment create -f blue-deployment.yml --all-traffic
```

Get the scoring URI for the endpoint

If you plan to use the CLI to invoke the endpoint, you're not required to get the scoring URI explicitly, as the CLI handles it for you. However, you can still use the CLI to get the scoring URI so that you can use it with other channels, such as REST API.

scoringUri=$(az ml online-endpoint show -n my-endpoint --query "scoring_uri")

export SUBSCRIPTION_ID=<SUBSCRIPTION_ID>
export RESOURCE_GROUP=<RESOURCE_GROUP>
export WORKSPACE=<AML_WORKSPACE_NAME>
export ENDPOINT_NAME=<ENDPOINT_NAME>
export API_VERSION=2023-04-01
response=$(curl --location --request GET "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/onlineEndpoints/$ENDPOINT_NAME?api-version=$API_VERSION" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $CONTROL_PLANE_TOKEN")
scoringUri=$(echo $response | jq -r '.properties' | jq -r '.scoringUri')

echo $response
echo $scoringUri

If you plan to use the Python SDK to invoke the endpoint, you're not required to get the scoring URI explicitly, as the SDK handles it for you. However, you can still use the SDK to get the scoring URI so that you can use it with other channels, such as REST API.

scoring_uri = ml_client.online_endpoints.get(name=endpoint_name).scoring_uri

Get the key or token for data plane operations

A key or token can be used for data plane operations, even though the process of getting the key or token is a control plane operation. In other words, you use a control plane token to get the key or token that you later use to perform your data plane operations.

Getting the key or Azure Machine Learning token requires that the correct role is assigned to the user identity that is requesting it, as described in authorization for control plane operations. Getting the Microsoft Entra token doesn't require any extra roles for the user identity.

If you plan to use the CLI to invoke the endpoint, you're not required to get the keys or token for data plane operations explicitly, as the CLI handles it for you. However, you can still use the CLI to get the keys or token for data plane operation so that you can use it with other channels, such as REST API.

To get the keys or token for data plane operations, use the az ml online-endpoint get-credentials command. This command returns a JSON output that contains the keys, token, and/or additional information.

Tip

To extract a specific information from the JSON output, the --query parameter of the CLI command is used as an example. However, you can use any suitable tool for this purpose.

When auth_mode of the endpoint is key

Keys are returned in the primaryKey and secondaryKey fields.

export DATA_PLANE_TOKEN=$(az ml online-endpoint get-credentials -n $ENDPOINT_NAME -g $RESOURCE_GROUP -w $WORKSPACE_NAME -o tsv --query primaryKey)
export DATA_PLANE_TOKEN2=$(az ml online-endpoint get-credentials -n $ENDPOINT_NAME -g $RESOURCE_GROUP -w $WORKSPACE_NAME -o tsv --query secondaryKey)

When auth_mode of the endpoint is aml_token

Token is returned in the accessToken field.
Token expiration time is returned in the expiryTimeUtc field.
Token refresh time is returned in the refreshAfterTimeUtc field.

export DATA_PLANE_TOKEN=$(az ml online-endpoint get-credentials -n $ENDPOINT_NAME -g $RESOURCE_GROUP -w $WORKSPACE_NAME -o tsv --query accessToken)
export EXPIRY_TIME_UTC=$(az ml online-endpoint get-credentials -n $ENDPOINT_NAME -g $RESOURCE_GROUP -w $WORKSPACE_NAME -o tsv --query expiryTimeUtc)
export REFRESH_AFTER_TIME_UTC=$(az ml online-endpoint get-credentials -n $ENDPOINT_NAME -g $RESOURCE_GROUP -w $WORKSPACE_NAME -o tsv --query refreshAfterTimeUtc)

When auth_mode of the endpoint is aad_token

Token is returned in the accessToken field.
Token expiration time is returned in the expiryTimeUtc field.

export DATA_PLANE_TOKEN=$(az ml online-endpoint get-credentials -n $ENDPOINT_NAME -g $RESOURCE_GROUP -w $WORKSPACE_NAME -o tsv --query accessToken)
export EXPIRY_TIME_UTC=$(az ml online-endpoint get-credentials -n $ENDPOINT_NAME -g $RESOURCE_GROUP -w $WORKSPACE_NAME -o tsv --query expiryTimeUtc)

To get the keys or token for data plane operations, choose the right API, depending on the auth_mode of the endpoint. The API returns a JSON output that includes the keys and token.

Tip

The jq utility is used to demonstrate how to extract a specific information from the JSON output. However, you can use any suitable tool for this purpose.

When auth_mode of the endpoint is key

Use the listkeys API.
Keys are returned in the primaryKey and secondaryKey fields.

response=$(curl -H "Content-Length: 0" --location --request POST "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/onlineEndpoints/$ENDPOINT_NAME/listkeys?api-version=$API_VERSION" \
--header "Authorization: Bearer $CONTROL_PLANE_TOKEN")

export DATA_PLANE_TOKEN=$(echo $response | jq -r '.primaryKey')

When auth_mode of the endpoint is aml_token

Use the token API.
Token is returned in the accessToken field.
Token expiration time is returned in the expiryTimeUtc field
Token refresh time is returned in the refreshAfterTimeUtc field

response=$(curl -H "Content-Length: 0" --location --request POST "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/onlineEndpoints/$ENDPOINT_NAME/token?api-version=$API_VERSION" \
--header "Authorization: Bearer $CONTROL_PLANE_TOKEN")

export DATA_PLANE_TOKEN=$(echo $response | jq -r '.accessToken')
export EXPIRY_TIME_UTC=$(echo $response | jq -r '.expiryTimeUtc')
export REFRESH_AFTER_TIME_UTC=$(echo $response | jq -r '.refreshAfterTimeUtc')

When auth_mode of the endpoint is aad_token

Use IMDS endpoint or MSI endpoint, depending on where you request for the token.
Token is returned in the accessToken field.
Token expiration time is returned in the expiryTimeUtc field

From an Azure virtual machine

You can acquire the token based on the managed identities for an Azure VM (when the VM enables a managed identity).

To get the Microsoft Entra token (aad_token) for the data plane operation on the Azure VM with managed identity, submit the request to the Azure Instance Metadata Service (IMDS) endpoint for the Azure resource endpoint ml.azure.com:

export DATA_PLANE_TOKEN=`(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fml.azure.com%2F' -H Metadata:true -s | jq -r '.access_token' )`
export EXPIRY_TIME_UTC=`(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fml.azure.com%2F' -H Metadata:true -s | jq -r '.expiryTimeUtc' )`

For more information on getting tokens based on managed identities, see Get a token using HTTP.

From a compute instance

Get the token for the Azure resource endpoint ml.azure.com from the workspace's compute instance:

export DATA_PLANE_TOKEN=`(curl $MSI_ENDPOINT'?api-version=2018-02-01&resource=https%3A%2F%2Fml.azure.com%2F&clientid='$DEFAULT_IDENTITY_CLIENT_ID -H Metadata:true -H Secret:$MSI_SECRET -s | jq -r '.access_token' )`
export EXPIRY_TIME_UTC=`(curl $MSI_ENDPOINT'?api-version=2018-02-01&resource=https%3A%2F%2Fml.azure.com%2F&clientid='$DEFAULT_IDENTITY_CLIENT_ID -H Metadata:true -H Secret:$MSI_SECRET -s | jq -r '.expiryTimeUtc' )`

Important

Unlike the Microsoft Entra token for control plane operations, which is retrieved from management.azure.com, the Microsoft Entra token for data plane operations is retrieved from the Azure resource endpoint ml.azure.com.

If you plan to use the SDK to invoke the endpoint, you're not required to get the keys or token for data plane operations explicitly, as the SDK handles it for you. However, you can still use the SDK to get the keys or token for data plane operations so that you can use it with other channels, such as REST API.

To get the keys or token for data plane operations, use the get_keys method in the OnlineEndpointOperations class. This method returns an object that includes keys and token.

When auth_mode of the endpoint is key

Keys are returned in the primary_key and secondary_key fields.

DATA_PLANE_TOKEN = ml_client.online_endpoints.get_keys(name=endpoint_name).primary_key
DATA_PLANE_TOKEN2 = ml_client.online_endpoints.get_keys(name=endpoint_name).secondary_key

When auth_mode of the endpoint is aml_token

Token is returned in the access_token field.
Token expiration time is returned in the expiry_time_utc field.
Token refresh time is returned in the refresh_after_time_utc field.

DATA_PLANE_TOKEN = ml_client.online_endpoints.get_keys(name=endpoint_name).access_token
EXPIRY_TIME_UTC = ml_client.online_endpoints.get_keys(name=endpoint_name).expiry_time_utc
REFRESH_AFTER_TIME_UTC = ml_client.online_endpoints.get_keys(name=endpoint_name).refresh_after_time_utc

When auth_mode of the endpoint is aad_token

Token is returned in the access_token field.
Token expiration time is returned in the expiry_time_utc field.

DATA_PLANE_TOKEN = ml_client.online_endpoints.get_keys(name=endpoint_name).access_token
EXPIRY_TIME_UTC = ml_client.online_endpoints.get_keys(name=endpoint_name).expiry_time_utc

See Get a token using the Azure identity client library for more information.

Verify the resource endpoint and client ID for the Microsoft Entra token

After getting the Entra token, you can verify that the token is for the right Azure resource endpoint ml.azure.com and the right client ID by decoding the token via jwt.ms, which will return a json response with the following information:

{
    "aud": "https://ml.azure.com",
    "oid": "<your-object-id>"
}

Score data using the key or token

You can use az ml online-endpoint invoke for endpoints with a key, an Azure Machine Learning token, or a Microsoft Entra token. The CLI handles the key or token automatically so you don't need to pass it explicitly.

az ml online-endpoint invoke -n my-endpoint -r request.json

When invoking the online endpoint for scoring, pass the key, Azure Machine Learning token, or Microsoft Entra token in the authorization header. The following code shows how to use the curl utility to call the online endpoint using a key or token:

curl --request POST "$scoringUri" --header "Authorization: Bearer $DATA_PLANE_TOKEN" --header 'Content-Type: application/json' --data @endpoints/online/model-1/sample-request.json

Azure Machine Learning SDK using ml_client.online_endpoints.invoke() is supported for key, Azure Machine Learning token, and Microsoft Entra token. In addition to using Azure Machine Learning SDK, you can also use a generic Python SDK to send the POST request to the scoring URI.

When calling the online endpoint for scoring, pass the key or token in the authorization header. The following code shows how to call the online endpoint using a key or token with a generic Python SDK. In the code, replace the api_key variable with your key or token.

import urllib.request
import json
import os

data = {"data": [
    [1,2,3,4,5,6,7,8,9,10], 
    [10,9,8,7,6,5,4,3,2,1]
]}

body = str.encode(json.dumps(data))

url = '<scoring URI as retrieved earlier>'
api_key = '<key or token as retrieved earlier>'
headers = {'Content-Type':'application/json', 'Authorization':('Bearer '+ api_key)}

req = urllib.request.Request(url, body, headers)

try:
    response = urllib.request.urlopen(req)

    result = response.read()
    print(result)
except urllib.error.HTTPError as error:
    print("The request failed with status code: " + str(error.code))

    # Print the headers - they include the requert ID and the timestamp, which are useful for debugging the failure
    print(error.info())
    print(error.read().decode("utf8", 'ignore'))

Log and monitor traffic

To enable traffic logging in the diagnostics settings for the endpoint, follow the steps in How to enable/disable logs.

If the diagnostic setting is enabled, you can check the AmlOnlineEndpointTrafficLogs table to see the auth mode and user identity.

Share via

Authenticate clients for online endpoints

Prerequisites

Prepare a user identity

Assign permissions to the identity

Use a built-in role

(Optional) Create a custom role

Assign the role to the identity

Get the Microsoft Entra token for control plane operations

(Optional) Verify the resource endpoint and client ID for Microsoft Entra token

Create an endpoint

Create a deployment

Get the scoring URI for the endpoint

Get the key or token for data plane operations

Verify the resource endpoint and client ID for the Microsoft Entra token

Score data using the key or token

Key or Azure Machine Learning token

Log and monitor traffic

Feedback

Additional resources

Share via

Authenticate clients for online endpoints

Prerequisites

Prepare a user identity

Assign permissions to the identity

Use a built-in role

(Optional) Create a custom role

Assign the role to the identity

Get the Microsoft Entra token for control plane operations

(Optional) Verify the resource endpoint and client ID for Microsoft Entra token

Create an endpoint

Create a deployment

Get the scoring URI for the endpoint

Get the key or token for data plane operations

Verify the resource endpoint and client ID for the Microsoft Entra token

Score data using the key or token

Log and monitor traffic

Related content

Feedback

Additional resources