Share via

ACL rules issue when invoking batch endpoint

BRIZOLLA DE CARVALHO Matheus 10 Reputation points
2024-06-28T10:39:32.7133333+00:00

Hi,

Lately, I've been facing an issue when I try to invoke my batch endpoint independently the place I'm using.

The things I've done:

  • Used Azure Function
  • Used ADF Web activity
  • Requested locally

I have granted the AzureML Data Scientist role and even the Owner role to the managed identity my resources were using. Also, the same managed identity was assigned to the batch cluster I have created.

In every attempt I had the following error:

Error: 403. Access to this resource is denied. Please check your ACL rules on the resource.

When I invoke the batch endpoint within my ML notebook, that works.

Below the code I'm using


url = 'https://<batch_endpoint_name>.westeurope.inference.ml.azure.com/jobs'
token = <bearer_token>
headers = {
    'Authorization': f'Bearer {token}',
    'Content-Type': 'application/json'
}
data = {
    'input_1': 'azureml:<data_asset>:1',
    'input_2': 'azureml:<data_asset>:1'
}

response = requests.post(url, headers=headers, data=json.dumps(data))

What am I missing to achieve it?

Azure Machine Learning
Azure Machine Learning
An Azure machine learning service for building and deploying models.
2,723 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. YutongTie-MSFT 48,581 Reputation points
    2024-06-30T02:55:54.4433333+00:00

    Hello

    Thanks for reaching out to us. I see you confirmed that you have provided the right role, could you please also confirm have you provided the right authentication to Batch endpoint as this document guidance -

    https://learn.microsoft.com/en-us/azure/machine-learning/how-to-authenticate-batch-endpoint?view=azureml-api-2&tabs=cli

    Especially this part -

    Batch Endpoints exposes a durable API consumers can use to generate jobs. The invoker request proper permission to be able to generate those jobs. You can either use one of the built-in security roles or you can create a custom role for the purposes. To successfully invoke a batch endpoint you need the following explicit actions granted to the identity used to invoke the endpoints. See Steps to assign an Azure role for instructions to assign them. J

      "actions": [
    "Microsoft.MachineLearningServices/workspaces/read",
    "Microsoft.MachineLearningServices/workspaces/data/versions/write",
    "Microsoft.MachineLearningServices/workspaces/datasets/registered/read",
    "Microsoft.MachineLearningServices/workspaces/datasets/registered/write",
    "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/read",
    "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/write",
    "Microsoft.MachineLearningServices/workspaces/datastores/read",
    "Microsoft.MachineLearningServices/workspaces/datastores/write",
    "Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action",
    "Microsoft.MachineLearningServices/workspaces/listStorageAccountKeys/action",
    "Microsoft.MachineLearningServices/workspaces/batchEndpoints/read",
    "Microsoft.MachineLearningServices/workspaces/batchEndpoints/write",
    "Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/read",
    "Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/write",
    "Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/jobs/write",
    "Microsoft.MachineLearningServices/workspaces/batchEndpoints/jobs/write",
    "Microsoft.MachineLearningServices/workspaces/computes/read",
    "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
    "Microsoft.MachineLearningServices/workspaces/metadata/secrets/read",
    "Microsoft.MachineLearningServices/workspaces/metadata/snapshots/read",
    "Microsoft.MachineLearningServices/workspaces/metadata/artifacts/read",
    "Microsoft.MachineLearningServices/workspaces/metadata/artifacts/write",
    "Microsoft.MachineLearningServices/workspaces/experiments/read",
    "Microsoft.MachineLearningServices/workspaces/experiments/runs/submit/action",
    "Microsoft.MachineLearningServices/workspaces/experiments/runs/read",
    "Microsoft.MachineLearningServices/workspaces/experiments/runs/write",
    "Microsoft.MachineLearningServices/workspaces/metrics/resource/write",
    "Microsoft.MachineLearningServices/workspaces/modules/read",
    "Microsoft.MachineLearningServices/workspaces/models/read",
    "Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/read",
    "Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/write",
    "Microsoft.MachineLearningServices/workspaces/environments/read",
    "Microsoft.MachineLearningServices/workspaces/environments/write",
    "Microsoft.MachineLearningServices/workspaces/environments/build/action",
    "Microsoft.MachineLearningServices/workspaces/environments/readSecrets/action"
]

    If yes, could you please implement below code to see where is the error ? Please change it according to your environment - 

    import requests
import json
url = 'https://<batch_endpoint_name>.westeurope.inference.ml.azure.com/jobs'
bearer_token = '<your_bearer_token>'
headers = {
    'Authorization': f'Bearer {bearer_token}',
    'Content-Type': 'application/json'
}
data = {
    'input_1': 'azureml:<data_asset>:1',
    'input_2': 'azureml:<data_asset>:1'
}
try:
    response = requests.post(url, headers=headers, data=json.dumps(data))
    response.raise_for_status()  # Raise error for non-2xx responses
    print("Batch job submission successful:", response.json())
except requests.exceptions.HTTPError as err:
    print(f"HTTP error occurred: {err}")
except Exception as err:
    print(f"Error occurred: {err}")

    Please let us know how it works, thanks! I hope this helps.

    Regards,

    Yutong

    -Please kindly accept the answer if you feel helpful to support the community, thanks a lot.