Run fbprophet from ADX without SAS keys

SEYNAEVE Gerdy (SGI/MST) 1 Reputation point

I have been trying our this example - trying to run fbprophet within Adx as documented here :

We are not allowed to use SAS keys to connect different components, and have to rely on managed identities

So I proceeded as follows :

  • enabled the python plugin (3.6.5) on the cluster
  • created a blob storage account & uploaded the fbprophet zip file
  • changed the function to use the storage account see below)
  • Gave the ADX system managed identity access to the storage account (blob storage contributor)
     | evaluate python(typeof(*), code, kwargs,
 external_artifacts=bag_pack('', 'https://<mystorageaccountname>'))

  • Added a callout policy for the managed identity - query in kusto
.alter-merge database db policy managed_identity ```
    "ObjectId": "<managed identity of the Adx cluster>",
    "AllowedUsages": "SandboxArtifacts"

- I also have the following callout policy 

    "CalloutType": "sandbox_artifacts",
    "CalloutUriRegex": "<mystorageaccountname>\\.blob\\.core\\.windows\\.net/fbprophet/",
    "CanCall": true

When I try to run the forecasting algorithm, I get the following error :

Details=Access to persistent storage path 'https://<mystorageaccountname>' was denied (operation 'BlobPersistentStorageFile.DownloadToFileAsync')

Any ideas if something is still missing ?

Azure Data Explorer
Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
497 questions
{count} votes

2 answers

Sort by: Most helpful
  1. QuantumCache 20,106 Reputation points

    Hello @SEYNAEVE Gerdy (SGI/MST)

    Check if there are any network restrictions in place that might be blocking the ADX system managed identity from accessing the blob storage account. You can try to access the blob storage account from a different Azure resource (e.g., a VM) using the same managed identity to see if it works?

  2. SEYNAEVE Gerdy (SGI/MST) 1 Reputation point

    Finally found the issue : In case of using manage identities, the connectionstring specifically has to mention to use the system managed_identity

    external_artifacts=bag_pack('', 'https://<storageaccountname>;managed_identity=system'))

    0 comments No comments