Create an Azure Machine Learning service workspace (CMK)
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry.
This configuration describes the set of resources required to:
- (prerequisite) Create and configure an Azure Key vault resource to host an encryption key for Azure Machine Learning.
- Create an Azure Machine Learning workspace and dependent resources, and configure it for encryption with the above encryption key.
When using a customer-managed key, Azure Machine Learning creates a secondary resource group in your subscription which contains a Cosmos DB resource, an Azure Storage resource, and an Azure Search resource. For more information, see encryption at rest - Cosmos DB.
Resources
Provider and type | Description |
---|---|
Microsoft.Insights/components | An Azure Application Insights instance associated with the Azure Machine Learning workspace |
Microsoft.KeyVault/vaults | An Azure Key Vault instance associated with the Azure Machine Learning workspace |
Microsoft.Storage/storageAccounts | An Azure Storage instance associated with the Azure Machine Learning workspace |
Microsoft.ContainerRegistry/registries | An Azure Container Registry instance associated with the Azure Machine Learning workspace |
Microsoft.MachineLearningServices/workspaces | An Azure Machine Learning workspace instance |
Variables
Name | Description |
---|---|
name | Name of the deployment |
environment | The prefix to add to resource names, e.g. dev / test / prod. |
location | The Azure region to use for deployments. |
hbi_workspace | Specifies whether to reduce telemetry collection and enable additional encryption. |
encryption_status | Specifies whether the Azure Machine Learning workspace should be encrypted with a customer-managed key. |
cmk_keyvault | The resource ID of an existing Azure Key Vault. This key vault must contain the encryption key used to encrypt the workspace. |
cmk_keyvault_key_uri | The URI of the encryption key stored in the key vault. |
Prerequisites
Before using this template, you must meet the following requirements:
- The Azure Machine Learning service principal must have contributor access to your Azure subscription.
- You must have an existing Azure Key Vault that contains an encryption key.
- The Azure Key Vault must exist in the same Azure region where you will create the Azure Machine Learning workspace.
- You must have an access policy in Azure Key Vault that grants get, wrap, and unwrap access to the Azure Cosmos DB application.
To add the Azure Machine Learning service principal as a contributor to your subscription, you can use the following steps in the Azure CLI or PowerShell for automation. Alternatively, complete the steps in the Azure Portal.
Add Azure Machine Learning as a contributor
- Use the Azure CLI or Azure PowerShell to authenticate and get your subscription ID:
Azure CLI:
az account list --query '[].[name,id]' --output tsv
PowerShell:
Get-AzSubscription
From the list of subscriptions, select the one you want to use and copy its subscription ID; you need it for the role assignment below.
- Get the object ID of the Azure Machine Learning service principal.
Azure CLI:
az ad sp list --display-name "Azure Machine Learning" --query '[].[appDisplayName,objectId]' --output tsv
PowerShell:
Get-AzADServicePrincipal -DisplayName "Azure Machine Learning" | Select-Object DisplayName, Id
- To add the service principal as a contributor to your subscription, use one of the following commands. Replace <subscription-ID> with your subscription ID and <object-ID> with the ID of the service principal:
Azure CLI:
az role assignment create --role 'Contributor' --assignee-object-id <object-ID> --subscription <subscription-ID>
PowerShell:
New-AzRoleAssignment -ObjectId <object-ID> -RoleDefinitionName "Contributor" -Scope /subscriptions/<subscription-ID>
Add a key for encryption
To generate a key in an existing Azure Key Vault, you can use the prereq template or complete the steps manually in the Azure Portal.
Enable customer-managed keys for Azure Cosmos DB
See the data encryption section of Enterprise Security for Azure Machine Learning and Configure customer-managed keys for your Azure Cosmos account.
Add an access policy to the key vault
To add an access policy for Azure Cosmos DB to the key vault, use the following steps:
- Get the object ID of the Azure Cosmos DB service principal, and save the ID for the Azure Cosmos DB access policy entry.
Azure CLI:
az ad sp list --display-name "Azure Cosmos DB" --query '[].[appDisplayName,objectId]' --output tsv
PowerShell:
Get-AzADServicePrincipal -DisplayName "Azure Cosmos DB" | Select-Object DisplayName, Id
- To set the policy, use the following command. Replace <keyvault-name> with the name of the key vault and <object-ID> with the ID of the service principal:
Azure CLI:
az keyvault set-policy --name <keyvault-name> --object-id <object-ID> --key-permissions get unwrapKey wrapKey
PowerShell:
Set-AzKeyVaultAccessPolicy -VaultName <keyvault-name> -ObjectId <object-ID> -PermissionsToKeys get, unwrapKey, wrapKey
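Before deploying, it is worth verifying the key vault prerequisites listed above from the vault's actual state rather than assuming the policy command took effect. The following is an added example, not part of this template or its documentation: a Python check that reads the JSON printed by az keyvault show --name <keyvault-name> (a constructed sample with made-up object IDs, vault name and region is embedded so it runs offline), confirms the vault is in the workspace's region, and confirms that the Azure Cosmos DB principal's access policy grants get, wrapKey and unwrapKey. Grants beyond those three are reported as warnings, since the CMK principal needs nothing more.

```python
import json
import sys

# Key permissions the access-policy step above grants to the Azure Cosmos DB principal.
REQUIRED_KEY_PERMISSIONS = {"get", "unwrapKey", "wrapKey"}

# Constructed sample shaped like `az keyvault show --name <keyvault-name>` output,
# reduced to the fields this check reads. IDs, names and region are made up.
SAMPLE_VAULT_JSON = json.dumps({
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aml-dev"
          "/providers/Microsoft.KeyVault/vaults/kv-aml-dev",
    "location": "westeurope",
    "properties": {
        "accessPolicies": [
            {   # an operator identity with broad key permissions (not the CMK principal)
                "objectId": "11111111-1111-1111-1111-111111111111",
                "permissions": {"keys": ["get", "list", "create", "delete"], "secrets": ["get"]},
            },
            {   # the Azure Cosmos DB service principal, granted exactly what CMK needs
                "objectId": "22222222-2222-2222-2222-222222222222",
                "permissions": {"keys": ["get", "unwrapKey", "wrapKey"], "secrets": []},
            },
        ]
    },
})


def check_vault_prerequisites(vault_json, cosmos_sp_object_id, workspace_location):
    """Check a Key Vault description against the prerequisites for a CMK workspace.

    Returns (problems, warnings): `problems` must be fixed before deploying,
    `warnings` flag key permissions broader than the CMK principal needs.
    """
    vault = json.loads(vault_json)
    problems, warnings = [], []

    # Prerequisite: the vault must be in the same region as the workspace.
    vault_location = (vault.get("location") or "").lower()
    if vault_location != workspace_location.lower():
        problems.append(f"vault is in {vault_location!r}, workspace region is {workspace_location!r}")

    # Prerequisite: an access policy for the Cosmos DB principal with get/wrapKey/unwrapKey.
    policies = (vault.get("properties") or {}).get("accessPolicies") or []
    matching = [p for p in policies if (p.get("objectId") or "").lower() == cosmos_sp_object_id.lower()]
    if not matching:
        problems.append(f"no access policy for object ID {cosmos_sp_object_id}")
        return problems, warnings

    # Permission names are compared case-insensitively (the CLI prints them in mixed case).
    granted = {perm.lower() for p in matching for perm in ((p.get("permissions") or {}).get("keys") or [])}
    missing = sorted(perm for perm in REQUIRED_KEY_PERMISSIONS if perm.lower() not in granted)
    if missing:
        problems.append(f"object ID {cosmos_sp_object_id} lacks key permissions: {missing}")
    extra = sorted(granted - {perm.lower() for perm in REQUIRED_KEY_PERMISSIONS})
    if extra:
        warnings.append(f"object ID {cosmos_sp_object_id} holds key permissions beyond get/wrapKey/unwrapKey: {extra}")
    return problems, warnings


if __name__ == "__main__":
    # Usage: az keyvault show --name <keyvault-name> | python check_vault.py <cosmos-object-ID> <region>
    # With no arguments the embedded sample is checked instead.
    if len(sys.argv) == 3:
        vault_json, object_id, region = sys.stdin.read(), sys.argv[1], sys.argv[2]
    else:
        vault_json, object_id, region = SAMPLE_VAULT_JSON, "22222222-2222-2222-2222-222222222222", "westeurope"
    problems, warnings = check_vault_prerequisites(vault_json, object_id, region)
    for line in problems:
        print("PROBLEM:", line)
    for line in warnings:
        print("WARNING:", line)
    print("vault ready for CMK deployment" if not problems else "vault not ready")
```

The object ID passed in is the one returned by the az ad sp list command above for "Azure Cosmos DB"; the check deliberately matches on object ID rather than display name because the access policy stores only the ID.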
Look up cmk_keyvault and cmk_keyvault_key_uri
Use the command below to find the required value for the cmk_keyvault template parameter. The value is an Azure Resource Manager resource ID of the following format: /subscriptions/<subscription id>/resourceGroups/<rg name>/providers/Microsoft.KeyVault/vaults/<keyvault-name>
Azure CLI:
az keyvault show --name <keyvault-name>
PowerShell:
Get-AzKeyVault -VaultName '<keyvault-name>'
Use the command below to find the required value for the cmk_keyvault_key_uri template parameter. The kid property of the output is the cmk_keyvault_key_uri, and has the following format: https://<keyvault-name>.vault.azure.net/keys/<key-name>/<key-version>
Azure CLI:
az keyvault key show --vault-name <keyvault-name> --name <key-name>
PowerShell:
Get-AzKeyVaultKey -VaultName '<keyvault-name>' -Name '<key-name>'
Use these parameters as input to the workspace deployment template.
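The two values are easy to get subtly wrong (an unversioned key URI, or a key URI that points at a different vault than cmk_keyvault names), and the deployment only fails later. The following is an added example, not part of this template: Python that parses both values against the formats given above, rejects inconsistent or unversioned input, and writes an ARM deployment-parameters file for the Variables table. The parameter names follow that table; the assumption that encryption_status takes the value "Enabled" for a CMK workspace, the public-cloud vault DNS suffix, and the sample subscription, resource group, vault and key names are all made up for the example.

```python
import json
import re
from urllib.parse import urlparse

# Resource ID format for cmk_keyvault:
# /subscriptions/<subscription id>/resourceGroups/<rg name>/providers/Microsoft.KeyVault/vaults/<keyvault-name>
VAULT_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$",
    re.IGNORECASE,
)
# Key URI path format for cmk_keyvault_key_uri (the kid property): /keys/<key-name>/<key-version>
KEY_PATH_RE = re.compile(r"^/keys/(?P<key>[^/]+)/(?P<version>[^/]+)$")
# Assumption: public-cloud vault DNS suffix; sovereign clouds use a different suffix.
VAULT_DNS_SUFFIX = ".vault.azure.net"

# Constructed sample values (made up for this example).
SAMPLE_VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aml-dev"
                   "/providers/Microsoft.KeyVault/vaults/kv-aml-dev")
SAMPLE_KEY_URI = "https://kv-aml-dev.vault.azure.net/keys/aml-cmk/0123456789abcdef0123456789abcdef"


def parse_vault_id(vault_id):
    """Split a Key Vault resource ID into subscription, resource group and vault name."""
    m = VAULT_ID_RE.match(vault_id)
    if not m:
        raise ValueError(f"cmk_keyvault is not a Key Vault resource ID: {vault_id!r}")
    return m.groupdict()


def parse_key_uri(key_uri):
    """Split a key URI into vault name, key name and key version; reject unversioned URIs."""
    u = urlparse(key_uri)
    if u.scheme != "https":
        raise ValueError("cmk_keyvault_key_uri must be an https URI")
    host = u.netloc.lower()
    if not host.endswith(VAULT_DNS_SUFFIX):
        raise ValueError(f"cmk_keyvault_key_uri host must end in {VAULT_DNS_SUFFIX}: {host!r}")
    m = KEY_PATH_RE.match(u.path)
    if not m:
        raise ValueError("cmk_keyvault_key_uri must have the form .../keys/<key-name>/<key-version>")
    return {"vault": host[: -len(VAULT_DNS_SUFFIX)], "key": m["key"], "version": m["version"]}


def build_parameters(name, environment, location, vault_id, key_uri, hbi_workspace=True):
    """Return an ARM deployment-parameters document for the template's variables.

    Assumption: parameter names follow the Variables table, and encryption_status
    takes the value "Enabled" when a customer-managed key is used.
    """
    vault = parse_vault_id(vault_id)
    key = parse_key_uri(key_uri)
    # The key must live in the vault that cmk_keyvault refers to.
    if vault["vault"].lower() != key["vault"]:
        raise ValueError(f"key URI points at vault {key['vault']!r} but cmk_keyvault names {vault['vault']!r}")
    values = {
        "name": name,
        "environment": environment,
        "location": location,
        "hbi_workspace": hbi_workspace,
        "encryption_status": "Enabled",
        "cmk_keyvault": vault_id,
        "cmk_keyvault_key_uri": key_uri,
    }
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {k: {"value": v} for k, v in values.items()},
    }


if __name__ == "__main__":
    # Prints a parameters file; redirect it to a file and pass that file to the deployment
    # with `az deployment group create --parameters @<file>`.
    doc = build_parameters("aml-cmk", "dev", "westeurope", SAMPLE_VAULT_ID, SAMPLE_KEY_URI)
    print(json.dumps(doc, indent=2))
```

Rejecting an unversioned URI up front matters because the format above includes <key-version>: the workspace is bound to one key version, and a URI without one is not the value the kid property returns.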
Learn more
If you are new to Azure Machine Learning, see:
- Azure Machine Learning service
- Azure Machine Learning documentation
- Enterprise security and governance for Azure Machine Learning.
- Azure Machine Learning template reference
To learn about encryption with Azure Machine Learning, see:
If you are new to template development, see:
- Azure Resource Manager documentation
- Use an Azure Resource Manager template to create a workspace for Azure Machine Learning
- Quickstart templates
Tags: Microsoft.Storage/storageAccounts, Microsoft.KeyVault/vaults, Microsoft.Insights/components, Microsoft.ContainerRegistry/registries, Microsoft.MachineLearningServices/workspaces, systemAssigned, Microsoft.KeyVault/vaults/keys