Azure Workload Identities
How to authenticate using workload identities instead of user credentials.
Authenticating Using Workload Identities Instead of User Credentials
Workload identities enable you to define a cloud workload that will have access to your Deep Lake organization without authenticating using Deep Lake user tokens. This enables users to manage and define Deep Lake permissions for jobs that many not be attributed to a specific user.
Set up a Workload Identity using the following steps:
- Define an Azure Managed Identity in your cloud
- Attached the Azure Managed Identity to your workload
-
Create a Deep Lake Workload Identity using the Azure Managed Identity
-
Run the workload in Azure
Step 1: Define the workload identity in Azure
-
Navigate to Managed Identities in Azure
-
Click
Create
a Managed Identity -
Select the
Subscription
andResource Group
containing the workload, and give the Managed Identity aName
. ClickReview + Create
.
Step 2: Attached the Azure Managed Identity to your workload
When creating or updating a resource that will serve as the Client running Deep Lake, assign the Managed Identity from Step 1 to this resource.
For example, in Azure Machine Learning Studio, when creating a compute instance, toggle Assign Identity
and select the Managed Identity
from Step 1.
Step 3: Create a Deep Lake Workload Identity using the Azure Managed Identity
Navigate to the Permissions
tab for your organization in the Deep Lake App, locate the Workload Identities
, and select Add
.
Specify a Display Name
, Client ID
(for the Managed Identity), and Tenant ID
. The Client ID
can be found in the main page for the Managed Identity, and the Tenant ID
can be found in Tenant Properties
in Azure. Click Add
.
Step 4: Run the workload
Specify the environmental variables below in the Deep Lake client and run other Deep APIs as normal.
#### THIS IS THE CLIENT_ID FOR THE COMPUTE INSTANCE
#### NOT THE MANAGED IDENTITY
os.environ["AZURE_CLIENT_ID"] = <azure_client_id>
os.environ["ACTIVELOOP_AUTH_PROVIDER"] = "azure"
Specifying the AZURE_CLIENT_ID
is not necessary in some environments because the correct value may automatically be set.
For a compute instance in the Azure Machine Learning Studio, the Client ID can be found in instance settings below: