Regenerate storage account access keys

APPLIES TO: Basic edition, Enterprise edition

Learn how to change the access keys for Azure Storage accounts used by Azure Machine Learning. Azure Machine Learning can use storage accounts to store data or trained models.

For security purposes, you may need to change the access keys for an Azure Storage account. When you regenerate the access key, Azure Machine Learning must be updated to use the new key. Azure Machine Learning may be using the storage account for both model storage and as a datastore.

Important

Credentials registered with datastores are saved in the Azure Key Vault associated with the workspace. If you have soft-delete enabled for your Key Vault, make sure to follow this article for updating credentials. Unregistering the datastore and re-registering it under the same name will fail.

Prerequisites

Note

The code snippets in this document were tested with version 1.0.83 of the Python SDK.

What needs to be updated

Storage accounts can be used by the Azure Machine Learning workspace (storing logs, models, snapshots, etc.) and as a datastore. The process to update the workspace is a single Azure CLI command, and can be run after updating the storage key. The process of updating datastores is more involved, and requires discovering what datastores are currently using the storage account and then re-registering them.

Important

Update the workspace using the Azure CLI, and the datastores using Python, at the same time. Updating only one or the other is not sufficient, and may cause errors until both are updated.

To discover the storage accounts that are used by your datastores, use the following code:

import azureml.core
from azureml.core import Workspace, Datastore

# Load the workspace from the local configuration file
ws = Workspace.from_config()

# The default datastore is backed by a storage account as well
default_ds = ws.get_default_datastore()
print("Default datastore: " + default_ds.name + ", storage account name: " +
      default_ds.account_name + ", container name: " + default_ds.container_name)

# List every registered datastore that uses Azure Blob or Azure File storage
datastores = ws.datastores
for name, ds in datastores.items():
    if ds.datastore_type == "AzureBlob":
        print("Blob store - datastore name: " + name + ", storage account name: " +
              ds.account_name + ", container name: " + ds.container_name)
    if ds.datastore_type == "AzureFile":
        print("File share - datastore name: " + name + ", storage account name: " +
              ds.account_name + ", container name: " + ds.container_name)

This code looks for any registered datastores that use Azure Storage and lists the following information:

  • Datastore name: The name of the datastore that the storage account is registered under.
  • Storage account name: The name of the Azure Storage account.
  • Container: The container in the storage account that is used by this registration.

It also indicates whether the datastore is for an Azure Blob or an Azure File share, as there are different methods to re-register each type of datastore.

If an entry exists for the storage account that you plan on regenerating access keys for, save the datastore name, storage account name, and container name.

Update the access key

To update Azure Machine Learning to use the new key, use the following steps:

Important

Perform all steps, updating both the workspace using the CLI, and datastores using Python. Updating only one or the other may cause errors until both are updated.

  1. Regenerate the key. For information on regenerating an access key, see Manage storage account access keys. Save the new key.

  2. The Azure Machine Learning workspace will automatically synchronize the new key and begin using it after an hour. To force the workspace to sync to the new key immediately, use the following steps:

    1. Sign in to the Azure subscription that contains your workspace by using the following Azure CLI command:

      az login
      

      Tip

      After logging in, you see a list of subscriptions associated with your Azure account. The subscription information with isDefault: true is the currently activated subscription for Azure CLI commands. This subscription must be the same one that contains your Azure Machine Learning workspace. You can find the subscription ID from the Azure portal by visiting the overview page for your workspace. You can also use the SDK to get the subscription ID from the workspace object. For example, Workspace.from_config().subscription_id.

      To select another subscription, use the az account set -s <subscription name or ID> command and specify the subscription name or ID to switch to. For more information about subscription selection, see Use multiple Azure Subscriptions.

    2. To update the workspace to use the new key, use the following command. Replace myworkspace with your Azure Machine Learning workspace name, and replace myresourcegroup with the name of the Azure resource group that contains the workspace.

      az ml workspace sync-keys -w myworkspace -g myresourcegroup
      

      Tip

      If you get an error message stating that the ml extension isn't installed, use the following command to install it:

      az extension add -n azure-cli-ml
      

      This command automatically syncs the new keys for the Azure storage account used by the workspace.

  3. You can re-register datastore(s) that use the storage account via the SDK or the Azure Machine Learning studio.

    1. To re-register datastores via the Python SDK, use the values from the What needs to be updated section and the key from step 1 with the following code.

      Since overwrite=True is specified, this code overwrites the existing registration and updates it to use the new key.

      # Re-register the blob container
      ds_blob = Datastore.register_azure_blob_container(workspace=ws,
                                                datastore_name='your datastore name',
                                                container_name='your container name',
                                                account_name='your storage account name',
                                                account_key='new storage account key',
                                                overwrite=True)
      # Re-register file shares
      ds_file = Datastore.register_azure_file_share(workspace=ws,
                                            datastore_name='your datastore name',
                                            file_share_name='your container name',
                                            account_name='your storage account name',
                                            account_key='new storage account key',
                                            overwrite=True)
      
      
    2. To re-register datastores via the studio, select Datastores from the left pane of the studio.

      1. Select which datastore you want to update.

      2. Select the Update credentials button on the top left.

      3. Use your new access key from step 1 to populate the form and click Save.

        If you are updating credentials for your default datastore, complete this step and repeat step 2b to resync your new key with the default datastore of the workspace.
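The discovery code and the SDK re-registration step combined into one pass, as an added example that is not part of the original article: it re-registers every blob or file share datastore backed by the rotated storage account with overwrite=True, and reads the new key from the environment so that it is not written into the script. The function name `reregister_for_account` and the environment variable names `ROTATED_ACCOUNT` and `NEW_STORAGE_KEY` are assumptions; the SDK calls are the ones used in the snippets above.

```python
import os

# datastore_type -> (Datastore method, keyword that names the container or share),
# both taken from the re-registration snippet in this article.
REGISTER = {
    "AzureBlob": ("register_azure_blob_container", "container_name"),
    "AzureFile": ("register_azure_file_share", "file_share_name"),
}


def reregister_for_account(ws, datastore_cls, account_name, new_key):
    """Re-register each datastore in ws that uses account_name; return their names."""
    if not new_key:
        raise ValueError("new storage account key is empty")
    updated = []
    for name, ds in ws.datastores.items():
        if ds.datastore_type not in REGISTER:
            continue  # not an Azure Blob or Azure File datastore
        if ds.account_name != account_name:
            continue  # backed by a different storage account
        method, container_kw = REGISTER[ds.datastore_type]
        getattr(datastore_cls, method)(
            workspace=ws,
            datastore_name=name,
            account_name=account_name,
            account_key=new_key,
            overwrite=True,  # update in place instead of unregistering first
            **{container_kw: ds.container_name},
        )
        updated.append(name)
    return updated


def main():
    # ROTATED_ACCOUNT and NEW_STORAGE_KEY are hypothetical environment variable names.
    account = os.environ.get("ROTATED_ACCOUNT")
    key = os.environ.get("NEW_STORAGE_KEY")
    if not (account and key):
        print("Set ROTATED_ACCOUNT and NEW_STORAGE_KEY, then run again.")
        return
    from azureml.core import Workspace, Datastore  # needs the Azure ML Python SDK
    ws = Workspace.from_config()
    names = reregister_for_account(ws, Datastore, account, key)
    print("Re-registered:", ", ".join(names) or "none")


if __name__ == "__main__":
    main()
```

The workspace itself still has to be synced with az ml workspace sync-keys, as step 2 describes.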

Next steps

For more information on registering datastores, see the Datastore class reference.