Use Azure AD identity with your machine learning web service in Azure Kubernetes Service

In this how-to, you learn how to assign an Azure Active Directory (Azure AD) identity to your deployed machine learning model in Azure Kubernetes Service. The Azure AD Pod Identity project allows applications to access cloud resources securely with Azure AD by using a Managed Identity and Kubernetes primitives. This allows your web service to securely access your Azure resources without having to embed credentials or manage tokens directly inside your score.py script. This article explains the steps to create and install an Azure Identity in your Azure Kubernetes Service cluster and assign the identity to your deployed web service.

Prerequisites

Create and install an Azure Identity

  1. To determine if your AKS cluster is Kubernetes RBAC enabled, use the following command:

    az aks show --name <AKS cluster name> --resource-group <resource group name> --subscription <subscription id> --query enableRbac

    This command returns a value of true if Kubernetes RBAC is enabled. This value determines the command to use in the next step.

  2. Install Azure AD Pod Identity in your AKS cluster.

  3. Create an Identity on Azure following the steps shown in the Azure AD Pod Identity project page.

  4. Deploy AzureIdentity following the steps shown in the Azure AD Pod Identity project page.

  5. Deploy AzureIdentityBinding following the steps shown in the Azure AD Pod Identity project page.

  6. If the Azure Identity created in the previous step is not in the same node resource group as your AKS cluster, follow the Role Assignment steps shown in the Azure AD Pod Identity project page.

Assign Azure Identity to web service

The following steps use the Azure Identity created in the previous section and assign it to your AKS web service through a selector label.

First, identify the name and namespace of the deployment in your AKS cluster that you want to assign the Azure Identity to. You can get this information by running the following command. The namespace should be your Azure Machine Learning workspace name, and your deployment name should be your endpoint name as shown in the portal.

    kubectl get deployment --selector=isazuremlapp=true --all-namespaces --show-labels

Add the Azure Identity selector label to your deployment by editing the deployment spec. The selector value should be the one that you defined in step 5 of Deploy AzureIdentityBinding.

    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentityBinding
    metadata:
      name: demo1-azure-identity-binding
    spec:
      AzureIdentity: <a-idname>
      Selector: <label value to match>

Edit the deployment to add the Azure Identity selector label. Go to the following section under /spec/template/metadata/labels. You should see values such as isazuremlapp: "true". Add the aad-pod-identity label as shown below.

    kubectl edit deployment/<name of deployment> -n azureml-<name of workspace>

    spec:
      template:
        metadata:
          labels:
            aadpodidbinding: "<value of Selector in AzureIdentityBinding>"
            ...

To verify that the label was correctly added, run the following command. You should also see the statuses of the newly created pods.

    kubectl get pod -n azureml-<name of workspace> --show-labels

Once the pods are up and running, the web services for this deployment will be able to access Azure resources through your Azure Identity without having to embed the credentials in your code.
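The identity is only attached when the value of the aadpodidbinding pod label matches the Selector of an AzureIdentityBinding that in turn names an existing AzureIdentity; a typo, or the label placed on the Deployment object instead of its pod template, leaves the pods silently without an identity. The following added example (not part of the original article) cross-checks those three objects offline. It works on constructed sample items shaped like the output of `kubectl get azureidentity,azureidentitybinding,deployment -o json`; the object names and namespace are invented for the example.

```python
import json

LABEL_KEY = "aadpodidbinding"  # the pod label that aad-pod-identity matches bindings on

# Constructed sample objects, shaped like the items you would get from
# `kubectl get azureidentity,azureidentitybinding,deployment -o json`.
SAMPLE_IDENTITIES = json.loads("""
[
  {"kind": "AzureIdentity", "metadata": {"name": "demo1-azure-identity"}}
]
""")

SAMPLE_BINDINGS = json.loads("""
[
  {"kind": "AzureIdentityBinding",
   "metadata": {"name": "demo1-azure-identity-binding"},
   "spec": {"AzureIdentity": "demo1-azure-identity", "Selector": "demo1-selector"}},
  {"kind": "AzureIdentityBinding",
   "metadata": {"name": "stale-binding"},
   "spec": {"AzureIdentity": "deleted-identity", "Selector": "stale-selector"}}
]
""")

SAMPLE_DEPLOYMENTS = json.loads("""
[
  {"kind": "Deployment",
   "metadata": {"name": "sklearn-endpoint", "namespace": "azureml-myws"},
   "spec": {"template": {"metadata": {"labels":
      {"isazuremlapp": "true", "aadpodidbinding": "demo1-selector"}}}}},
  {"kind": "Deployment",
   "metadata": {"name": "label-on-wrong-level", "namespace": "azureml-myws",
                "labels": {"aadpodidbinding": "demo1-selector"}},
   "spec": {"template": {"metadata": {"labels": {"isazuremlapp": "true"}}}}},
  {"kind": "Deployment",
   "metadata": {"name": "typo-endpoint", "namespace": "azureml-myws"},
   "spec": {"template": {"metadata": {"labels":
      {"isazuremlapp": "true", "aadpodidbinding": "demo1-selecter"}}}}}
]
""")


def check_pod_identity(identities, bindings, deployments):
    """Return a list of (severity, object, message) findings."""
    findings = []
    identity_names = {i["metadata"]["name"] for i in identities}

    # Map each binding's Selector to the AzureIdentity it grants.
    selector_to_identity = {}
    for b in bindings:
        name = b["metadata"]["name"]
        spec = b.get("spec", {})
        identity, selector = spec.get("AzureIdentity"), spec.get("Selector")
        if identity not in identity_names:
            findings.append(("error", name,
                             f"binding references AzureIdentity '{identity}', which does not exist"))
            continue
        selector_to_identity[selector] = identity

    for d in deployments:
        name = f"{d['metadata'].get('namespace', 'default')}/{d['metadata']['name']}"
        pod_labels = (d.get("spec", {}).get("template", {})
                       .get("metadata", {}).get("labels", {}))
        value = pod_labels.get(LABEL_KEY)
        if value is None:
            # The label must be on the pod template; on the Deployment object it does nothing.
            if LABEL_KEY in d["metadata"].get("labels", {}):
                findings.append(("error", name,
                                 f"'{LABEL_KEY}' is on metadata.labels instead of "
                                 "spec.template.metadata.labels; pods get no identity"))
            else:
                findings.append(("warn", name,
                                 f"no '{LABEL_KEY}' label; pods run without an Azure Identity"))
        elif value not in selector_to_identity:
            findings.append(("error", name,
                             f"'{LABEL_KEY}={value}' matches no AzureIdentityBinding Selector"))
        else:
            findings.append(("ok", name, f"pods get identity '{selector_to_identity[value]}'"))
    return findings


if __name__ == "__main__":
    for severity, obj, msg in check_pod_identity(SAMPLE_IDENTITIES, SAMPLE_BINDINGS,
                                                 SAMPLE_DEPLOYMENTS):
        print(f"[{severity}] {obj}: {msg}")
```

Run against a live cluster by feeding it the `items` arrays from the three `kubectl get ... -o json` calls; an `ok` line for the deployment is what you want to see before trusting the `DefaultAzureCredential` call in score.py.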

Assign roles to your Azure Identity

Assign your Azure Managed Identity the appropriate roles to access other Azure resources. Ensure that the roles you are assigning have the correct Data Actions. For example, the Storage Blob Data Reader role will have read permissions to your Storage Blob, while the generic Reader role might not.
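The distinction between Actions and Data Actions is what makes Reader insufficient: its `*/read` wildcard covers control-plane reads but the list of data actions is empty. The following added example (not from the original article) evaluates a role definition the way Azure RBAC does for a single role, with case-insensitive matching, `*` spanning path segments, and Not*Actions removing grants, and reports which data actions an identity's assigned roles fail to cover. The role definitions are constructed and abbreviated for the example; check the live definitions in your tenant with `az role definition list`.

```python
from fnmatch import fnmatchcase

# Constructed, abbreviated role definitions shaped like `az role definition list -o json`
# output. Sample data for this example only, not the authoritative definitions.
SAMPLE_ROLES = {
    "Reader": {
        "permissions": [{"actions": ["*/read"], "notActions": [],
                         "dataActions": [], "notDataActions": []}]},
    "Storage Blob Data Reader": {
        "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                         "notActions": [],
                         "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
                         "notDataActions": []}]},
    "Key Vault Secrets User": {
        "permissions": [{"actions": [], "notActions": [],
                         "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                                         "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
                         "notDataActions": []}]},
}

# The data-plane operations the two score.py snippets in this article need.
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
SECRET_GET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"


def _matches(patterns, operation):
    """Operation strings are case-insensitive and a '*' wildcard spans '/' segments."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role, operation, data_action=True):
    """True if a permission block grants `operation` and the same block's
    Not*Actions does not take it back. data_action selects the data-plane lists."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_action
                           else ("actions", "notActions"))
    for perm in role.get("permissions", []):
        if (_matches(perm.get(allow_key, []), operation)
                and not _matches(perm.get(deny_key, []), operation)):
            return True
    return False


def uncovered_data_actions(needed, assigned_role_names, roles=SAMPLE_ROLES):
    """Return the data actions that none of the assigned roles grants."""
    return [op for op in needed
            if not any(role_allows(roles[name], op) for name in assigned_role_names)]


if __name__ == "__main__":
    needed = [BLOB_READ, SECRET_GET]
    for assigned in (["Reader"], ["Storage Blob Data Reader", "Key Vault Secrets User"]):
        missing = uncovered_data_actions(needed, assigned)
        print(f"{assigned}: {'all covered' if not missing else 'missing ' + ', '.join(missing)}")
```

Keep the `needed` list to exactly the operations score.py performs; the roles that cover it and nothing more are the ones to assign to the identity.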

Use Azure Identity with your web service

Deploy a model to your AKS cluster. The score.py script can contain operations pointing to the Azure resources that your Azure Identity has access to. Ensure that you have installed the required client library dependencies for the resource that you are trying to access. Below are a couple of examples of how you can use your Azure Identity to access different Azure resources from your service.

Access Key Vault from your web service

If you have given your Azure Identity read access to a secret inside a Key Vault, your score.py can access it using the following code.

    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    my_vault_name = "yourkeyvaultname"
    my_vault_url = "https://{}.vault.azure.cn/".format(my_vault_name)
    my_secret_name = "sample-secret"

    # This will use your Azure Managed Identity
    credential = DefaultAzureCredential()
    secret_client = SecretClient(
        vault_url=my_vault_url,
        credential=credential)
    # secret.value holds the secret string; keep it out of logs and responses
    secret = secret_client.get_secret(my_secret_name)

Important

This example uses DefaultAzureCredential. To grant your identity access using a specific access policy, see Assign a Key Vault access policy using the Azure CLI.

Access Blob from your web service

If you have given your Azure Identity read access to data inside a Storage Blob, your score.py can access it using the following code.

    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobServiceClient

    my_storage_account_name = "yourstorageaccountname"
    my_storage_account_url = "https://{}.blob.core.windows.net/".format(my_storage_account_name)

    # This will use your Azure Managed Identity
    credential = DefaultAzureCredential()
    blob_service_client = BlobServiceClient(
        account_url=my_storage_account_url,
        credential=credential
    )
    blob_client = blob_service_client.get_blob_client(container="some-container", blob="some_text.txt")
    # download_blob() returns a stream; readall() reads the whole blob into memory as bytes
    blob_data = blob_client.download_blob()
    blob_bytes = blob_data.readall()

Next steps

  • For more information on how to use the Python Azure Identity client library, see the repository on GitHub.
  • For a detailed guide on deploying models to Azure Kubernetes Service clusters, see the how-to.