Secure Azure AI Services : Authentication (Part 2)

By Ashwin Venugopal -

 






Token-based Authentication

Certain AI systems support (or even require) token-based authentication when utilizing the REST interface. In these situations, the initial request for an authentication token, which has a 10-minute validity period, presents the subscription key. To confirm that the caller has been authenticated, the token must be presented in subsequent requests.

Note- When using an SDK, the calls to obtain and present a token are handled for you by the SDK.

Microsoft Entra ID Authentication

You may give access to particular service principals or managed identities for apps and services operating in Azure due to the support of Azure AI services for Microsoft Entra ID authentication.  A cloud-based identification and access management system is called Microsoft Entra ID.

There are different ways you can authenticate against Azure AI services using Microsoft Entra ID:

Authenticate Using Service Principals

The overall process to authenticate against Azure AI services using service principals is as follows:

  • Create a custom subdomain- You can create a custom subdomain in different ways including through the Azure portal, Azure CLI, or PowerShell. After that, you can create your Azure AI services resource specifying a custom subdomain. Once created, your subdomain name will be returned in the response.

  • Assign a role to a service principal- You've created an Azure AI resource that is linked with a custom subdomain. Next, you assign a role to a service principal. To start, you'll need to register an application. This creates the application resource. Then you use the New-AzADServicePrincipal command to create a service principal and provide your application's ID. Finally, you can assign the Cognitive Services Users role to your service principal.

Authenticate Using Managed Identities

Managed identities are two types:

  • System-assigned managed identity- A virtual machine that requires access to Azure AI services is an example of a resource to which a managed identity is generated and associated. The identity gets erased along with the resource.

  • User-assigned managed identity- Instead of being restricted to a single resource, the managed identity is designed to be utilized by several. It is not dependent on any one resource.

You can assign each type of managed identity to a resource either during creation of the resource, or after it has already been created.

Conclusion

We have successfully learnt about various types of authentication.

 

 







Comments

Post a Comment

Popular posts from this blog

Information Protection Scanner: Resolve Issues with Information Protection Scanner Deployment

By Ashwin Venugopal -
Image
  About If you are experiencing problems with the Microsoft Purview Information Protection scanner, check the health of your deployment by utilizing the Start-ScannerDiagnosticsPowerShell cmdlet to start the scanner diagnostic tool. The diagnostics tool checks the following details and then creates a log files with the results: Whether the database is up to date. Whether network URLs are accessible. Whether there's a valid authentication token and policy can be acquired. Whether the profile is defined in the Azure portal. Whether offline/online configuration exists and can be acquired. Whether the rules configured are valid.  The Start-ScannerDiagnostics command does not perform a comprehensive check of prerequisites. If you encounter problems with the scanner, you need to verify that your system meets the scanner's requirements, and that your scanner's configuration and installation are finished.  Verify Scanning Details Per Scanner Node and Repository Run the Get-ScanSt...
Read more

How AMI Store & Restore Works?

By Ashwin Venugopal -
Image
  CreateStoreImageTask The CreateStoreImageTask API stores an AMI as a single object in an S3 bucket. The API initiates a task that collects all the data from the AMI and its associated snapshots, subsequently using an S3 multipart upload to store this data in an S3 object. It gathers all elements of the AMI, including most of the non-Region-specific metadata and all EBS snapshots included in the AMI, and consolidates them into a single object in S3. During the upload process, the data is compressed to minimize the space utilized in S3, which means that the S3 object could be smaller than the total sizes of the snapshots in the AMI. If the account making this API call has access to AMI and snapshot tags, they will be retained. The S3 object shares the same ID as the AMI, except it has a .bin extension. Additionally, the S3 metadata tags for the object include the AMI name, AMI description, AMI registration date, AMI owner account, and a timestamp indicating when the store operation...
Read more

Create A Store Image Task

By Ashwin Venugopal -
Image
  Introduction When you save an AMI in an S3 bucket, a task for storing the image is initiated. This store image task allows you to track the progress and result of the procedure. Securing your AMIs It is crucial to verify that the S3 bucket is set up with adequate security to protect the content of the AMI and that this security is upheld for the entire duration that the AMI objects are stored in the bucket. If this cannot be achieved, it is advisable to refrain from using these APIs. Make sure that public access to the S3 bucket is prohibited. It is suggested to activate Server-side encryption for the S3 buckets where you keep the AMIs, even though it’s not mandatory. When AMI snapshots are transferred to the S3 object, they are sent over TLS connections. It is possible to save AMIs that contain encrypted snapshots; however, the snapshots will be decrypted during the storing process. Identify the source AMI used to create a new Amazon EC2 AMI You can determine the AMI that was us...
Read more