Use Managed Identity for Cognitive Services accounts
Security · Cognitive Services · 2022_09
Configure managed identities to access Azure resources.
Description
Cognitive Services must authenticate to Azure resources such as storage accounts. To authenticate to Azure resources, Cognitive Services can use managed identities.
Using Azure managed identities has the following benefits:
- You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
- Managed identities can be used without any additional cost.
Recommendation
Consider configuring a managed identity for each Cognitive Services account.
Examples
Configure with Azure template
To deploy accounts that pass this rule:
- Set `identity.type` to `SystemAssigned` or `UserAssigned`.
- If `identity.type` is `UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:
Azure Template snippet
```json
{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2022-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "S0"
  },
  "kind": "CognitiveServices",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {
      "defaultAction": "Deny"
    },
    "disableLocalAuth": true
  }
}
```
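The two pass conditions listed above can be checked against a template before deployment. The following Python is an added example, not this rule's own implementation or code from the original page; the function names and the sample template are constructed for illustration, and it assumes the template's `resources` array is flat.

```python
import json

ACCOUNT_TYPE = "Microsoft.CognitiveServices/accounts"

# Constructed sample template (not from the original page): one account per case.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.CognitiveServices/accounts", "name": "system-assigned", "identity": {"type": "SystemAssigned"}},
    {"type": "Microsoft.CognitiveServices/accounts", "name": "user-assigned",
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {
       "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'id-cog')]": {}}}},
    {"type": "Microsoft.CognitiveServices/accounts", "name": "user-assigned-no-ref", "identity": {"type": "UserAssigned"}},
    {"type": "Microsoft.CognitiveServices/accounts", "name": "identity-none", "identity": {"type": "None"}},
    {"type": "Microsoft.CognitiveServices/accounts", "name": "no-identity-block"},
    {"type": "Microsoft.Storage/storageAccounts", "name": "ignored"}
  ]
}
""")


def check_account(resource):
    """Return a failure reason for one account resource, or None if it passes."""
    identity = resource.get("identity") or {}
    # ARM also accepts the combined value "SystemAssigned, UserAssigned".
    kinds = {k.strip().lower() for k in str(identity.get("type", "")).split(",") if k.strip()}
    if not kinds & {"systemassigned", "userassigned"}:
        return "identity.type is not SystemAssigned or UserAssigned"
    if "userassigned" in kinds and not identity.get("userAssignedIdentities"):
        return "identity.type is UserAssigned but identity.userAssignedIdentities is empty"
    return None


def find_failures(template):
    """Map account name -> failure reason for accounts without a usable managed identity."""
    failures = {}
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() != ACCOUNT_TYPE.lower():
            continue
        reason = check_account(resource)
        if reason:
            failures[resource.get("name", "<unnamed>")] = reason
    return failures


if __name__ == "__main__":
    for name, reason in find_failures(SAMPLE_TEMPLATE).items():
        print(f"FAIL {name}: {reason}")
```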
Configure with Bicep
To deploy accounts that pass this rule:
- Set `identity.type` to `SystemAssigned` or `UserAssigned`.
- If `identity.type` is `UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:
Azure Bicep snippet
```bicep
resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'S0'
  }
  kind: 'CognitiveServices'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
    }
    disableLocalAuth: true
  }
}
```
Links
- Use identity-based authentication
- Azure Policy built-in policy definitions for Azure Cognitive Services
- Azure deployment reference
Last update: 2022-12-03