Use Managed Identity for Cognitive Services accounts

Security · Cognitive Services · Rule · 2022_09

Configure managed identities to access Azure resources.

Description

Cognitive Services must authenticate to Azure resources such storage accounts. To authenticate to Azure resources, Cognitive Services can use managed identities.

Using Azure managed identities have the following benefits:

• You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
• You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
• Managed identities can be used without any additional cost.

Recommendation

Consider configuring a managed identity for each Cognitive Services account.

Examples

Configure with Azure template

To deploy accounts that pass this rule:

• Set the identity.type to SystemAssigned or UserAssigned.
• If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet

{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "S0"
  },
  "kind": "CognitiveServices",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {
      "defaultAction": "Deny"
    },
    "disableLocalAuth": true
  }
}

Configure with Bicep

To deploy accounts that pass this rule:

• Set the identity.type to SystemAssigned or UserAssigned.
• If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet

resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'S0'
  }
  kind: 'CognitiveServices'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
    }
    disableLocalAuth: true
  }
}

Configure with Azure Policy

To address this issue at runtime use the following policies:

/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418

Links

• Use identity-based authentication
• Azure Policy built-in policy definitions for Azure AI services
• IM-1: Use centralized identity and authentication system
• IM-3: Manage application identities securely and automatically
• Azure deployment reference

---

Last update: 2023-10-01

Comments