
Use Managed Identity for Cognitive Services accounts

Security · Cognitive Services · 2022_09

Configure managed identities to access Azure resources.

Description

Cognitive Services must authenticate to Azure resources such as storage accounts. To authenticate to Azure resources, Cognitive Services can use managed identities.

Using Azure managed identities has the following benefits:

  • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
  • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
  • Managed identities can be used without any additional cost.

Recommendation

Consider configuring a managed identity for each Cognitive Services account.

Examples

Configure with Azure template

To deploy accounts that pass this rule:

  • Set the identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet
{
    "type": "Microsoft.CognitiveServices/accounts",
    "apiVersion": "2022-03-01",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "identity": {
        "type": "SystemAssigned"
    },
    "sku": {
        "name": "S0"
    },
    "kind": "CognitiveServices",
    "properties": {
        "publicNetworkAccess": "Disabled",
        "networkAcls": {
            "defaultAction": "Deny"
        },
        "disableLocalAuth": true
    }
}

Configure with Bicep

To deploy accounts that pass this rule:

  • Set the identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet
resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'S0'
  }
  kind: 'CognitiveServices'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
    }
    disableLocalAuth: true
  }
}
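The two bullet lists above describe the same condition for both the Azure template and Bicep forms: a Cognitive Services account passes when identity.type is SystemAssigned or UserAssigned, and a UserAssigned identity must actually be referenced under identity.userAssignedIdentities. The following Python script is an added example written for this page; it is not part of PSRule for Azure or the project's own rule implementation. It applies that condition to the resources of an exported ARM template (the JSON form shown in the first example; Bicep compiles to the same resource shape) and reports which accounts fail and why. The sample template it evaluates is constructed for this example, and the case-insensitive handling of identity.type and the acceptance of the combined "SystemAssigned, UserAssigned" value are assumptions made here rather than behaviour documented on this page.

```python
import json

# Resource type this rule applies to (from the page's examples).
COGNITIVE_TYPE = "Microsoft.CognitiveServices/accounts"


def check_identity(resource: dict) -> tuple[bool, str]:
    """Return (passed, reason) for one resource according to the rule above.

    Passes when identity.type names SystemAssigned and/or UserAssigned, and,
    when UserAssigned is present, identity.userAssignedIdentities is non-empty.
    Assumption: identity.type is compared case-insensitively and the combined
    value "SystemAssigned, UserAssigned" is accepted.
    """
    identity = resource.get("identity") or {}
    raw_type = str(identity.get("type", "None"))
    parts = {p.strip().lower() for p in raw_type.split(",") if p.strip()}

    if not parts & {"systemassigned", "userassigned"}:
        return False, f"identity.type is '{raw_type}'; expected SystemAssigned or UserAssigned"

    if "userassigned" in parts:
        referenced = identity.get("userAssignedIdentities") or {}
        if not referenced:
            return False, "identity.type includes UserAssigned but identity.userAssignedIdentities is empty"

    return True, "managed identity configured"


def evaluate_template(template: dict) -> list[tuple[str, bool, str]]:
    """Evaluate every Cognitive Services account in an ARM template.

    Returns a list of (resource name, passed, reason); other resource types
    are ignored because the rule does not apply to them.
    """
    results = []
    for resource in template.get("resources", []):
        if resource.get("type") != COGNITIVE_TYPE:
            continue
        passed, reason = check_identity(resource)
        results.append((resource.get("name", "<unnamed>"), passed, reason))
    return results


# Constructed sample template: one account passes with a system-assigned
# identity, one passes with a referenced user-assigned identity, one declares
# UserAssigned without referencing an identity, and one has no identity at all.
# The storage account at the end must be ignored by the check.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.CognitiveServices/accounts",
      "apiVersion": "2022-03-01",
      "name": "cog-system",
      "location": "eastus",
      "identity": { "type": "SystemAssigned" },
      "sku": { "name": "S0" },
      "kind": "CognitiveServices",
      "properties": { "disableLocalAuth": true }
    },
    {
      "type": "Microsoft.CognitiveServices/accounts",
      "apiVersion": "2022-03-01",
      "name": "cog-user",
      "location": "eastus",
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
          "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'id-placeholder')]": {}
        }
      },
      "sku": { "name": "S0" },
      "kind": "CognitiveServices",
      "properties": {}
    },
    {
      "type": "Microsoft.CognitiveServices/accounts",
      "apiVersion": "2022-03-01",
      "name": "cog-user-unreferenced",
      "location": "eastus",
      "identity": { "type": "UserAssigned" },
      "sku": { "name": "S0" },
      "kind": "CognitiveServices",
      "properties": {}
    },
    {
      "type": "Microsoft.CognitiveServices/accounts",
      "apiVersion": "2022-03-01",
      "name": "cog-none",
      "location": "eastus",
      "sku": { "name": "S0" },
      "kind": "CognitiveServices",
      "properties": {}
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-05-01",
      "name": "stignored",
      "location": "eastus",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2"
    }
  ]
}
""")


if __name__ == "__main__":
    for name, passed, reason in evaluate_template(SAMPLE_TEMPLATE):
        print(f"{'PASS' if passed else 'FAIL'}  {name}: {reason}")
```

Run against a real template by replacing SAMPLE_TEMPLATE with json.load() of the exported file; the two failing rows in the sample are exactly the cases the bullet lists rule out, an identity.type that is not SystemAssigned or UserAssigned, and a UserAssigned type with nothing under identity.userAssignedIdentities.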

Last update: 2022-12-03
