How to fix Authorization Failure issue when Deploying online ML deployment in existing Endpoint from Azure container registry using .yml script .

Pandiri, Mahendar 0

I have an azure Container Registry repository where i have uploaded my ML Model as Docker image to deploy in Azure ML Workspace.

Using .yml script, i am creating Online ML Deployment in existing endpoint, which is causing Authorization Failure in between while script execution is in progress.

I already have Machine Leaning workspace, and ml Endpoint.

My endpoint public access is disabled.

Below is the sample .yml script for reference,

Error Details:

'https://management.azure.com/subscriptions/

Sina Salam 17,571 Reputation points

2025-02-12T19:13:30.6866667+00:00

Hello Pandiri, Mahendar,

Thank you for posting your question.

The sample .yml script for reference and error "Details" is not complete. Would you provide the information for better response.

Cheers
Pandiri, Mahendar 0 Reputation points

2025-02-12T19:17:09.3433333+00:00
Hi Sina,

Thanks for the response,

below the .yml script,

$schema: https://azuremlschemas.azureedge.net/latest/managedOnlineDeployment.schema.json

name: mldeploy-est-dev

endpoint_name: mlendpoint-est-dev

environment:

name: mlmodelenv

version: 28

image: myazurecontainerregistry.azurecr.io/my-ml-model:28

environment_variables:

MODEL_NAME: my-ml-model-beta

AZUREML_MODEL_DIR: "/app"

code_configuration:

code: C:\Projects\Python\machine-learning\azurenbomodelautomation\tempsourcecode\

scoring_script: score.py

instance_type: Standard_F2s_v2

instance_count: 1

egress_public_network_access: disabled

request_settings:

max_concurrent_requests_per_instance: 5

request_timeout_ms: 60000

Error Details:

azure.core.pipeline.policies._universal: Request URL: 'https://management.azure.com/subscriptions/<mysubsid>/resourceGroups/model-est-dev/providers/Microsoft.MachineLearningServices/workspaces/mlworkspace-est-dev/codes/ee377dbb/versions/1/startPendingUpload?api-version=2023-04-01'

Request method: 'POST'

Request headers:

'Content-Type': 'application/json' 'Content-Length': '47' 'Accept': 'application/json' 'x-ms-client-request-id': 'c-e5a0-11ef-acce-dc77b1' 'User-Agent': 'azureml-cli-v2/2.34.0 azure-ai-ml/1.24.0 azsdk-python-mgmt-machinelearningservices/0.1.0 Python/3.11.9 (Windows-10-10.0.22631-SP0)' 'Authorization': 'Bearer <mytoken>'

Request body:

{"pendingUploadType": "TemporaryBlobReference"}

urllib3.connectionpool: https://management.azure.com:443 "POST /subscriptions/<my subsid>/resourceGroups/mymodel-est-Dev/providers/Microsoft.MachineLearningServices/workspaces/mlworkspace-est-dev/codes/ee377dbb/versions/1/startPendingUpload?api-version=2023-04-01 HTTP/1.1" 200 944

azure.core.pipeline.policies._universal: Response status: '200'

Response headers:

'Cache-Control': 'no-cache' 'Pragma': 'no-cache' 'Content-Length': '944' 'Content-Type': 'application/json; charset=utf-8' 'Expires': '-1' 'Vary': 'Accept-Encoding' 'x-ms-ratelimit-remaining-subscription-global-writes': '2999' 'x-ms-ratelimit-remaining-subscription-writes': '199' 'Request-Context': 'appId=cid-v1:2d2e8e63-272e-4b3c-8598-4ee570a0e70d' 'x-ms-response-type': 'standard' 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' 'X-Content-Type-Options': 'nosniff' 'x-aml-cluster': 'vienna-eastus-01' 'x-request-time': '0.495' 'x-ms-request-id': '6b9821730099' 'x-ms-correlation-request-id': '6b9821730099' 'x-ms-routing-request-id': 'EASTUS2:20250207T221233Z:662b18f6-3985-42b1-a038-7b9821730099' 'X-Cache': 'CONFIG_NOCACHE' 'X-MSEdge-Ref': 'Ref A: 64E615A6B44343D4AD4392BF04B15DCA Ref B: MNZ221060609031 Ref C: 2025-02-07T22:12:33Z' 'Date': 'Fri, 07 Feb 2025 22:12:33 GMT'

Response content:

{

"blobReferenceForConsumption": {

"blobUri": "https://trestdev.blob.core.windows.net:443/17359kkdvrjgxinkfart7p1gu", "storageAccountArmId": "/subscriptions/mysubsid/resourceGroups/mymodel-Est-Dev/providers/Microsoft.Storage/storageAccounts/modelestdev", "credential": { "credentialType": "SAS", "sasUri": "https://trestdev.blob.core.windows.net/173596fb-7572ed3-gj5be3kkdu?skoid=48935b3b-33f1-41a3-b481-1930b46sktid=c921337c-1160-432a-b079-805f59112843&skt=2025-02-07T22%3A01%3A58Z&ske=2025-02-08T14%3A11%3A58Z&sks=b&skv=2019-07-07&sv=2021-10-04&st=2025-02-07T22%3A02%3A33Z&se=2025-02-08T06%3A12%3A33Z&sr=c&sp=rcwl&sig=1dahjkrh34825OF4I5s8NgwXLuR4E%3D" }

},

"pendingUploadId": "0690284ac894f",

"pendingUploadType": "None"

}

urllib3.connectionpool: Starting new HTTPS connection (1): transcriptionestdev.blob.core.windows.net:443

urllib3.connectionpool: https://transcriptionestdev.blob.core.windows.net:443 "HEAD /173596fb-7572-48e9-9fc5-7fbbef6d2ed3-gj5be3kkdvrjgxinkfart7p1gu/tempsourcecode/score.py?skoid=48935b3b-33f1-41a3-b481-1930b46c893e&sktid=c921337c-1160-432a-b079-805f59112843&skt=2025-02-07T22%3A01%3A58Z&ske=2025-02-08T14%3A11%3A58Z&sks=b&skv=2019-07-07&sv=2021-10-04&st=2025-02-07T22%3A02%3A33Z&se=2025-02-08T06%3A12%3A33Z&sr=c&sp=rcwl&sig=18Cahrs2RCbYh8%2FZAyOamz6Wnf0OF4I5s8NgwXLuR4E%3D HTTP/1.1" 403 0

Traceback (most recent call last):

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml\operations_online_deployment_operations.py", line 218, in begin_create_or_update

raise ex

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml\operations_online_deployment_operations.py", line 186, in begin_create_or_update

upload_dependencies(deployment, orchestrators)

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml_utils_endpoint_utils.py", line 158, in upload_dependencies

deployment.code_configuration.code = orchestrators.get_asset_arm_id( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml\operations_operation_orchestrator.py", line 238, in get_asset_arm_id

result = self._get_code_asset_arm_id(asset, register_asset=register_asset) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml\operations_operation_orchestrator.py", line 304, in _get_code_asset_arm_id

raise e

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml\operations_operation_orchestrator.py", line 279, in _get_code_asset_arm_id

code_asset = self._code_assets.create_or_update(code_asset) # type: ignore[attr-defined] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml_telemetry\activity.py", line 288, in wrapper

return f(*args, **kwargs) ^^^^^^^^^^^^^^^^^^ storage_client.check_blob_exists()

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml_artifacts_blob_storage_helper.py", line 226, in check_blob_exists

raise e

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml_artifacts_blob_storage_helper.py", line 184, in check_blob_exists

raise e

File "C:\Users\P3256021.azure\cliextensions\ml\azext_mlv2\manual\vendored_curated_sdk\azure\ai\ml_artifacts_blob_storage_helper.py", line 175, in check_blob_exists

properties = blob_client.get_blob_properties() ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

File "C:\Users\P3256021\AppData\Roaming\Python\Python311\site-packages\azure\core\tracing\decorator.py", line 105, in wrapper_use_tracer

return func(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^

File "C:\Users\P3256021\AppData\Roaming\Python\Python311\site-packages\azure\storage\blob_blob_client.py", line 1080, in get_blob_properties

process_storage_error(error)

File "C:\Users\P3256021\AppData\Roaming\Python\Python311\site-packages\azure\storage\blob_shared\response_handlers.py", line 186, in process_storage_error

exec("raise error from None") # pylint: disable=exec-used # nosec ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

File "<string>", line 1, in <module>

azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'This request is not authorized to perform this operation.'

ErrorCode:AuthorizationFailure
Pavankumar Purilla 3,325 Reputation points Microsoft Vendor

2025-02-12T20:13:33.0933333+00:00

Hi Pandiri, Mahendar,
Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!
It looks like you're facing an Authorization Failure when deploying an online ML deployment from Azure Container Registry (ACR) to an existing Azure Machine Learning (AML) endpoint using a .yml script.

Make sure to specify the container registry image under the environment/image section in your YAML file.

Additionally, ensure that:

Azure ML Managed Identity has Container Registry pull/read access (AcrPull role assigned).

Admin access is enabled on the Azure Container Registry (ACR).

For more details and a sample YAML file, refer to: Deploy an Online Endpoint in Azure ML.

I hope this information helps.
Pandiri, Mahendar 0 Reputation points

2025-02-12T20:28:00.3033333+00:00

@Sina Salam ,The comment mentioned got deleted. Can you report the comment.

Thank you.
Pandiri, Mahendar 0 Reputation points

2025-02-12T20:32:03.82+00:00

YML script:

$schema: https://azuremlschemas.azureedge.net/latest/managedOnlineDeployment.schema.json

name: mldeploy-est-dev

endpoint_name: <mlendpoint-est-dev>

environment:

name: mlmodelenv

version: 28

image: <myazurecontainerregistry.azurecr.io>/my-ml-model:28

environment_variables:

MODEL_NAME: my-ml-model-beta

AZUREML_MODEL_DIR: "/app"

code_configuration:

code: C:\Projects\Python\machine-learning\azurenbomodelautomation\tempsourcecode\

scoring_script: score.py

instance_type: Standard_F2s_v2

instance_count: 1

egress_public_network_access: disabled

request_settings:

max_concurrent_requests_per_instance: 5

request_timeout_ms: 60000

Error:

urllib3.connectionpool: Starting new HTTPS connection (1): <mystorage>.blob.core.windows.net:443

urllib3.connectionpool: https://<mystorage>.blob.core.windows.net:443 "HEAD /<reqid>/tempsourcecode/score.py?skoid=<> HTTP/1.1" 403 0

azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'This request is not authorized to perform this operation.'

ErrorCode:AuthorizationFailure
SriLakshmi C 2,730 Reputation points Microsoft Vendor

2025-02-13T02:24:55.9066667+00:00

Hi Pandiri, Mahendar,

The authorization failure seems to be occurring when attempting to access the storage account to retrieve the score.py script. To resolve this issue, ensure that the identity used for deployment has the necessary permissions to access the storage account. The identity should have at least the Storage Blob Data Reader role assigned.

If you are using a service principal, verify that it has the correct roles assigned.

If you are using a user-assigned identity, ensure that it has the Storage blob data reader permission on the workspace storage account and AcrPull permission on the workspace container registry. If you are using a system-assigned identity, Azure automatically grants the necessary permissions.

As you already mentioned in the query that disable public access, The issue may be caused by the egress_public_network_access setting in your YAML script, which is currently set to disabled. This configuration blocks all external access, including access to Azure Container Registry (ACR) and the storage account if they are not within the same virtual network. To resolve this, consider enabling public network access to ensure that the deployment can successfully retrieve necessary resources. Adjusting this setting will allow external communication while still maintaining security controls based on your network requirements. Please look into this below snippet,

If your Azure Container Registry (ACR) or Storage Account is not within the same Virtual Network (VNet) as your compute resource such as an Azure ML endpoint or VM the system may be unable to pull images or access data.

If your Azure OpenAI Service is configured to be accessed via a public endpoint, requests to it might be blocked due to network restrictions. To ensure seamless access, verify your network configuration and consider enabling appropriate access controls or integrating all necessary resources within the same VNet.

Kindly refer this Troubleshoot online endpoint deployment and scoring.

I Hope this helps. Do let me know if you have any further queries.
Thank you!
SriLakshmi C 2,730 Reputation points Microsoft Vendor

2025-02-14T10:16:27.6066667+00:00

Hi Pandiri, Mahendar,

Did you get any chance to review the above response. Thank you!

1 answer

Sina Salam 17,571 Reputation points

2025-02-13T10:46:33.18+00:00
Hello Pandiri, Mahendar,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you would like to fix Authorization Failure issue when Deploying online ML deployment in existing Endpoint from Azure container registry using .yml script.

A 403 AuthorizationFailure in Azure ML deployments typically stems from insufficient permissions or network restrictions blocking access to Azure Storage or Container Registry (ACR). Below is a structured steps to resolve these issues:

Authentication & Role Assignment Issues: Problem is that the Azure ML workspace’s managed identity lacks permissions to access the storage account hosting score.py. Specifically, the Storage Blob Data Contributor role is required to read/write blobs. If public network access is disabled, network rules might also block access. To fix this, follow the below steps:

In the Azure Portal, navigate to the storage account (e.g., modelestdev).

Under Access Control (IAM), grant the workspace’s managed identity (system- or user-assigned) the Storage Blob Data Contributor role.

For ACR, assign the AcrPull role to the same identity. CLI Command for Role Assignment:
az role assignment create --assignee <identity-id> --role "Storage Blob Data Contributor" --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storage>
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli)

If using a SAS token, regenerate it with rcwl (read, create, write, list) permissions:

az storage blob generate-sas --account-name <storage> --container-name <container> --name score.py --permissions rcwl --expiry 2025-02-09T23:59:59Z --https-only

Network Configuration: The problem lies in disabling public network access (egress_public_network_access: disabled) which blocks external access to storage/ACR unless private endpoints or trusted services are configured it might not work, but based on your requirement of nonpublic network. Follow this step to fix it:

Option 1: Use Private Endpoints

Create private endpoints for the storage account and ACR.

Link these endpoints to the same VNet as the Azure ML workspace. For more detail steps: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

Option 2: Allow Trusted Services

In the storage account/ACR firewall, enable: Allow Azure services on the trusted services list to access this resource

Code Configuration in YAML: The problem is that using a local path (e.g., C:\Projects\...) in code_configuration.code forces Azure ML to upload code to workspace storage. If permissions are misconfigured, this upload will continue to fail. You can also fix it by follow the steps below:

Reference code from cloud storage instead:
code_configuration: code: azureml:my_code_asset:1 # Pre-uploaded code asset scoring_script: score.py
For local development, ensure the workspace identity has write access to the storage account.

Environment Variables & Validation: You will need to explicitly set storage credentials in the YAML:
environment_variables: AZURE_STORAGE_ACCOUNT: "<storage>" AZURE_STORAGE_ACCESS_KEY: "<key>"

Last but not the least, for verification purposes, redeploy and authenticate your solution after the above is done:
az ml online-deployment create --file deployment.yml az login --identity # For managed identity

By addressing permissions, network rules, and code references, the 403 error should resolve. For further details, refer to:

https://learn.microsoft.com/en-us/azure/machine-learning/how-to-identity-based-service-authentication

https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-errors

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
Please sign in to rate this answer.
Pavankumar Purilla 3,325 Reputation points Microsoft Vendor

2025-02-14T23:44:11.4433333+00:00

Hi Pandiri, Mahendar,
Did you get any chance to review the above response. Thank you!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to fix Authorization Failure issue when Deploying online ML deployment in existing Endpoint from Azure container registry using .yml script .

1 answer

Your answer