Azure Machine Learning workspace cannot access Datastore, Container Registry

Vengathesa Sarma, Satya 10 Reputation points
2024-09-19T16:35:55.04+00:00

Hi,

I have created an Azure Machine Learning workspace, giving it a user-assigned identity. This identity has both a contributor role over the whole resource group, and a Key Vault Secrets Officer role over the key vault used by the AML workspace.

It was working fine and I was able to run ML pipelines until recently. Now the AML workspace can no longer access its default datastore, nor the container registry. The error I get is the following (see screenshot):

Credential Service error due to user error.This can occur if the system assigned managed identity of the workspace does not have access to the key vault. Please add workspace managed identity as Contributor for the key vault associated with the workspace. Please make sure that you are passing valid secret names and that the keyvault https://keyvaultURL

The issue is that the user-assigned identity of the workspace has both roles I mentioned and should be able to access the vault. It also worked in the past, and I do not know what causes this, since the managed identity was not modified.

What could have caused this issue and what fix can I implement? Deleting the workspace is not an option for now, as I have some Machine Learning real-time endpoints which I use.

Thanks


2 answers

  1. romungi-MSFT 48,221 Reputation points Microsoft Employee
    2024-09-24T07:42:47.6333333+00:00

    @Vengathesa Sarma, Satya Could you try to assign another UAI with contributor access to the keyvault? Looking at the table mentioned in this link, I see the keyvault needs contributor + additional roles.

    User's image

    I am not sure what could have caused this if there is no change in UAI, but you could check if there is any policy that is added that could restrict access to the workspace or any change in scope or resource group of the resources with a move operation.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.


  2. romungi-MSFT 48,221 Reputation points Microsoft Employee
    2024-10-10T05:49:25.13+00:00

    Posting OP resolution as answer.

    Issue: Following issue seen in ML portal.

    User's image

    Resolution:

    User ended up having to delete the workspace and its vault and recreate them to fix the issue.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
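
The first answer suggests checking for a change in scope or resource group after a move operation. The sketch below is an added example, not code from the thread or from Microsoft: it takes role-assignment records shaped like the JSON that `az role assignment list` returns (`principalId`, `roleDefinitionName`, `scope`) and reports which of the two roles named in the question no longer reach the vault. All IDs, resource names and the moved-vault scenario are constructed.

```python
# Added example. Role names come from the question; every ID and name is constructed.
REQUIRED_ROLES = {"Contributor", "Key Vault Secrets Officer"}

def covers(assignment_scope, resource_id):
    """An Azure RBAC assignment applies to a resource when its scope is the
    resource itself or an ancestor (resource group, subscription, root)."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    # The trailing "/" stops "rg-ml" from matching "rg-ml2".
    return a == "" or r == a or r.startswith(a + "/")

def effective_roles(assignments, principal_id, resource_id):
    """Role names the principal holds at resource_id, inherited ones included."""
    return {
        a["roleDefinitionName"]
        for a in assignments
        if a["principalId"] == principal_id and covers(a["scope"], resource_id)
    }

def missing_roles(assignments, principal_id, resource_id, required=REQUIRED_ROLES):
    """Required roles that do not reach the resource for this principal."""
    return sorted(set(required) - effective_roles(assignments, principal_id, resource_id))

# Constructed sample data.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
UAI = "11111111-1111-1111-1111-111111111111"  # principal ID of the user-assigned identity
RG_SCOPE = SUB + "/resourceGroups/rg-ml"
VAULT = RG_SCOPE + "/providers/Microsoft.KeyVault/vaults/kv-example"
# The same vault after a hypothetical move to another resource group.
VAULT_MOVED = SUB + "/resourceGroups/rg-other/providers/Microsoft.KeyVault/vaults/kv-example"

ASSIGNMENTS = [
    {"principalId": UAI, "roleDefinitionName": "Contributor", "scope": RG_SCOPE},
    {"principalId": UAI, "roleDefinitionName": "Key Vault Secrets Officer", "scope": VAULT},
]

if __name__ == "__main__":
    print("original vault, missing:", missing_roles(ASSIGNMENTS, UAI, VAULT))
    print("moved vault, missing:   ", missing_roles(ASSIGNMENTS, UAI, VAULT_MOVED))
```

The check covers role-assignment scope only; it does not model deny assignments or a vault that uses access policies instead of Azure RBAC.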
