Azure: passing secrets without relying on Azure KeyVaults
I am building an Azure ML Pipeline for batch scoring. In one step I need to access a key stored in the workspace's Azure Keyvault.
However, I want to strictly separate the authoring environment (responsible for creating the datasets, building the environment, building and running the pipeline) and the production environment (responsible for transforming data, running the prediction etc.).
Therefore, code in the production environment should be somewhat Azure agnostic. I want to be able to submit my inference script to Google Cloud Compute Instances, if needed.
Thus my question is:
What is the best practice to pass secrets to remote runs without having the remote script retrieve it from the keyvault itself?
Is there a way to have redacted environment variables or command line arguments?
Thanks!
Example of what I would like to happen:
```python
# import all azure dependencies
secret = keyvault.get_secret("my_secret")
pipeline_step = PythonScriptStep(
    script_name="step_script.py",
    arguments=["--input_data", input_data, "--output_data", output_data],
    compute_target=compute,
    params={"secret": secret},  # This will create an env var on the remote?
)
pipeline = Pipeline(workspace, steps=[pipeline_step])
PipelineEndpoint.publish(...)
```

And within step_script.py:

```python
# No imports from azureml!
import os

secret = os.getenv("AML_PARAMETER_secret")
do_something(secret)
```
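An added example, not part of the original question and not Azure ML's own code: one way to keep step_script.py cloud-agnostic is to read the secret from the `AML_PARAMETER_`-prefixed variable used above, or from a file path, and to mask the value in the script's own logs. The `_FILE` variable convention and the names `load_secret`, `RedactingFilter` and `redacted_logger` are assumptions made for illustration; the file-mounted case goes slightly beyond what the question asks.

```python
import logging
import os
from pathlib import Path

# Assumptions for illustration (not from the original post): the "_FILE"
# variable convention and the helper names below.
ENV_PREFIX = "AML_PARAMETER_"  # prefix read by the question's step script
MASK = "***REDACTED***"


def load_secret(name, environ=None):
    """Read a secret from <prefix><name>_FILE (a mounted file) if set,
    otherwise from <prefix><name>. No cloud SDK is imported."""
    env = os.environ if environ is None else environ
    path = env.get(f"{ENV_PREFIX}{name}_FILE")
    if path:
        return Path(path).read_text(encoding="utf-8").strip()
    value = env.get(f"{ENV_PREFIX}{name}")
    if not value:
        raise KeyError(f"secret {name!r} was not provided to this run")
    return value


class RedactingFilter(logging.Filter):
    """Mask known secret values in a record before a handler emits it."""

    def __init__(self, secrets):
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record):
        message = record.getMessage()  # merge args first, then mask
        for secret in self._secrets:
            message = message.replace(secret, MASK)
        record.msg, record.args = message, None
        return True


def redacted_logger(name, secrets, handler=None):
    """Return a logger whose handler masks the given secret values."""
    if handler is None:
        handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter(secrets))
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger
```

The filter only rewrites the log message text; exception tracebacks and anything printed outside `logging` are not covered.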