Release Notes - Azure Integration
Updated at September 5th, 2023
Alright then, keep your data
Securely and seamlessly host your labelling assets while providing the Sama platform with the limited access it needs.
With this release, data can be stored in Azure Blob Storage and accessed for annotation without being duplicated in Sama's storage network. This can greatly accelerate annotation onboarding and delivers results faster.
📘 Note
As of September 1st, 2023, images, videos and 3D are all supported!
How it works
Assets and other internal data stay firmly under client control in a cloud storage container, and native Identity and Access Management (IAM) roles and policies grant Sama access to that data. This simplifies data distribution and asset handoff, and needs minimal setup on either the Azure or the Project end.
How Sama Authenticates with Your Azure Instance
- Sama obtains a token from AWS Cognito Identity set up in your Azure instance.
- Using the token from AWS Cognito Identity, Sama authenticates with Azure AD. This process results in obtaining a workload identity. In our context, this workload identity corresponds to an App registration that has Federated credentials configured.
- Finally, Sama communicates with Azure Blob Storage using the acquired workload identity. This allows Sama to manage resources within the Storage Account and Storage Container that have been pre-configured.
Workload identities provide a method for securely accessing Azure resources, eliminating the need for the storage and management of secrets, such as usernames, passwords, or client secrets.
Read more about workload identities
Workload identities in Azure come in two main types: Azure AD Applications and Managed Identities.
- Azure AD Applications: These are applications or services that have been registered within Azure AD. Each possesses its own unique identity and can authenticate and access Azure resources by using this identity. Specific characteristics of Azure AD Applications include:
- They are capable of obtaining access tokens from Azure AD. These tokens can then be used to access Azure resources, APIs, or other services, according to the permissions that have been assigned to the identity.
- They can establish trusted relationships with other identity providers (for example, AWS Cognito Identity). This trust is established by acknowledging tokens issued by these external identity providers, thereby enabling cross-access to resources among different cloud providers. This is typically achieved using App registrations.
- They leverage protocols such as OAuth 2.0 or OpenID Connect to acquire access tokens.
- They can be designated specific roles and permissions, allowing for a nuanced control of access to Azure resources. Access rights are determined based on the roles assigned to the identity.
- Managed identities: These are tightly bound to the Azure resources they belong to, and are used to authenticate to and directly access those associated resources.
📘 Note
Sama's integration with Azure doesn't make use of managed identities.
Steps to set up Azure with Sama
1. Set Up Azure Storage:
   - Create or use an existing Azure Storage Account.
   - Create or use an existing Azure Storage Container.
2. Register an Azure Application:
   - Go to App registrations and register an application for Sama.
   - Save the Application (client) ID and the Directory (tenant) ID for future use.
3. Configure Federated Credentials:
   - Within the Sama application's page, select "Certificates & Secrets" from the menu and create new Federated credentials.
   - Under the "Federated credential scenario" field, select "Other issuer".
   - Input the following details:
     - Issuer (provided by Sama): https://cognito-identity.amazonaws.com
     - Subject identifier: eu-west-1:72a28b0b-b4cc-443f-9032-a397c1ef692a
     - Audience: eu-west-1:e4639e61-9b32-4a7f-aeb9-9987f28d102d
4. Grant Access to Azure Storage:
   - Go to your Azure Storage Container and/or Account and select "Access Control (IAM)" from the menu.
   - Add a Role assignment for the registered Sama application with the following roles:
     - Storage Blob Data Contributor (for the Azure Storage Container)*
     - Storage Blob Delegator (for the Azure Storage Account)
5. Configure Resource sharing (CORS):
   - Select Resource sharing (CORS) from the menu.
   - In Blob Storage, set:
     - "Allowed origins" to app.sama.com
     - "Allowed methods" to GET
     - "Max Age" to 3000
6. Configure Sama Account:
   - Navigate to your organization details page in https://accounts.sama.com.
   - Fill in the "Integration Azure" section with your Azure Application client ID and tenant ID and save the values.
   - Fill in the Azure Storage Account and Storage Container fields to which you want processed assets to be written.*
7. Test Your Configuration:
   - Validate your setup by using a URL to access an asset in your Azure Storage Container.
* Assets are processed (transformed) on the Sama Platform for compatibility. The steps above store these processed assets in your Azure Storage for the Sama workforce. If you prefer using Sama's storage:
- In step 4, select Storage Blob Data Reader instead of Storage Blob Data Contributor.
- In step 6, skip entering the Azure Storage Account and Storage Container fields.
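The federated credential created in step 3 is the whole trust relationship between the Cognito token and your App registration: Azure AD accepts the token only when its issuer, subject and audience claims match exactly what you entered. The following Python example is added here to make that matching concrete; it is not Sama's or Azure's code. It builds constructed, unsigned JWTs carrying the three claims from this page (Cognito Identity tokens carry the identity id in `sub` and the identity pool id in `aud`), then checks them against the configured credential the way Azure AD's policy does. Signature verification against the issuer's published keys is deliberately left out; Azure AD performs it at exchange time and the demo shows only the claim policy. The `FederatedCredential` class, `make_unsigned_token` and `check` helpers, and the second token's placeholder ids are assumptions of this example.

```python
import base64
import json
from dataclasses import dataclass


# Federated identity credential as configured in step 3 (values from this page).
@dataclass(frozen=True)
class FederatedCredential:
    issuer: str
    subject: str
    audience: str


SAMA_FIC = FederatedCredential(
    issuer="https://cognito-identity.amazonaws.com",
    subject="eu-west-1:72a28b0b-b4cc-443f-9032-a397c1ef692a",
    audience="eu-west-1:e4639e61-9b32-4a7f-aeb9-9987f28d102d",
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    Verifying the signature against the issuer's JWKS is Azure AD's job at token
    exchange time; this helper only exposes the claims the credential is matched on.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def matches_federated_credential(claims: dict, fic: FederatedCredential) -> list[str]:
    """Return the names of the claims that violate the trust policy (empty = accepted).

    Azure AD requires an exact match on iss, sub and aud for a federated identity
    credential; a token differing in any of them is refused, so a token from a
    different Cognito identity pool cannot obtain this application's identity.
    """
    problems = []
    if claims.get("iss") != fic.issuer:
        problems.append("iss")
    if claims.get("sub") != fic.subject:
        problems.append("sub")
    aud = claims.get("aud")
    # RFC 7519 allows aud to be a single string or a list of strings.
    audiences = aud if isinstance(aud, list) else [aud]
    if fic.audience not in audiences:
        problems.append("aud")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (empty signature segment) for the demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample: the three relevant claims of a token from the expected pool.
GOOD_TOKEN = make_unsigned_token({
    "iss": "https://cognito-identity.amazonaws.com",
    "sub": "eu-west-1:72a28b0b-b4cc-443f-9032-a397c1ef692a",
    "aud": "eu-west-1:e4639e61-9b32-4a7f-aeb9-9987f28d102d",
})

# Constructed sample: same trusted issuer, but minted for some other identity pool
# (placeholder ids, not real Cognito identifiers).
OTHER_POOL_TOKEN = make_unsigned_token({
    "iss": "https://cognito-identity.amazonaws.com",
    "sub": "eu-west-1:00000000-0000-0000-0000-000000000000",
    "aud": "eu-west-1:00000000-0000-0000-0000-000000000000",
})


def check(token: str) -> list[str]:
    """Decode the token and evaluate it against the Sama federated credential."""
    return matches_federated_credential(jwt_claims(token), SAMA_FIC)


if __name__ == "__main__":
    print("expected identity:", check(GOOD_TOKEN) or "accepted")
    print("other pool:", check(OTHER_POOL_TOKEN) or "accepted")
```

Running the script accepts the first token and reports `['sub', 'aud']` for the second: trusting the Cognito issuer alone is not what grants access; the subject and audience pin the trust to one identity in one pool, which is why those two values must be copied exactly as provided.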