Authenticating for programmatic access in Watson Machine Learning

You must use authentication for using Watson Machine Learning securely with Python client. Learn about the different authentication methods that are supported in Watson Machine Learning on Cloud Pak for Data.

Authentication methods for Watson Machine Learning on Cloud Pak for Data

You can authenticate by creating a Watson Machine Learning python client in the following ways:

For an example of authenticating by using notebook, see Machine learning Python samples and examples.

Authentication by using a token

You can use a token to authenticate by using notebook within Watson Studio. By using a token, you can mask your credentials. Therefore, using a token provides you with a more secure connection to the server.

You can use two types of tokens for authentication:

  • Authentication by using ZenApiKey token
  • Authentication by using bearer token

Authentication by using ZenApiKey token

The recommended method for authentication is to use ZenApiKey, which provides the most secure and reliable way for authentication.

Important:

You must generate a token before you can use it for authentication with the server. For more information, see Generating an API authorization token.

The following example shows how to authenticate by using a token:

wml_credentials = {
  "token": "<token>",
  "instance_id": "openshift",
  "url": "<web client url>",
  "version": "4.8"
}

from ibm_watson_machine_learning import APIClient
client = APIClient(wml_credentials)
Note:

You must replace your web client URL. For more information, see Finding the web client url.

Authentication by using bearer token

You can also use bearer token for authentication. You must generate a bearer token before you can use it for authentication. For more information, see Generating a bearer token.

Authentication by using credentials

If you are not storing your notebook within Watson Studio, you can bypass retrieving a token and authenticate with your Cloud Pak for Data credentials. You can create a python client and authenticate by using credentials in the following ways:

  • Creating the client by using username and password credentials
  • Creating the client by using username and apikey credentials

Creating the client by using username and password credentials

You can create a python client and authenticate by using your username and password.

The following example shows how to create the python client by using username/password credentials:

from ibm_watson_machine_learning import APIClient
wml_credentials = {
  "instance_id": "openshift",
  "url": "<platform URL>",
  "username": "<username>",
  "password": "<password>",
  "version": "4.8"
}
wml_client = APIClient(wml_credentials)
Note:

You must replace <web_client_url> with your web client URL. For more information, see Finding the web client url.

Creating the client by using username and apikey credentials

You can create a python client and authenticate by using your username and API key. To retrieve your API key from the UI, go to your profile page and click API Key.

The following example shows how to create the python client by using username and apikey credentials:

from ibm_watson_machine_learning import APIClient
wml_credentials = {
  "url": "<URL>",
  "username": "<USERNAME>",
  "apikey": "<APIKEY>",
  "instance_id": "openshift",
  "version": "4.8"
}
client = APIClient(wml_credentials)
Note:

You must replace <web_client_url> with your web client URL. For more information, see Finding the web client url.

Finding URLs for authentication

Learn how to find the IBM Cloud Pak foundational service URL and the web client URL.

Finding the IBM Cloud Pak foundational services URL

The IBM Cloud Pak foundational service URL describes the Red Hat OpenShift route, which is created by IBM Common Services. By default, the IBM Cloud Pak foundational services namespace is ibm-common-services. You can find the IBM Cloud Pak foundational services URL by using the following command:

oc get routes -n ibm-common-services

The command returns the following output:

NAME                HOST/PORT                     PATH   SERVICES                   PORT    TERMINATION            WILDCARD
<cp-console>        <foundational services url>          <service name>             https   reencrypt/Redirect     None
<cp-proxy>          <proxy URL>                          <service name>             https   passthrough/Redirect   None

Finding the web client URL

To find the web client url, view the details for the service instance from the address field in the web client.

For example, if your web browser shows this path when you are logged in to Watson Studio:

https://some-route.apps.your.server.company.com/<xyz>

Then, the web client url parameter must be set to
https://some-route.apps.your.server.company.com

For more information, see Endpoint URLs.

Troubleshooting

If you receive this message when you are creating an instance of the client:

Attempt of generating `bedrock_url` automatically failed. If iamintegration=True, provide `bedrock_url` in wml_credentials. If iamintegration=False, validate your credentials.

Check the contents of the wml_credentials dictionary for errors. If you don't find any errors and the issue still appears, check whether during CPD installation the iamintegration parameter was set to True.

If the iamintegration parameter was set to True, add this code snippet to the wml_credentials dictionary:

"bedrock_url": "<foundational services url>"

For more information, see Finding the IBM Cloud Pak foundational services URL.

Learn more

For an example of using authentication with a notebook, see Machine learning Python samples and examples.

Parent topic: Managing predictive deployments