IBM Support

Implement a new approach to credentials for Decision Optimization in Watson Machine Learning

How To


Summary

This note applies to Decision Optimization deployments and solutions in Watson Machine Learning.
Before September 29th, 2021, you need to change the way you provide credentials to access data assets.

Objective

Previously, you could include credentials to directly access a data asset, such as content from Cloud Object Storage or a DB2 table, when you specified the data source for a deployment or Decision Optimization solution in Watson Machine Learning. To simplify the process for connecting to remote data and to avoid the risk of exposing credentials, it will no longer be possible to directly connect to a data asset. Instead, you will create a connection to the data asset to securely store the credentials, and then access the data asset using connection attributes.
This change applies to the WML REST API (/ml/v4) as well as to the WML python client  (ibm-watson-machine-learning package).
Here's an example of a previous payload configuration for Cloud Object Storage:
{
  "id": "solution.json",
  "type": "s3",
  "connection": {
    "endpoint_url": "https://s3.eu-gb.cloud-object-storage.appdomain.cloud",
    "access_key_id": "xxxxxx_my_access_key_id_xxxxxxx",
    "secret_access_key": "xxx_my_secret_access_key_xxxxxx"
  },
  "location": {
    "bucket": "test-lp",
    "path": "solution.json"
  }
}
The new approach to credentials avoids the inclusion of access keys directly in the payload.
Starting September 29th, including inline credentials will no longer work and will generate an error. As a replacement, you can use a connection asset, which stores details of the connection in your deployment space. The connection can be used along with a particular location that points to your input data.

Steps

The easiest way to create a new connection is to use the user interface in Cloud Pak for Data as a Service. Connect to your deployment space and choose Add to space. Select Connection and the type of connection you want to create, for example Cloud Object Storage (infrastructure).
Fill in the credentials including URL, and test your connection.
Edit connection screen

Give your connection a name and save it.

After you reopen the connection, you can get its from the URL. You will need this id to create the deployment job. The URL looks like:

https://dataplatform.cloud.ibm.com/connections/zxxxx_connection_id_xxxxxx?space_id=xxxxxx_space_id_xxxxxxx&context=cpdaas

This process can be automated in a script, and you can use the API described here to create connections programmatically.

The call should be something like.

POST https://api.dataplatform.cloud.ibm.com/v2/connections/?space_id=xxxxxx_space_id_xxxxxxx
Headers:
	>Authorization=[Bearer XXXXX]
	>Content-Type=[application/json]
Entity:
	{
	 "name" : "MYNAME",
	 "datasource_type" : "4bf2dedd-3809-4443-96ec-b7bc5726c07b",
	 "origin_country" : "us",
	 "properties" : {
	  "url" : "https://s3.us-south.objectstorage.softlayer.net",
	  "access_key" : "xxxxxxxx",
	  "secret_key" : "yyyyyyyyyyy"
	 }

You are now ready to modify your deployment job payload to use the newly created connection.

You should modify your payload as shown below.

The of the connection is used in the connection section. Note that this is much safer than previous mechanism where credentials were inserted here. The information included here is useless without the corresponding hidden apikeys.

The and property are set (exactly as before) to point to the particular file you want to use in the Cloud Object Storage instance.

{
  "id": "solution.json",
  "type": "connection_asset",
  "connection": {
    "href": "/v2/connections/xxxxx_my_connection_id_xxxx?space_id=xxxx_my_space_id_xxxxxxx",
  },
  "location": {
    "bucket": "test-lp",
    "file_name": "solution.json"
  }
}

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS6JFP","label":"IBM Decision Optimization for Watson Studio"},"ARM Category":[{"code":"a8m0z000000bnloAAA","label":"Modeling->DO"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
20 October 2021

UID

ibm16470611

Page Feedback