Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
- Latest
- 2025-10-01-preview
- 2025-09-01
- 2025-07-01-preview
- 2025-06-01
- 2025-04-01
- 2025-04-01-preview
- 2025-01-01-preview
- 2024-10-01
- 2024-10-01-preview
- 2024-07-01-preview
- 2024-04-01
- 2024-04-01-preview
- 2024-01-01-preview
- 2023-10-01
- 2023-08-01-preview
- 2023-06-01-preview
- 2023-04-01
- 2023-04-01-preview
- 2023-02-01-preview
- 2022-12-01-preview
- 2022-10-01
- 2022-10-01-preview
- 2022-06-01-preview
- 2022-05-01
- 2022-02-01-preview
- 2021-03-01-preview
- 2020-05-01-preview
Bicep resource definition
The workspaces/datastores resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.MachineLearningServices/workspaces/datastores resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.MachineLearningServices/workspaces/datastores@2025-04-01' = {
parent: resourceSymbolicName
name: 'string'
properties: {
credentials: {
credentialsType: 'string'
// For remaining properties, see DatastoreCredentials objects
}
description: 'string'
properties: {
{customized property}: 'string'
}
tags: {
{customized property}: 'string'
}
datastoreType: 'string'
// For remaining properties, see DatastoreProperties objects
}
}
DatastoreCredentials objects
Set the credentialsType property to specify the type of object.
For AccountKey, use:
{
credentialsType: 'AccountKey'
secrets: {
key: 'string'
secretsType: 'string'
}
}
For Certificate, use:
{
authorityUrl: 'string'
clientId: 'string'
credentialsType: 'Certificate'
resourceUrl: 'string'
secrets: {
certificate: 'string'
secretsType: 'string'
}
tenantId: 'string'
thumbprint: 'string'
}
For None, use:
{
credentialsType: 'None'
}
For Sas, use:
{
credentialsType: 'Sas'
secrets: {
sasToken: 'string'
secretsType: 'string'
}
}
For ServicePrincipal, use:
{
authorityUrl: 'string'
clientId: 'string'
credentialsType: 'ServicePrincipal'
resourceUrl: 'string'
secrets: {
clientSecret: 'string'
secretsType: 'string'
}
tenantId: 'string'
}
OneLakeArtifact objects
Set the artifactType property to specify the type of object.
For LakeHouse, use:
{
artifactType: 'LakeHouse'
}
DatastoreProperties objects
Set the datastoreType property to specify the type of object.
For AzureBlob, use:
{
accountName: 'string'
containerName: 'string'
datastoreType: 'AzureBlob'
endpoint: 'string'
protocol: 'string'
resourceGroup: 'string'
serviceDataAccessAuthIdentity: 'string'
subscriptionId: 'string'
}
For AzureDataLakeGen1, use:
{
datastoreType: 'AzureDataLakeGen1'
resourceGroup: 'string'
serviceDataAccessAuthIdentity: 'string'
storeName: 'string'
subscriptionId: 'string'
}
For AzureDataLakeGen2, use:
{
accountName: 'string'
datastoreType: 'AzureDataLakeGen2'
endpoint: 'string'
filesystem: 'string'
protocol: 'string'
resourceGroup: 'string'
serviceDataAccessAuthIdentity: 'string'
subscriptionId: 'string'
}
For AzureFile, use:
{
accountName: 'string'
datastoreType: 'AzureFile'
endpoint: 'string'
fileShareName: 'string'
protocol: 'string'
resourceGroup: 'string'
serviceDataAccessAuthIdentity: 'string'
subscriptionId: 'string'
}
For OneLake, use:
{
artifact: {
artifactName: 'string'
artifactType: 'string'
// For remaining properties, see OneLakeArtifact objects
}
datastoreType: 'OneLake'
endpoint: 'string'
oneLakeWorkspaceName: 'string'
serviceDataAccessAuthIdentity: 'string'
}
Property Values
Microsoft.MachineLearningServices/workspaces/datastores
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9][a-zA-Z0-9\-_]{0,254}$ (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: workspaces |
| properties | [Required] Additional attributes of the entity. | DatastoreProperties (required) |
AccountKeyDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | [Required] Credential type used to authentication with storage. | 'AccountKey' (required) |
| secrets | [Required] Storage account secrets. | AccountKeyDatastoreSecrets (required) |
AccountKeyDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| key | Storage account key. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
AzureBlobDatastore
| Name | Description | Value |
|---|---|---|
| accountName | Storage account name. | string |
| containerName | Storage account container name. | string |
| datastoreType | [Required] Storage type backing the datastore. | 'AzureBlob' (required) |
| endpoint | Azure cloud endpoint for the storage account. | string |
| protocol | Protocol used to communicate with the storage account. | string |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| subscriptionId | Azure Subscription Id | string |
AzureDataLakeGen1Datastore
| Name | Description | Value |
|---|---|---|
| datastoreType | [Required] Storage type backing the datastore. | 'AzureDataLakeGen1' (required) |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| storeName | [Required] Azure Data Lake store name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| subscriptionId | Azure Subscription Id | string |
AzureDataLakeGen2Datastore
| Name | Description | Value |
|---|---|---|
| accountName | [Required] Storage account name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| datastoreType | [Required] Storage type backing the datastore. | 'AzureDataLakeGen2' (required) |
| endpoint | Azure cloud endpoint for the storage account. | string |
| filesystem | [Required] The name of the Data Lake Gen2 filesystem. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| protocol | Protocol used to communicate with the storage account. | string |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| subscriptionId | Azure Subscription Id | string |
AzureFileDatastore
| Name | Description | Value |
|---|---|---|
| accountName | [Required] Storage account name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| datastoreType | [Required] Storage type backing the datastore. | 'AzureFile' (required) |
| endpoint | Azure cloud endpoint for the storage account. | string |
| fileShareName | [Required] The name of the Azure file share that the datastore points to. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| protocol | Protocol used to communicate with the storage account. | string |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| subscriptionId | Azure Subscription Id | string |
CertificateDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| authorityUrl | Authority URL used for authentication. | string |
| clientId | [Required] Service principal client ID. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| credentialsType | [Required] Credential type used to authentication with storage. | 'Certificate' (required) |
| resourceUrl | Resource the service principal has access to. | string |
| secrets | [Required] Service principal secrets. | CertificateDatastoreSecrets (required) |
| tenantId | [Required] ID of the tenant to which the service principal belongs. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| thumbprint | [Required] Thumbprint of the certificate used for authentication. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
CertificateDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| certificate | Service principal certificate. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
DatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | Set to 'AccountKey' for type AccountKeyDatastoreCredentials. Set to 'Certificate' for type CertificateDatastoreCredentials. Set to 'None' for type NoneDatastoreCredentials. Set to 'Sas' for type SasDatastoreCredentials. Set to 'ServicePrincipal' for type ServicePrincipalDatastoreCredentials. | 'AccountKey' 'Certificate' 'None' 'Sas' 'ServicePrincipal' (required) |
DatastoreProperties
| Name | Description | Value |
|---|---|---|
| credentials | [Required] Account credentials. | DatastoreCredentials (required) |
| datastoreType | Set to 'AzureBlob' for type AzureBlobDatastore. Set to 'AzureDataLakeGen1' for type AzureDataLakeGen1Datastore. Set to 'AzureDataLakeGen2' for type AzureDataLakeGen2Datastore. Set to 'AzureFile' for type AzureFileDatastore. Set to 'OneLake' for type OneLakeDatastore. | 'AzureBlob' 'AzureDataLakeGen1' 'AzureDataLakeGen2' 'AzureFile' 'OneLake' (required) |
| description | The asset description text. | string |
| properties | The asset property dictionary. | ResourceBaseProperties |
| tags | Tag dictionary. Tags can be added, removed, and updated. | ResourceBaseTags |
LakeHouseArtifact
| Name | Description | Value |
|---|---|---|
| artifactType | [Required] OneLake artifact type | 'LakeHouse' (required) |
NoneDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | [Required] Credential type used to authentication with storage. | 'None' (required) |
OneLakeArtifact
| Name | Description | Value |
|---|---|---|
| artifactName | [Required] OneLake artifact name | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| artifactType | Set to 'LakeHouse' for type LakeHouseArtifact. | 'LakeHouse' (required) |
OneLakeDatastore
| Name | Description | Value |
|---|---|---|
| artifact | [Required] OneLake artifact backing the datastore. | OneLakeArtifact (required) |
| datastoreType | [Required] Storage type backing the datastore. | 'OneLake' (required) |
| endpoint | OneLake endpoint to use for the datastore. | string |
| oneLakeWorkspaceName | [Required] OneLake workspace name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
ResourceBaseProperties
| Name | Description | Value |
|---|
ResourceBaseTags
| Name | Description | Value |
|---|
SasDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | [Required] Credential type used to authentication with storage. | 'Sas' (required) |
| secrets | [Required] Storage container secrets. | SasDatastoreSecrets (required) |
SasDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| sasToken | Storage container SAS token. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
ServicePrincipalDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| authorityUrl | Authority URL used for authentication. | string |
| clientId | [Required] Service principal client ID. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| credentialsType | [Required] Credential type used to authentication with storage. | 'ServicePrincipal' (required) |
| resourceUrl | Resource the service principal has access to. | string |
| secrets | [Required] Service principal secrets. | ServicePrincipalDatastoreSecrets (required) |
| tenantId | [Required] ID of the tenant to which the service principal belongs. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
ServicePrincipalDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| clientSecret | Service principal secret. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
ARM template resource definition
The workspaces/datastores resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.MachineLearningServices/workspaces/datastores resource, add the following JSON to your template.
{
"type": "Microsoft.MachineLearningServices/workspaces/datastores",
"apiVersion": "2025-04-01",
"name": "string",
"properties": {
"credentials": {
"credentialsType": "string"
// For remaining properties, see DatastoreCredentials objects
},
"description": "string",
"properties": {
"{customized property}": "string"
},
"tags": {
"{customized property}": "string"
},
"datastoreType": "string"
// For remaining properties, see DatastoreProperties objects
}
}
DatastoreCredentials objects
Set the credentialsType property to specify the type of object.
For AccountKey, use:
{
"credentialsType": "AccountKey",
"secrets": {
"key": "string",
"secretsType": "string"
}
}
For Certificate, use:
{
"authorityUrl": "string",
"clientId": "string",
"credentialsType": "Certificate",
"resourceUrl": "string",
"secrets": {
"certificate": "string",
"secretsType": "string"
},
"tenantId": "string",
"thumbprint": "string"
}
For None, use:
{
"credentialsType": "None"
}
For Sas, use:
{
"credentialsType": "Sas",
"secrets": {
"sasToken": "string",
"secretsType": "string"
}
}
For ServicePrincipal, use:
{
"authorityUrl": "string",
"clientId": "string",
"credentialsType": "ServicePrincipal",
"resourceUrl": "string",
"secrets": {
"clientSecret": "string",
"secretsType": "string"
},
"tenantId": "string"
}
OneLakeArtifact objects
Set the artifactType property to specify the type of object.
For LakeHouse, use:
{
"artifactType": "LakeHouse"
}
DatastoreProperties objects
Set the datastoreType property to specify the type of object.
For AzureBlob, use:
{
"accountName": "string",
"containerName": "string",
"datastoreType": "AzureBlob",
"endpoint": "string",
"protocol": "string",
"resourceGroup": "string",
"serviceDataAccessAuthIdentity": "string",
"subscriptionId": "string"
}
For AzureDataLakeGen1, use:
{
"datastoreType": "AzureDataLakeGen1",
"resourceGroup": "string",
"serviceDataAccessAuthIdentity": "string",
"storeName": "string",
"subscriptionId": "string"
}
For AzureDataLakeGen2, use:
{
"accountName": "string",
"datastoreType": "AzureDataLakeGen2",
"endpoint": "string",
"filesystem": "string",
"protocol": "string",
"resourceGroup": "string",
"serviceDataAccessAuthIdentity": "string",
"subscriptionId": "string"
}
For AzureFile, use:
{
"accountName": "string",
"datastoreType": "AzureFile",
"endpoint": "string",
"fileShareName": "string",
"protocol": "string",
"resourceGroup": "string",
"serviceDataAccessAuthIdentity": "string",
"subscriptionId": "string"
}
For OneLake, use:
{
"artifact": {
"artifactName": "string",
"artifactType": "string"
// For remaining properties, see OneLakeArtifact objects
},
"datastoreType": "OneLake",
"endpoint": "string",
"oneLakeWorkspaceName": "string",
"serviceDataAccessAuthIdentity": "string"
}
Property Values
Microsoft.MachineLearningServices/workspaces/datastores
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2025-04-01' |
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9][a-zA-Z0-9\-_]{0,254}$ (required) |
| properties | [Required] Additional attributes of the entity. | DatastoreProperties (required) |
| type | The resource type | 'Microsoft.MachineLearningServices/workspaces/datastores' |
AccountKeyDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | [Required] Credential type used to authentication with storage. | 'AccountKey' (required) |
| secrets | [Required] Storage account secrets. | AccountKeyDatastoreSecrets (required) |
AccountKeyDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| key | Storage account key. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
AzureBlobDatastore
| Name | Description | Value |
|---|---|---|
| accountName | Storage account name. | string |
| containerName | Storage account container name. | string |
| datastoreType | [Required] Storage type backing the datastore. | 'AzureBlob' (required) |
| endpoint | Azure cloud endpoint for the storage account. | string |
| protocol | Protocol used to communicate with the storage account. | string |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| subscriptionId | Azure Subscription Id | string |
AzureDataLakeGen1Datastore
| Name | Description | Value |
|---|---|---|
| datastoreType | [Required] Storage type backing the datastore. | 'AzureDataLakeGen1' (required) |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| storeName | [Required] Azure Data Lake store name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| subscriptionId | Azure Subscription Id | string |
AzureDataLakeGen2Datastore
| Name | Description | Value |
|---|---|---|
| accountName | [Required] Storage account name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| datastoreType | [Required] Storage type backing the datastore. | 'AzureDataLakeGen2' (required) |
| endpoint | Azure cloud endpoint for the storage account. | string |
| filesystem | [Required] The name of the Data Lake Gen2 filesystem. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| protocol | Protocol used to communicate with the storage account. | string |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| subscriptionId | Azure Subscription Id | string |
AzureFileDatastore
| Name | Description | Value |
|---|---|---|
| accountName | [Required] Storage account name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| datastoreType | [Required] Storage type backing the datastore. | 'AzureFile' (required) |
| endpoint | Azure cloud endpoint for the storage account. | string |
| fileShareName | [Required] The name of the Azure file share that the datastore points to. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| protocol | Protocol used to communicate with the storage account. | string |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| subscriptionId | Azure Subscription Id | string |
CertificateDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| authorityUrl | Authority URL used for authentication. | string |
| clientId | [Required] Service principal client ID. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| credentialsType | [Required] Credential type used to authentication with storage. | 'Certificate' (required) |
| resourceUrl | Resource the service principal has access to. | string |
| secrets | [Required] Service principal secrets. | CertificateDatastoreSecrets (required) |
| tenantId | [Required] ID of the tenant to which the service principal belongs. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| thumbprint | [Required] Thumbprint of the certificate used for authentication. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
CertificateDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| certificate | Service principal certificate. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
DatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | Set to 'AccountKey' for type AccountKeyDatastoreCredentials. Set to 'Certificate' for type CertificateDatastoreCredentials. Set to 'None' for type NoneDatastoreCredentials. Set to 'Sas' for type SasDatastoreCredentials. Set to 'ServicePrincipal' for type ServicePrincipalDatastoreCredentials. | 'AccountKey' 'Certificate' 'None' 'Sas' 'ServicePrincipal' (required) |
DatastoreProperties
| Name | Description | Value |
|---|---|---|
| credentials | [Required] Account credentials. | DatastoreCredentials (required) |
| datastoreType | Set to 'AzureBlob' for type AzureBlobDatastore. Set to 'AzureDataLakeGen1' for type AzureDataLakeGen1Datastore. Set to 'AzureDataLakeGen2' for type AzureDataLakeGen2Datastore. Set to 'AzureFile' for type AzureFileDatastore. Set to 'OneLake' for type OneLakeDatastore. | 'AzureBlob' 'AzureDataLakeGen1' 'AzureDataLakeGen2' 'AzureFile' 'OneLake' (required) |
| description | The asset description text. | string |
| properties | The asset property dictionary. | ResourceBaseProperties |
| tags | Tag dictionary. Tags can be added, removed, and updated. | ResourceBaseTags |
LakeHouseArtifact
| Name | Description | Value |
|---|---|---|
| artifactType | [Required] OneLake artifact type | 'LakeHouse' (required) |
NoneDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | [Required] Credential type used to authentication with storage. | 'None' (required) |
OneLakeArtifact
| Name | Description | Value |
|---|---|---|
| artifactName | [Required] OneLake artifact name | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| artifactType | Set to 'LakeHouse' for type LakeHouseArtifact. | 'LakeHouse' (required) |
OneLakeDatastore
| Name | Description | Value |
|---|---|---|
| artifact | [Required] OneLake artifact backing the datastore. | OneLakeArtifact (required) |
| datastoreType | [Required] Storage type backing the datastore. | 'OneLake' (required) |
| endpoint | OneLake endpoint to use for the datastore. | string |
| oneLakeWorkspaceName | [Required] OneLake workspace name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
ResourceBaseProperties
| Name | Description | Value |
|---|
ResourceBaseTags
| Name | Description | Value |
|---|
SasDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | [Required] Credential type used to authentication with storage. | 'Sas' (required) |
| secrets | [Required] Storage container secrets. | SasDatastoreSecrets (required) |
SasDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| sasToken | Storage container SAS token. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
ServicePrincipalDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| authorityUrl | Authority URL used for authentication. | string |
| clientId | [Required] Service principal client ID. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| credentialsType | [Required] Credential type used to authentication with storage. | 'ServicePrincipal' (required) |
| resourceUrl | Resource the service principal has access to. | string |
| secrets | [Required] Service principal secrets. | ServicePrincipalDatastoreSecrets (required) |
| tenantId | [Required] ID of the tenant to which the service principal belongs. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
ServicePrincipalDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| clientSecret | Service principal secret. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Create a Blob Storage Datastore |
This template creates a blob storage datastore in Azure Machine Learning workspace. |
| Create a Databricks File System Datastore |
This template creates a Databricks File System datastore in Azure Machine Learning workspace. |
| Create a File Share Datastore |
This template creates a file share datastore in Azure Machine Learning workspace. |
| Create AML workspace with multiple Datasets & Datastores |
This template creates Azure Machine Learning workspace with multiple datasets & datastores. |
| Create an Azure ADLS Datastore |
This template creates a ADLS datastore in Azure Machine Learning workspace. |
| Create an Azure ADLS Gen2 Datastore |
This template creates a ADLS Gen2 datastore in Azure Machine Learning workspace. |
| Create an Azure MySQL Datastore |
This template creates a MySQL datastore in Azure Machine Learning workspace. |
| Create an Azure PostgreSQL Datastore |
This template creates a PostgreSQL datastore in Azure Machine Learning workspace. |
| Create an Azure SQL Datastore |
This template creates a SQL datastore in Azure Machine Learning workspace. |
Terraform (AzAPI provider) resource definition
The workspaces/datastores resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.MachineLearningServices/workspaces/datastores resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.MachineLearningServices/workspaces/datastores@2025-04-01"
name = "string"
parent_id = "string"
body = {
properties = {
credentials = {
credentialsType = "string"
// For remaining properties, see DatastoreCredentials objects
}
description = "string"
properties = {
{customized property} = "string"
}
tags = {
{customized property} = "string"
}
datastoreType = "string"
// For remaining properties, see DatastoreProperties objects
}
}
}
DatastoreCredentials objects
Set the credentialsType property to specify the type of object.
For AccountKey, use:
{
credentialsType = "AccountKey"
secrets = {
key = "string"
secretsType = "string"
}
}
For Certificate, use:
{
authorityUrl = "string"
clientId = "string"
credentialsType = "Certificate"
resourceUrl = "string"
secrets = {
certificate = "string"
secretsType = "string"
}
tenantId = "string"
thumbprint = "string"
}
For None, use:
{
credentialsType = "None"
}
For Sas, use:
{
credentialsType = "Sas"
secrets = {
sasToken = "string"
secretsType = "string"
}
}
For ServicePrincipal, use:
{
authorityUrl = "string"
clientId = "string"
credentialsType = "ServicePrincipal"
resourceUrl = "string"
secrets = {
clientSecret = "string"
secretsType = "string"
}
tenantId = "string"
}
OneLakeArtifact objects
Set the artifactType property to specify the type of object.
For LakeHouse, use:
{
artifactType = "LakeHouse"
}
DatastoreProperties objects
Set the datastoreType property to specify the type of object.
For AzureBlob, use:
{
accountName = "string"
containerName = "string"
datastoreType = "AzureBlob"
endpoint = "string"
protocol = "string"
resourceGroup = "string"
serviceDataAccessAuthIdentity = "string"
subscriptionId = "string"
}
For AzureDataLakeGen1, use:
{
datastoreType = "AzureDataLakeGen1"
resourceGroup = "string"
serviceDataAccessAuthIdentity = "string"
storeName = "string"
subscriptionId = "string"
}
For AzureDataLakeGen2, use:
{
accountName = "string"
datastoreType = "AzureDataLakeGen2"
endpoint = "string"
filesystem = "string"
protocol = "string"
resourceGroup = "string"
serviceDataAccessAuthIdentity = "string"
subscriptionId = "string"
}
For AzureFile, use:
{
accountName = "string"
datastoreType = "AzureFile"
endpoint = "string"
fileShareName = "string"
protocol = "string"
resourceGroup = "string"
serviceDataAccessAuthIdentity = "string"
subscriptionId = "string"
}
For OneLake, use:
{
artifact = {
artifactName = "string"
artifactType = "string"
// For remaining properties, see OneLakeArtifact objects
}
datastoreType = "OneLake"
endpoint = "string"
oneLakeWorkspaceName = "string"
serviceDataAccessAuthIdentity = "string"
}
Property Values
Microsoft.MachineLearningServices/workspaces/datastores
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9][a-zA-Z0-9\-_]{0,254}$ (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: workspaces |
| properties | [Required] Additional attributes of the entity. | DatastoreProperties (required) |
| type | The resource type | "Microsoft.MachineLearningServices/workspaces/datastores@2025-04-01" |
AccountKeyDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | [Required] Credential type used to authentication with storage. | 'AccountKey' (required) |
| secrets | [Required] Storage account secrets. | AccountKeyDatastoreSecrets (required) |
AccountKeyDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| key | Storage account key. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
AzureBlobDatastore
| Name | Description | Value |
|---|---|---|
| accountName | Storage account name. | string |
| containerName | Storage account container name. | string |
| datastoreType | [Required] Storage type backing the datastore. | 'AzureBlob' (required) |
| endpoint | Azure cloud endpoint for the storage account. | string |
| protocol | Protocol used to communicate with the storage account. | string |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| subscriptionId | Azure Subscription Id | string |
AzureDataLakeGen1Datastore
| Name | Description | Value |
|---|---|---|
| datastoreType | [Required] Storage type backing the datastore. | 'AzureDataLakeGen1' (required) |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| storeName | [Required] Azure Data Lake store name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| subscriptionId | Azure Subscription Id | string |
AzureDataLakeGen2Datastore
| Name | Description | Value |
|---|---|---|
| accountName | [Required] Storage account name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| datastoreType | [Required] Storage type backing the datastore. | 'AzureDataLakeGen2' (required) |
| endpoint | Azure cloud endpoint for the storage account. | string |
| filesystem | [Required] The name of the Data Lake Gen2 filesystem. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| protocol | Protocol used to communicate with the storage account. | string |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| subscriptionId | Azure Subscription Id | string |
AzureFileDatastore
| Name | Description | Value |
|---|---|---|
| accountName | [Required] Storage account name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| datastoreType | [Required] Storage type backing the datastore. | 'AzureFile' (required) |
| endpoint | Azure cloud endpoint for the storage account. | string |
| fileShareName | [Required] The name of the Azure file share that the datastore points to. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| protocol | Protocol used to communicate with the storage account. | string |
| resourceGroup | Azure Resource Group name | string |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
| subscriptionId | Azure Subscription Id | string |
CertificateDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| authorityUrl | Authority URL used for authentication. | string |
| clientId | [Required] Service principal client ID. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| credentialsType | [Required] Credential type used to authentication with storage. | 'Certificate' (required) |
| resourceUrl | Resource the service principal has access to. | string |
| secrets | [Required] Service principal secrets. | CertificateDatastoreSecrets (required) |
| tenantId | [Required] ID of the tenant to which the service principal belongs. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| thumbprint | [Required] Thumbprint of the certificate used for authentication. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
CertificateDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| certificate | Service principal certificate. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
DatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | Set to 'AccountKey' for type AccountKeyDatastoreCredentials. Set to 'Certificate' for type CertificateDatastoreCredentials. Set to 'None' for type NoneDatastoreCredentials. Set to 'Sas' for type SasDatastoreCredentials. Set to 'ServicePrincipal' for type ServicePrincipalDatastoreCredentials. | 'AccountKey' 'Certificate' 'None' 'Sas' 'ServicePrincipal' (required) |
DatastoreProperties
| Name | Description | Value |
|---|---|---|
| credentials | [Required] Account credentials. | DatastoreCredentials (required) |
| datastoreType | Set to 'AzureBlob' for type AzureBlobDatastore. Set to 'AzureDataLakeGen1' for type AzureDataLakeGen1Datastore. Set to 'AzureDataLakeGen2' for type AzureDataLakeGen2Datastore. Set to 'AzureFile' for type AzureFileDatastore. Set to 'OneLake' for type OneLakeDatastore. | 'AzureBlob' 'AzureDataLakeGen1' 'AzureDataLakeGen2' 'AzureFile' 'OneLake' (required) |
| description | The asset description text. | string |
| properties | The asset property dictionary. | ResourceBaseProperties |
| tags | Tag dictionary. Tags can be added, removed, and updated. | ResourceBaseTags |
LakeHouseArtifact
| Name | Description | Value |
|---|---|---|
| artifactType | [Required] OneLake artifact type | 'LakeHouse' (required) |
NoneDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | [Required] Credential type used to authentication with storage. | 'None' (required) |
OneLakeArtifact
| Name | Description | Value |
|---|---|---|
| artifactName | [Required] OneLake artifact name | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| artifactType | Set to 'LakeHouse' for type LakeHouseArtifact. | 'LakeHouse' (required) |
OneLakeDatastore
| Name | Description | Value |
|---|---|---|
| artifact | [Required] OneLake artifact backing the datastore. | OneLakeArtifact (required) |
| datastoreType | [Required] Storage type backing the datastore. | 'OneLake' (required) |
| endpoint | OneLake endpoint to use for the datastore. | string |
| oneLakeWorkspaceName | [Required] OneLake workspace name. | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| serviceDataAccessAuthIdentity | Indicates which identity to use to authenticate service data access to customer's storage. | 'None' 'WorkspaceSystemAssignedIdentity' 'WorkspaceUserAssignedIdentity' |
ResourceBaseProperties
| Name | Description | Value |
|---|
ResourceBaseTags
| Name | Description | Value |
|---|
SasDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| credentialsType | [Required] Credential type used to authentication with storage. | 'Sas' (required) |
| secrets | [Required] Storage container secrets. | SasDatastoreSecrets (required) |
SasDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| sasToken | Storage container SAS token. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
ServicePrincipalDatastoreCredentials
| Name | Description | Value |
|---|---|---|
| authorityUrl | Authority URL used for authentication. | string |
| clientId | [Required] Service principal client ID. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| credentialsType | [Required] Credential type used to authentication with storage. | 'ServicePrincipal' (required) |
| resourceUrl | Resource the service principal has access to. | string |
| secrets | [Required] Service principal secrets. | ServicePrincipalDatastoreSecrets (required) |
| tenantId | [Required] ID of the tenant to which the service principal belongs. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
ServicePrincipalDatastoreSecrets
| Name | Description | Value |
|---|---|---|
| clientSecret | Service principal secret. | string |
| secretsType | [Required] Credential type used to authentication with storage. | 'AccountKey' 'Certificate' 'Sas' 'ServicePrincipal' (required) |
Usage Examples
Terraform Samples
A basic example of deploying Machine Learning DataStore.
terraform {
required_providers {
azapi = {
source = "Azure/azapi"
}
}
}
provider "azapi" {
skip_provider_registration = false
}
data "azapi_client_config" "current" {}
variable "resource_name" {
type = string
default = "acctest0001"
}
variable "location" {
type = string
default = "westus"
}
resource "azapi_resource" "resourceGroup" {
type = "Microsoft.Resources/resourceGroups@2020-06-01"
name = var.resource_name
location = var.location
}
resource "azapi_resource" "component" {
type = "Microsoft.Insights/components@2020-02-02"
parent_id = azapi_resource.resourceGroup.id
name = "${var.resource_name}-ai"
location = var.location
body = {
kind = "web"
properties = {
Application_Type = "web"
DisableIpMasking = false
DisableLocalAuth = false
ForceCustomerStorageForProfiler = false
RetentionInDays = 90
SamplingPercentage = 100
publicNetworkAccessForIngestion = "Enabled"
publicNetworkAccessForQuery = "Enabled"
}
}
}
resource "azapi_resource" "vault" {
type = "Microsoft.KeyVault/vaults@2023-02-01"
parent_id = azapi_resource.resourceGroup.id
name = "${var.resource_name}vault"
location = var.location
body = {
properties = {
accessPolicies = []
createMode = "default"
enablePurgeProtection = true
enableRbacAuthorization = false
enableSoftDelete = true
enabledForDeployment = false
enabledForDiskEncryption = false
enabledForTemplateDeployment = false
publicNetworkAccess = "Enabled"
sku = {
family = "A"
name = "standard"
}
tenantId = data.azapi_client_config.current.tenant_id
}
}
}
resource "azapi_resource" "storageAccount" {
type = "Microsoft.Storage/storageAccounts@2023-05-01"
parent_id = azapi_resource.resourceGroup.id
name = "${lower(substr(var.resource_name, 0, 16))}acc"
location = var.location
body = {
kind = "StorageV2"
properties = {
accessTier = "Hot"
allowBlobPublicAccess = true
allowCrossTenantReplication = false
allowSharedKeyAccess = true
defaultToOAuthAuthentication = false
dnsEndpointType = "Standard"
encryption = {
keySource = "Microsoft.Storage"
services = {
queue = {
keyType = "Service"
}
table = {
keyType = "Service"
}
}
}
isHnsEnabled = false
isLocalUserEnabled = true
isNfsV3Enabled = false
isSftpEnabled = false
minimumTlsVersion = "TLS1_2"
networkAcls = {
bypass = "AzureServices"
defaultAction = "Allow"
ipRules = []
resourceAccessRules = []
virtualNetworkRules = []
}
publicNetworkAccess = "Enabled"
supportsHttpsTrafficOnly = true
}
sku = {
name = "Standard_LRS"
}
}
}
resource "azapi_resource" "container" {
type = "Microsoft.Storage/storageAccounts/blobServices/containers@2023-05-01"
parent_id = "${azapi_resource.storageAccount.id}/blobServices/default"
name = "datacontainer"
body = {
properties = {
publicAccess = "None"
}
}
}
data "azapi_resource_action" "storage_keys" {
type = "Microsoft.Storage/storageAccounts@2023-05-01"
resource_id = azapi_resource.storageAccount.id
action = "listKeys"
method = "POST"
response_export_values = ["*"]
}
resource "azapi_resource" "workspace" {
type = "Microsoft.MachineLearningServices/workspaces@2024-04-01"
parent_id = azapi_resource.resourceGroup.id
name = "${var.resource_name}-mlw"
location = var.location
identity {
type = "SystemAssigned"
identity_ids = []
}
body = {
kind = "Default"
properties = {
applicationInsights = azapi_resource.component.id
keyVault = azapi_resource.vault.id
publicNetworkAccess = "Enabled"
storageAccount = azapi_resource.storageAccount.id
v1LegacyMode = false
}
sku = {
name = "Basic"
tier = "Basic"
}
}
}
resource "azapi_resource" "dataStore" {
type = "Microsoft.MachineLearningServices/workspaces/dataStores@2024-04-01"
parent_id = azapi_resource.workspace.id
name = replace("${var.resource_name}_ds", "-", "_")
body = {
properties = {
accountName = azapi_resource.storageAccount.name
containerName = azapi_resource.container.name
credentials = {
credentialsType = "AccountKey"
secrets = {
key = base64encode(data.azapi_resource_action.storage_keys.output.keys[0].value)
secretsType = "AccountKey"
}
}
datastoreType = "AzureBlob"
description = ""
endpoint = "core.windows.net"
serviceDataAccessAuthIdentity = "None"
tags = null
}
}
depends_on = [azapi_resource.container]
}