Creating and Managing Datastores
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Creating and Managing Datastores in Machine Learning Workspaces
Introduction: Why Datastores Matter
In the lifecycle of any machine learning project, data is the foundation upon which every model is built. However, data is rarely stored in a single, convenient location that is ready for immediate consumption by training scripts. Instead, data lives in various storage services like cloud blobs, file shares, data lakes, or relational databases. Manually managing connection strings, credentials, and access paths within your code is not only tedious but also presents a significant security risk and makes your projects difficult to move between environments.
This is where the concept of a "Datastore" becomes essential. A datastore acts as an abstraction layer between your machine learning workspace and your actual data storage services. By creating a datastore, you register a connection to your storage resource—such as an Azure Blob Storage container or an Amazon S3 bucket—within your workspace. Once registered, your team can access the data using a friendly name rather than dealing with raw connection strings, secrets, or complex network configurations.
Understanding how to create and manage these resources is a core competency for any machine learning engineer or data scientist. It ensures that your pipelines are reproducible, your credentials are kept secure, and your data access patterns are consistent across development, testing, and production environments. In this lesson, we will explore the mechanics of datastores, how to implement them, and the best practices for maintaining them in a professional environment.
Understanding the Architecture of a Datastore
At its simplest level, a datastore is a persistent reference to a storage location. It encapsulates the information required to connect to that storage, such as the account name, container or share name, and the authentication mechanism (like a service principal, shared access signature, or identity-based access).
When you define a datastore in your workspace, you are essentially creating a configuration object that the workspace uses to establish a connection when requested by a training job or a data processing script. This abstraction is critical because it decouples the what (the data) from the how (the storage technology).
Why use Datastores instead of raw connections?
- Security: You can store secrets (like keys or tokens) in a secure Key Vault associated with your workspace. You do not need to hardcode sensitive credentials into your training scripts or notebooks.
- Portability: If you move your data from a development storage account to a production storage account, you only need to update the datastore definition. You do not need to update every single line of code that references that data.
- Governance: Using datastores allows administrators to control who has access to which data sources. You can grant access to a datastore without necessarily granting access to the entire underlying storage account.
- Usability: Data scientists can interact with data using path-based references (e.g.,
datastore://my-data/train.csv) rather than complex URI structures or local file system paths that might not exist on remote compute clusters.
Callout: Datastores vs. Data Assets It is important to distinguish between a "Datastore" and a "Data Asset." A datastore is a connection to the storage service itself (the "where"). A data asset is a pointer to a specific file or folder within that storage (the "what"). You create a datastore to establish the link to the storage, and then you define data assets on top of that datastore to point to your specific datasets.
Types of Supported Storage
Most enterprise machine learning platforms support a variety of storage backends. It is important to choose the right one based on your data volume, access patterns, and performance requirements.
- Blob Storage: The most common storage type. It is ideal for unstructured data like images, logs, or flat files (CSV, Parquet). It is highly scalable and cost-effective.
- File Shares: Useful when you need to mount storage as a disk drive, allowing for POSIX-compliant file operations. This is often used for sharing code or small datasets across multiple nodes.
- Data Lakes (ADLS Gen2): Designed for big data analytics. It supports hierarchical namespaces, which makes managing large directories and granular security permissions much easier than in standard blob storage.
- SQL Databases: While less common for raw training data, some platforms allow you to register SQL databases as datastores to pull query results directly into a training pipeline.
Creating Datastores: Step-by-Step
Creating a datastore typically involves three main inputs: the storage provider type, the authentication credentials, and the destination container or path. While you can often use a graphical user interface (GUI) within your workspace portal to create these, using a software development kit (SDK) or Command Line Interface (CLI) is standard practice for production environments.
Example: Registering an Azure Blob Storage Datastore
In this example, we will use Python to register an existing Azure Blob storage container as a datastore.
from azure.ai.ml import MLClient
from azure.ai.ml.entities import AzureBlobDatastore
from azure.identity import DefaultAzureCredential
# 1. Connect to the workspace
credential = DefaultAzureCredential()
ml_client = MLClient(
credential=credential,
subscription_id="your-subscription-id",
resource_group_name="your-resource-group",
workspace_name="your-workspace-name"
)
# 2. Define the datastore object
blob_datastore = AzureBlobDatastore(
name="training_data_store",
description="Datastore for training datasets",
account_name="mystorageaccount",
container_name="training-data"
)
# 3. Register the datastore in the workspace
ml_client.datastores.create_or_update(blob_datastore)
Explanation of the code:
- Authentication: We use
DefaultAzureCredential, which is a best practice. It automatically tries various authentication methods (like environment variables or managed identities) without requiring you to embed hardcoded secrets. - Object Definition: We create an
AzureBlobDatastoreobject. This defines the metadata for our connection. - Registration: The
create_or_updatemethod sends this configuration to the workspace. If a datastore with this name already exists, it will be updated; otherwise, it will be created.
Note: When using
DefaultAzureCredential, ensure that your local environment or the machine running the code has the necessary permissions (e.g., "Storage Blob Data Contributor") on the target storage account.
Managing Datastores: Listing, Updating, and Deleting
Once you have created datastores, you will need to manage them throughout the project lifecycle. This includes listing available connections, updating them when storage configurations change, and removing them when they are no longer needed.
Listing Datastores
To see what datastores are currently registered in your workspace, you can list them using the client:
# List all datastores
datastores = ml_client.datastores.list()
for ds in datastores:
print(f"Name: {ds.name}, Type: {ds.type}")
Updating Datastores
If you need to point a datastore to a different container or change the description, you simply create a new object with the same name and call the create_or_update method again. This is useful for environment promotions, such as shifting from a "dev" container to a "prod" container while maintaining the same datastore name in your code.
Deleting Datastores
If a storage service is decommissioned, you should remove the corresponding datastore from your workspace to avoid confusion.
# Delete a datastore
ml_client.datastores.delete(name="old_datastore_name")
Security and Access Control
Security is arguably the most important aspect of managing datastores. Because datastores provide a bridge to your data, they must be governed strictly.
Principle of Least Privilege
Always grant the minimum level of permission required. If a service account only needs to read data for a training job, do not provide it with "Storage Blob Data Contributor" (which allows writing and deleting). Instead, use "Storage Blob Data Reader."
Using Identity-Based Access
Avoid using Account Keys or Shared Access Signatures (SAS) whenever possible. These tokens can expire or be leaked. Instead, use Managed Identities. When you use a Managed Identity, the workspace itself is granted access to the storage account. No credentials need to be stored in your code or even in the workspace configuration files, because the identity is handled at the infrastructure level.
Warning: Never Hardcode Secrets Never, under any circumstances, include storage account keys or connection strings in your source code or configuration files that are checked into version control (like Git). Always use managed identities or key vaults to manage these secrets.
Table: Comparison of Authentication Methods
| Method | Security Level | Best For |
|---|---|---|
| Account Key | Low | Quick prototyping, testing. |
| SAS Token | Medium | Temporary access, third-party sharing. |
| Managed Identity | High | Production pipelines, automated jobs. |
| Service Principal | High | Cross-tenant scenarios, CI/CD pipelines. |
Common Pitfalls and How to Avoid Them
Even with a clear understanding of datastores, engineers often run into common traps. Recognizing these early can save hours of debugging.
1. The "Path Not Found" Error
A common issue occurs when the path specified in the datastore does not match the actual path in the storage account. Remember that the datastore typically points to the root of a container or file share. If you are trying to access a subfolder, ensure your code correctly appends that subfolder to the datastore reference.
2. Networking and Firewall Issues
If your storage account has a firewall enabled (which is a best practice), you must ensure that your machine learning workspace is allowed to pass through that firewall. This often requires setting up a "Virtual Network" (VNet) and configuring the storage account to accept traffic from the workspace's subnet. If you find your code hanging when trying to connect, check your VNet and firewall settings first.
3. Credential Expiration
If you are using SAS tokens for your datastores, they will eventually expire. This will cause your training jobs to fail suddenly, even if the code hasn't changed. To avoid this, prefer managed identities which do not expire in the same way, or implement a process to rotate your SAS tokens regularly.
4. Over-Registration
Some teams make the mistake of creating a separate datastore for every single subfolder in their storage account. This leads to "datastore sprawl," where it becomes impossible to find the correct connection. Instead, register the container or the root path as the datastore, and then use your code or data assets to point to the specific subfolders.
Practical Application: Using Datastores in a Training Script
Once a datastore is registered, how do you actually use it in a training script? The most common pattern is to pass the datastore path as an input to a job.
Example: Referencing a Datastore in a Job Configuration
from azure.ai.ml import command, Input
# Define the job
job = command(
code="./src",
command="python train.py --data-path ${{inputs.training_data}}",
inputs={
"training_data": Input(
type="uri_folder",
path="azureml://datastores/training_data_store/paths/data/2023_set/"
)
},
environment="azureml:my-env:1"
)
In this snippet, the path argument uses a special URI format: azureml://datastores/<datastore_name>/paths/<relative_path>. The platform handles the heavy lifting of resolving this URI, authenticating the connection, and mounting or downloading the data to the compute node where the script runs. This keeps your train.py script clean and focused on model logic, rather than storage connection logic.
Best Practices for Enterprise Environments
Managing datastores at scale requires a structured approach. If you are working in a team or enterprise setting, follow these guidelines to keep your workspace clean and secure.
1. Standardization of Naming Conventions
Establish a clear naming convention for your datastores. For example, use a prefix that identifies the environment (e.g., dev-blob-data, prod-blob-data) or the project (e.g., project-alpha-data). This makes it immediately obvious which datastore should be used for which task.
2. Documentation and Metadata
Use the description field when creating datastores. Include information about what the data is, who owns it, and the data retention policy. This metadata is invaluable for other team members who might be browsing the workspace.
3. Automation and Infrastructure as Code (IaC)
Do not create datastores manually through the portal for production workloads. Use tools like Terraform, Bicep, or Pulumi to define your datastores as part of your infrastructure code. This ensures that your workspace configuration is versioned and can be recreated exactly as it was if a disaster occurs.
4. Regular Audits
Periodically review your registered datastores. Remove any that are no longer in use, and verify that the permissions associated with them are still appropriate. As personnel leave the team or projects end, access rights can become bloated; auditing helps maintain a "least privilege" posture.
Callout: Datastores in CI/CD Pipelines In a robust CI/CD pipeline, you should have different datastores for different environments. Your build process should automatically register the correct datastore for the target environment (e.g., pointing to the "test" blob container during testing and the "production" container during deployment). This ensures your training jobs are always running against the correct data without manual intervention.
Advanced Management: Syncing and Data Versions
While standard datastores are excellent for static connections, modern machine learning often requires handling data versions. If your data changes frequently, you might find yourself needing to track which version of the data was used for a specific model training run.
Data Assets vs. Datastores
While this lesson focuses on datastores, remember that datastores are the underlying connection. You should use Data Assets for versioning. You can define a data asset that points to a specific path within a datastore and give it a version number (e.g., v1, v2). This allows you to track that "Model A was trained on Data Asset v1, while Model B was trained on Data Asset v2," even though both assets reside in the same datastore.
Handling Large Datasets
If your dataset is massive (terabytes of data), you don't want to copy that data to your compute cluster every time you run a job. Datastores support two primary ways of accessing data:
- Download: The data is copied to the compute cluster's local disk before the script starts. Good for small to medium datasets.
- Mount: The storage is virtually "mounted" to the compute cluster, allowing the script to stream data as it needs it. This is much faster for large datasets and avoids high egress costs.
Choose the access mode based on your specific needs. If your script performs random access across a huge dataset, mounting is usually the better choice. If your script performs a single, linear pass over the data, downloading might provide better performance by reducing network latency during the training loop.
Troubleshooting Checklist
If you are struggling to get a datastore working, walk through this checklist:
- Connectivity: Can the compute resource reach the storage account? Check for VNet/Firewall blocks.
- Permissions: Does the identity (Service Principal or Managed Identity) have the "Storage Blob Data Reader" or "Contributor" role on the target storage account?
- Name Resolution: Is there a typo in the datastore name? Remember that these names are case-sensitive in many platforms.
- Path Validity: Does the container or file share actually exist? Double-check the container name in the storage account portal.
- Authentication Type: Are you trying to use a key-based datastore when your organization has disabled key access in favor of Azure AD/Identity-based authentication? This is a common security hardening step in many enterprises.
Key Takeaways
Creating and managing datastores is a fundamental skill that enables scalable, secure, and reproducible machine learning. By abstracting the storage layer, you ensure that your team can focus on data science rather than infrastructure configuration.
- Abstraction is Key: Datastores decouple your code from the physical storage, allowing for easier environment migration and maintenance.
- Security First: Always prioritize identity-based authentication (Managed Identities) over secrets or connection strings to keep your data secure.
- Naming and Documentation: Use consistent naming conventions and descriptive metadata to keep your workspace organized as your project scales.
- IaC Integration: Treat datastores as infrastructure. Use automation tools to define and deploy them rather than relying on manual portal configuration.
- Access Modes: Understand the difference between mounting and downloading data. Choosing the right access mode for your data volume can significantly improve training performance and reduce costs.
- Principle of Least Privilege: Regularly audit your datastore permissions to ensure that only authorized users and processes have access to your data.
- Version Control: Use datastores as the base for Data Assets to track data versions, ensuring that your model training results are always reproducible and auditable.
By mastering these concepts, you transition from simply "running scripts" to building a professional, stable machine learning ecosystem that can support complex projects and large teams. The time you invest in setting up these resources correctly at the beginning will pay significant dividends in stability and security throughout your project's lifecycle.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons