question

KlausZuenkler-5575 asked KlausZuenkler-5575 commented

Audio content creation: access denied to existing speech resource

I want to create a model in speech.microsoft.com and fail with a speech resource, where I have contributor access only (no access to the hosting RG of that resource). I can only work with a resource I created in the speech portal.
In the browser I am getting this error (debug window)
Request URL: https://westeurope.customvoice.api.speech.microsoft.com/api/texttospeech/v3.0-beta1/vcg/queryssmlfiles
Request Method: POST
Status Code: 401 Unauthorized

and in the portal notification:
Failed to fetch work files
Error: Authentication is required to access the resource.
Connection ID: d6b9edc0-4115-11eb-ab47-7b202b2f6dea
Audio Content Creation

Which additional right do I need?


azure-speech

romungi-MSFT answered KlausZuenkler-5575 commented

@KlausZuenkler-5575 You could define your custom RBAC roles and restrict the permissions available to the user. In the current scenario there is no option to delete a speech resource from speech studio though.

The IP list for all of Azure is available for download from here. The cognitive services area uses the IPs under CognitiveServicesManagement. This list is dynamic and could change from time to time, if you are planning to block access with the IP list. Depending on your region you can look up your IP with nslookup and check if the IP is available in the downloaded list. The IP returned in my case is available in the list so you can do a quick check by blocking the IP you see with lookup. I hope this helps.
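The check described in this answer (resolve the endpoint, then see whether the address falls under CognitiveServicesManagement in the downloaded list), as an added example that is not part of the original post. It assumes the download is the service tags JSON with `values[].name` and `values[].properties.addressPrefixes`; the function names are hypothetical and the sample prefixes are constructed from documentation ranges.

```python
import ipaddress
import json
import socket

# Constructed sample in the layout of the downloadable service tags JSON.
# The prefixes are documentation ranges, not real Azure addresses.
SAMPLE_SERVICE_TAGS = json.loads("""
{"changeNumber": 1, "cloud": "Public", "values": [
  {"name": "CognitiveServicesManagement",
   "properties": {"addressPrefixes": ["192.0.2.0/25", "2001:db8:10::/48"]}},
  {"name": "Storage",
   "properties": {"addressPrefixes": ["203.0.113.0/24"]}}
]}
""")


def tag_networks(service_tags, tag_name):
    """Return the address prefixes of one service tag as network objects."""
    for entry in service_tags.get("values", []):
        if entry.get("name") == tag_name:
            prefixes = entry.get("properties", {}).get("addressPrefixes", [])
            return [ipaddress.ip_network(p, strict=False) for p in prefixes]
    raise KeyError(f"service tag {tag_name!r} not found in the list")


def check_addresses(addresses, networks):
    """Map each address to the prefix covering it, or None if uncovered."""
    result = {}
    for raw in addresses:
        addr = ipaddress.ip_address(raw)
        hit = next((n for n in networks
                    if n.version == addr.version and addr in n), None)
        result[raw] = str(hit) if hit else None
    return result


def resolve(hostname):
    """The nslookup step: return every address the name resolves to."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    nets = tag_networks(SAMPLE_SERVICE_TAGS, "CognitiveServicesManagement")
    # Offline demo with constructed addresses; with network access, pass
    # resolve("<your regional endpoint>") and the real downloaded file.
    for ip, net in check_addresses(["192.0.2.77", "192.0.2.200"], nets).items():
        print(ip, "covered by", net if net else "NO PREFIX")
```

Because the list is dynamic, the result only holds for the copy of the file that was checked; rerun it after each new download.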



There should be an easier way to maintain the whitelist for the speech service resource when we are forced to restrict network access to "selected networks" only, like in access rules for NSGs, where you can simply add "CognitiveServicesManagement" as an additional tag to allow access.
Maintaining a long dynamic IP list in the networking tab of Speech Resource is prohibitive from an effort perspective.
We need to grant access to dedicated external sources as well so that RBAC does not really help. This can be an additional layer of security. We need to fix the network segregation requirement first.

KlausZuenkler-5575 answered KlausZuenkler-5575 commented

I found the reason now:
In the networking tab of the speech resource only "selected networks" were enabled. Switching to "all networks" fixed the issue.
The error messages above are really misleading.

I tried to lock down the networks and added my IP, but this did not help.
Next question is: how to lock down the access so that only Speech portal would work?


@KlausZuenkler-5575 I believe you are referring to locking down speech.microsoft.com, which is available on the public internet similar to the Azure portal. This can probably be achieved using a firewall rule on your network. A simpler solution could be to restrict the access to your speech resources to limited users who log into the portal based on roles assigned to the user.



We locked down to the roles already. We would also prefer if a "reader" role would be available to prevent deleting the resource by users.
The client policy prohibits exposure of Azure resources to the Internet, therefore we have to restrict this by a firewall. But where can I find the possible IP range for speech.microsoft.com?


Hi, I am new to this. May I know where to find the networking tab?


You have to log in to the standard Azure portal and open the speech resource there which you want to use in the speech portal. In this resource you can select the networking tab on the left side and then restrict the access. Recently new firewall rules were added to CognitiveServices Management. I did not yet check if this rule is available for Speech resources as well (I tested with QnAMaker only), but this would be a safe option to restrict access on network level on top of the proposed user access restriction above (which is normally in place anyway).
