Authenticate to Azure OpenAI the right way using Microsoft Entra ID

  • Published: May 27, 2024
  • Many developers authenticate to Azure OpenAI using access keys when they should be using Microsoft Entra ID (formerly Azure Active Directory) both locally and in production. Access keys are fine for getting started and disposable tutorials, but they inherently bring security risks and bad practices. For production or enterprise environments, you'll definitely want to use a more robust solution, so in this video we'll explore how to connect to OpenAI using Role Based Access Control (RBAC) with Microsoft Entra ID.
    Build an AI app with your own data: • Learn Azure OpenAI - C...
    00:00:00 Intro
    00:00:50 Scenario Overview
    00:01:56 Entra ID Overview
    00:03:51 Local Auth
    00:10:18 Production Auth
    00:16:10 Additional topics
  • Science

Comments • 13

  • @wiliam334 4 days ago +1

    Been looking everywhere for it.
    Thanks a bunch

  • @janisaksson5966 1 month ago

    Thanks for a very informative walkthrough of Entra ID authentication using OpenAI.

  • @shahnawazk 4 months ago +1

    Nice and informative. Thanks Alex!

  • @janisaksson5966 1 month ago

    Is it possible to authenticate by using a service principal from a non-Azure client?

    • @alexthecodewolf 1 month ago

      When you say "non Azure client" - I assume you mean an app or service hosted on-prem or in another cloud, correct? This scenario should be supported, though I haven't tested it myself. The OpenAIClient in your code does accept either DefaultAzureCredential or ClientSecretCredential as a parameter. DefaultAzureCredential should be able to read IDs out of your appsettings file by default, or you could pass them in more directly to the ClientSecretCredential (I think this is the right one offhand but it might be a different credential type in the Azure.Identity library). You'd just have to create an app registration in Azure and then provide your ids to the OpenAIClient. Hope this helps!

  • @komalgrover6310 4 months ago

    Hey, thanks Alex, helped me solve an issue for production. Although I am using Azure Search in conjunction with Azure Open AI and looks like my index did not get created and I am getting an Unauthorized error. Is there any role in production that we need to grant for the search service as well? Thanks

    • @alexthecodewolf 4 months ago

      Hey, you'll need to add a role for the search service as well, but I'm not sure offhand which role that is - it's probably something like "search index contributor" or "search index reader" or something - whatever levels of permissions you need.
      In the link below you can find some "infrastructure as code" for a sample project that sets up OpenAI service plus Search - the linked area highlights some of the roles they are creating to access different search services and such - one of those roles might help you. This is bicep code but you'd just need to find the name of the relevant role you're looking for and then you could assign it through the Portal or CLI like I demonstrated.
      github.com/Azure-Samples/azure-search-openai-javascript/blob/main/infra/main.bicep#L434-L510

    • @komalgrover6310 4 months ago

      Thanks a lot for your reply. My doubt is in production what role needs to be assigned when using RBAC roles? I saw the above repo already but could not find a solution. This is the error I am getting:
      File "/.local/lib/python3.10/site-packages/azure/search/documents/_generated/operations/_documents_operations.py", line 1264, in index
      raise HttpResponseError(response=response, model=error)
      azure.core.exceptions.HttpResponseError: () Authorization failed.
      Code:
      Message: Authorization failed.

  • @AmitThakur-kh3jm 4 months ago

    Hi Alex, I got this error after following Entra ID. Unauthorized. Access token is missing, invalid, audience is incorrect (urn:ms.scopedToken or urn:ms.faceSessionToken), or have expired.
    Status: 401 (Unauthorized)

    • @alexthecodewolf 4 months ago

      Hey, did you get this locally or in Azure? If it's local your credentials might have expired, I would log in and out of whatever tool you're using to provide the credentials.

    • @AmitThakur-kh3jm 4 months ago

      @alexthecodewolf thanks for responding.
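
To tell which of the causes named in the 401 message in the thread above applies (incorrect audience or expired token), the token's claims can be inspected locally. The Python sketch below is an added example, not code from the video or from the Azure SDK; the expected audience value, the function names and the constructed sample tokens are assumptions.

```python
import base64
import json
import time

# Assumption (not from the page): tokens requested for the scope
# https://cognitiveservices.azure.com/.default carry this audience.
EXPECTED_AUD = "https://cognitiveservices.azure.com"


def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def diagnose(token, now=None):
    """List reasons a resource expecting EXPECTED_AUD would reject this token."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return [f"token is not decodable: {exc}"]
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in [str(a).rstrip("/") for a in audiences]:
        problems.append(f"audience is {aud!r}, expected {EXPECTED_AUD!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("no numeric exp claim")
    elif exp <= now:
        problems.append(f"expired {int(now - exp)}s ago")
    return problems


def make_sample(aud, exp):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud, "exp": exp}), "sig"])


if __name__ == "__main__":
    print(diagnose(make_sample("https://management.azure.com", 1_700_000_000), now=1_700_000_120))
```

With the azure-identity package, the string to inspect is the `.token` attribute of the object returned by `DefaultAzureCredential().get_token("https://cognitiveservices.azure.com/.default")`.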