When you say "non Azure client" - I assume you mean an app or service hosted on-prem or in another cloud, correct? This scenario should be supported, though I haven't tested it myself. The OpenAIClient in your code does accept both DefaultAzureCredential or ClientSecretCredential as a parameter. DefaultAzureCredentialshould be able to read IDs out of your appsettings file by default, or you could pass them in more directly to the ClientSecretCredential (I think this is the right one offhand but it might be a different credential type in the Azure.Identity library). You'd just have to create an app registration in azure and then provide your ids to to the OpenAIClient. Hope this helps!
Hey Thanks Alex, helped me solve an issue for production. Although I am using Azure Search in conjuction with Azure Open AI and looks like my index did not get created and I am getting an Unauthorized error. Is there any role in production that we need to grant for the search service as well? Thanks
Hey, you'll need to add a role for the search service as well, but I'm not sure off hand which role that is - it's probably something like "search index contributor" or "search index reader" or something - whatever levels of permissions you need. In the link below you can find some "infrastructure as code" for a sample project that sets up OpenAI service plus Search - the linked area highlights some of the roles they are creating to access different search services and such - one of those roles might help you. This is bicep code but you'd just need to find the name of relevant role you're looking for and then you could assign it through the Portal or CLI like I demonstrated. github.com/Azure-Samples/azure-search-openai-javascript/blob/main/infra/main.bicep#L434-L510
Thanks lot for your reply. My doubt is in production what role needs to be assigned when using RBAC roles? I saw the above repo already but could not find a solution. This is the error I am getting : File "/.local/lib/python3.10/site-packages/azure/search/documents/_generated/operations/_documents_operations.py", line 1264, in index raise HttpResponseError(response=response, model=error) azure.core.exceptions.HttpResponseError: () Authorization failed. Code: Message: Authorization failed.
Hi Alex, I got this error after following entra ID. Unauthorized. Access token is missing, invalid, audience is incorrect (urn:ms.scopedToken or urn:ms.faceSessionToken), or have expired. Status: 401 (Unauthorized)
Hey, did you get this locally or in Azure? If it's local your credentials might have expired, I would log in and out of whatever tool you're using to provide the credentials
Thank you for demonstrating! This information helps a lot!
Been looking everywhere for it.
Thanks a bunch
Thanks for a very informative walkthrough of Entra ID authentication using OpenAI.
Glad it was helpful!
Nice and informative. Thanks Alex!
Thanks, glad you found it useful!
Is it possible to authenticate by using a service principal from a none Azure client?
When you say "non Azure client" - I assume you mean an app or service hosted on-prem or in another cloud, correct? This scenario should be supported, though I haven't tested it myself. The OpenAIClient in your code does accept both DefaultAzureCredential or ClientSecretCredential as a parameter. DefaultAzureCredentialshould be able to read IDs out of your appsettings file by default, or you could pass them in more directly to the ClientSecretCredential (I think this is the right one offhand but it might be a different credential type in the Azure.Identity library). You'd just have to create an app registration in azure and then provide your ids to to the OpenAIClient. Hope this helps!
Hey Thanks Alex, helped me solve an issue for production. Although I am using Azure Search in conjuction with Azure Open AI and looks like my index did not get created and I am getting an Unauthorized error. Is there any role in production that we need to grant for the search service as well? Thanks
Hey, you'll need to add a role for the search service as well, but I'm not sure off hand which role that is - it's probably something like "search index contributor" or "search index reader" or something - whatever levels of permissions you need.
In the link below you can find some "infrastructure as code" for a sample project that sets up OpenAI service plus Search - the linked area highlights some of the roles they are creating to access different search services and such - one of those roles might help you. This is bicep code but you'd just need to find the name of relevant role you're looking for and then you could assign it through the Portal or CLI like I demonstrated.
github.com/Azure-Samples/azure-search-openai-javascript/blob/main/infra/main.bicep#L434-L510
Thanks lot for your reply. My doubt is in production what role needs to be assigned when using RBAC roles? I saw the above repo already but could not find a solution. This is the error I am getting :
File "/.local/lib/python3.10/site-packages/azure/search/documents/_generated/operations/_documents_operations.py", line 1264, in index
raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Authorization failed.
Code:
Message: Authorization failed.
Hi Alex, I got this error after following entra ID. Unauthorized. Access token is missing, invalid, audience is incorrect (urn:ms.scopedToken or urn:ms.faceSessionToken), or have expired.
Status: 401 (Unauthorized)
Hey, did you get this locally or in Azure? If it's local your credentials might have expired, I would log in and out of whatever tool you're using to provide the credentials
@@alexthecodewolf thanks for responding.