I’m working with Azure OpenAI service, and want to test its Managed Identity support.
According to the docs it supports Managed Identity authentication, for example – using a VM.
So I did the following:
- Created a VM in Azure
- Assigned it a managed identity
- Assigned this identity a "Cognitive Services User" role (as per the docs) on the OpenAI resource
- Downloaded Postman to the VM
- Tried to access OpenAI API without the API Key (that’s the whole point, isn’t it?)
But I keep getting a 401 error.
What am I missing? With other services, VM with authenticated Managed Identity can access the service (ie. Storage Account, KeyVault). Why isn’t it working here?
Thanks!
2
Answers
In order to access Azure Open AI service, you still need an authentication header.
The difference that has a managed identity configured is instead of using api key, you can also use an access token to access the service.
You can take https://github.com/openai/openai-python#microsoft-azure-active-directory-authentication as a reference about how to get the access token with managed identity.
(I am a Microsoft employee working in the Azure SDK team.)
Tried to access OpenAI API without the API Key (that's the whole point, isn't it?)Not quite true.
Managed identity means you generate a JWT token within (and only within) the resource (in your case VM) linked to your destination (AoAI). You are going passwordless using managed identity (without app-id/secret or static key)
Note that if you log this token (which is mostly valid for 24 hours in majority of the resources) and try to access the api from your local, it would still work – so you need to restrict the firewall settings to azure-network in your AoAI.