Share via

AuthenticationError (401) only in Kubernetes deployment, works locally

Adriano Neto 20 Reputation points
2025-09-25T09:59:39.4566667+00:00

I am encountering a 401 AuthenticationError when calling the Azure OpenAI Python client from a container running in my Kubernetes cluster. The exact same code and environment variables work without issue on my local machine.

Environment & Setup

Python: 3.12

  • openai Python package: 1.108.2

Azure OpenAI API version: 2025-04-01-preview

  • Deployment: Kubernetes (k8s)
  • Variables set as K8s secrets:
    • AZURE_OPENAI_API_KEY (verified correct)
    • AZURE_OPENAI_ENDPOINT(verified correct)

Minimal Reproducible Example

import os
from openai import AzureOpenAI
client = AzureOpenAI(
    api_key=os.getenv("AZURE_OPENAI_API_KEY"),
    api_version="2025-04-01-preview",
    azure_endpoint=os.getenv("AZURE_OPENAI_ENDPOINT")
)

client.responses.create(
    model="gpt-4o",
    input="Tell me a short story!"
)

Observed Error (only in Kubernetes)

openai.AuthenticationError: Error code: 401 - {'error': {'code': '401',
'message': 'Access denied due to invalid subscription key or wrong API endpoint.
Make sure to provide a valid key for an active subscription and use a correct regional API endpoint for your resource.'}}

What I already checked

Key and endpoint values match the Azure portal (copy-pasted and re-verified).

The same image + code run successfully on my local machine (e.g., docker run locally).

  • K8s secret is mounted and visible inside the pod (env | grep AZURE_OPENAI_API_KEYshows correct value).

Question / Request What additional Azure configuration, environment variable, or network requirement might differ between local and Kubernetes deployments and cause this 401? Is there any diagnostic command or logging I can enable to verify that the correct subscription and region are being used at runtime?

Thank you for your help.

Azure OpenAI in Foundry Models

Answer accepted by question author

Azar 31,720 Reputation points MVP Volunteer Moderator
2025-09-25T11:21:45.0466667+00:00

Hi there Adriano Neto

Thanks for using QandA platform

If it’s working locally but not in Kubernetes, the issue is almost always with how the API key or endpoint is passed at runtime. Even if env | grep shows the key, double-check for hidden characters (like trailing spaces or newline) — they often sneak in when mounting secrets. Also make sure the endpoint URL ends with /openai/deployments/... if required, and matches the region exactly. Another common cause is network egress — your cluster might be behind a firewall or private network blocking calls to the Azure endpoint. You can exec into the pod and try a curl -I $AZURE_OPENAI_ENDPOINT to confirm connectivity.

Finally, check if the pod’s identity or outbound IP is restricted in Azure; if the key is valid but the request originates from an unauthorized network, you’ll still see a 401.

If this helps kindly accept the answer thanks much.

Was this answer helpful?

1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.