Share via

Azure AI Studio - Error binding an index to a chat

COLUSSI Diego M. TENARIS 20 Reputation points
2024-10-15T20:38:19.1133333+00:00

I have issues with an Azure OpenAI Hub:

RESOURCES AND CONFIGS The resources I have are the following:

Hub Resources:

  • ias-dev-hub01
  • ias-dev-hub01-proj01
  • iasdevhub01config (Hub configuration storage account)

RAG Resources:

  • ias-dev-openai01 (OpenAI service) with GPT 4o-mini deployed.
  • ias-dev-search01 (Azure Search)
  • iasdevstaproyecto01 (Storage with documents to be read by the chat)

CHARASTERISTICS

  • The hub is completely secured with private endpoints
  • And all other components (search, openai, project storage) are also secured with Priv Endpoints. The hub connects to all resources via MS Entra ID instead of using API keys.

The Network configuration is the following:

  • (*) Allow access from: Disabled
  • (No networks can access this resource. Private endpoint connections will be the exclusive way to access this resource. Learn more.)
  • All resources connected to the hub communicate using Entra ID instead of API keys, and they have the corresponding IAM permissions between each resources.

PROBLEM CASE:

  • When I access a project in the hub and enter the chats section, if I bind the GPT 4o-mini model to the project's chat, the chat performs an answer (all of this in a secure environment).
  • However, when I try to bind an index already created in the search to the chat, the chat is not answering with the index info. In fact, I haven't been able to connect the index to the chat. It stays stuck on loading indefinitely. (the search is ias-dev-search01; the index name is oais-index)

User's image

Some of the errors I encounter are as follows: When the AzureAiStudio Hub Web tries to bind the index to the chat, the web component /Resolve brings me an error:

https://4ad0f6d5-14--------.workspace.eastus2.api.azureml.ms/mlindex/v1.0/subscriptions/---------/resourceGroups/rg-iastudio-toolfundamentals-dev/providers/Microsoft.MachineLearningServices/workspaces/ias-dev-hub01-proj01/mlindices/oais-indice/versions/2/resolve

"Failed to resolve MLIndex 'azureml://locations/eastus2/workspaces/----------/data/oais-indice/versions/2'. PermissionDenied(Some(AuthenticationError(\"Unable to get access token for resource named 'iasdevhub01config' (subscription: '-----------1a27af', resource group 'RG-IASTUDIO-TOOLFUNDAMENTALS-DEV').\\n  NetworkIsolationViolatedException was caused by DataAccessNetworkIsolationViolatedException.\\n    Cannot authenticate data access to with Workspace system assigned identity. Make sure that the firewall settings of Resouce \\\"[REDACT: DataServiceResourceId]\\\"\\u{a0}allows access from the current virtual network.\\n\")))"

RESULT: 

{
  "error": {
    "code": "ScriptExecution.StreamAccess.Authentication",
    "severity": null,
    "message": "Failed to resolve MLIndex 'azureml://locations/eastus2/workspaces/----------/data/oais-indice/versions/2'. PermissionDenied(Some(AuthenticationError(\"Unable to get access token for resource named 'iasdevhub01config' (subscription: '-----------1a27af', resource group 'RG-IASTUDIO-TOOLFUNDAMENTALS-DEV').\\n  NetworkIsolationViolatedException was caused by DataAccessNetworkIsolationViolatedException.\\n    Cannot authenticate data access to with Workspace system assigned identity. Make sure that the firewall settings of Resouce \\\"[REDACT: DataServiceResourceId]\\\"\\u{a0}allows access from the current virtual network.\\n\")))",
    "messageFormat": null,
    "messageParameters": null,
    "referenceCode": null,
    "detailsUri": null,
    "target": null,
    "details": [],
    "innerError": null,
    "debugInfo": null,
    "additionalInfo": null
  },
  "correlation": {
    "operation": "--------,
    "request": "--------------"
  },
  "environment": "eastus2",
  "location": "eastus2",
  "time": "2024-10-15T19:14:36.7515857+00:00",
  "componentName": "dataset",
  "statusCode": 400
}

SOME INFORMATION

  • The index is OK loaded into Azure AIStudio and ML Studio. User's image
  • But When I try to query the index in Azure ML Studio, I also get this error:
  • The error is occurring when trying to access the iasdevhub01config resource (the hub's configuration storage).
  • I’m not fully understanding which permission Azure ML Studio might need to successfully connect to iasdevhub01config.
  • I need some help to clarify this scenario. User's image
Azure AI Search
Azure AI Search
An Azure search service with built-in artificial intelligence capabilities that enrich information to help identify and explore relevant content at scale.
1,345 questions
Azure OpenAI Service
Azure OpenAI Service
An Azure service that provides access to OpenAI’s GPT-3 models with enterprise capabilities.
4,085 questions
Azure AI services
Azure AI services
A group of Azure services, SDKs, and APIs designed to make apps more intelligent, engaging, and discoverable.
3,604 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. AshokPeddakotla-MSFT 35,971 Reputation points Moderator
    2024-10-16T03:26:55.5133333+00:00

    COLUSSI Diego M. TENARIS Greetings & Welcome to Microsoft Q&A forum!

    "message": "Failed to resolve MLIndex 'azureml://locations/eastus2/workspaces/----------/data/oais-indice/versions/2'. PermissionDenied(Some(AuthenticationError("Unable to get access token for resource named 'iasdevhub01config' (subscription: '-----------1a27af', resource group 'RG-IASTUDIO-TOOLFUNDAMENTALS-DEV').\n NetworkIsolationViolatedException was caused by DataAccessNetworkIsolationViolatedException.\n Cannot authenticate data access to with Workspace system assigned identity. Make sure that the firewall settings of Resouce \"[REDACT: DataServiceResourceId]\"\u{a0}allows access from the current virtual network.\n")))",

    As per the error, it looks like there is an issue with authentication and access to the iasdevhub01config resource, which is the hub's configuration storage.

    If your data storage account is located in a virtual network, additional configuration steps are required to ensure that the studio can access your data. Visit Network isolation & privacy for more information about the appropriate configuration steps.

    Also, there are some limitations.

    When the storage account is in the virtual network, there are extra validation requirements to use studio:

    • If the storage account uses a service endpoint, the workspace private endpoint and storage service endpoint must be in the same subnet of the virtual network.
    • If the storage account uses a private endpoint, the workspace private endpoint and storage private endpoint must be in the same virtual network. In this case, they can be in different subnets.

    I’m not fully understanding which permission Azure ML Studio might need to successfully connect to iasdevhub01config.

    Did you assign Storage Blob Data reader role for the Azure storage account?

    See Connect to data with the Azure Machine Learning studio for more details.

    Also, check Troubleshoot data access errors and let me know if that helps.

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.