An Azure machine learning service for building and deploying models.
Hi Jason
We regret the delay in response due to invalid tagging of this issue.
You should not get an RBAC error if you have the Azure AI Developer role and the Owner/Contributor role assigned on the AI Foundry hub.
Reference on default roles in Foundry hub.
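If you have the above permissions and key-based authentication still fails, check the resource's activity logs to see whether an organization policy is blocking key-based authentication, and create an exemption on that policy. A policy that blocks key-based authentication is often a deliberate security control, so confirm with the policy owner before exempting a resource; authenticating with Entra ID, as shown below, avoids the need for an exemption.
Feel free to use the code below to authenticate with Entra ID credentials if key-based authentication fails.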
import os
from typing import cast
from azure.ai.projects import AIProjectClient
from azure.ai.projects.models import ConnectionType, AuthenticationType
from azure.identity import DefaultAzureCredential
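# Sample: resolve a project connection and call its chat model with either
# API-key or Entra ID authentication, depending on how the connection is set up.
# All three settings are required; a missing variable raises KeyError at startup.
project_connection_string = os.environ["PROJECT_CONNECTION_STRING"]
connection_name = os.environ["CONNECTION_NAME"]
model_deployment_name = os.environ["MODEL_DEPLOYMENT_NAME"]

# The project client itself always authenticates with an Entra ID token
# credential; no API key is used to reach the project.
project_client = AIProjectClient.from_connection_string(
    credential=DefaultAzureCredential(),
    conn_str=project_connection_string,
)

with project_client:
    # Get the properties of a connection by its connection name.
    # include_credentials=True asks the service to return the connection's
    # secret material as well (connection.key is read below for API-key
    # connections), so treat `connection` as sensitive from here on.
    connection = project_client.connections.get(connection_name=connection_name, include_credentials=True)
    print("====> Get connection by name (credentials printout redacted)):")
    # NOTE(review): the message above says the printout is redacted; confirm
    # that for the installed SDK version before running this where stdout is
    # collected, and never print connection.key directly.
    print(connection)

    # Examples of how you would create an inference client
    if connection.connection_type == ConnectionType.AZURE_OPEN_AI:
        from openai import AzureOpenAI

        if connection.authentication_type == AuthenticationType.API_KEY:
            print("====> Creating AzureOpenAI client using API key authentication")
            aoai_client = AzureOpenAI(
                api_key=connection.key,
                azure_endpoint=connection.endpoint_url,
                api_version="2024-06-01",  # See "Data plane - inference" row in table https://learn.microsoft.com/azure/ai-services/openai/reference#api-specs
            )
        elif connection.authentication_type == AuthenticationType.ENTRA_ID:
            print("====> Creating AzureOpenAI client using Entra ID authentication")
            from azure.core.credentials import TokenCredential
            from azure.identity import get_bearer_token_provider

            aoai_client = AzureOpenAI(
                # See https://learn.microsoft.com/python/api/azure-identity/azure.identity?view=azure-python#azure-identity-get-bearer-token-provider
                azure_ad_token_provider=get_bearer_token_provider(
                    cast(TokenCredential, connection.token_credential), "https://cognitiveservices.azure.com/.default"
                ),
                azure_endpoint=connection.endpoint_url,
                api_version="2024-06-01",  # See "Data plane - inference" row in table https://learn.microsoft.com/azure/ai-services/openai/reference#api-specs
            )
        else:
            raise ValueError(f"Authentication type {connection.authentication_type} not supported.")

        # Close the client even when the request raises (for example on an
        # authorization failure), so it is not leaked.
        try:
            aoai_response = aoai_client.chat.completions.create(
                model=model_deployment_name,
                messages=[
                    {
                        "role": "user",
                        "content": "How many feet are in a mile?",
                    },
                ],
            )
        finally:
            aoai_client.close()

        print(aoai_response.choices[0].message.content)

    elif connection.connection_type == ConnectionType.AZURE_AI_SERVICES:
        from azure.ai.inference import ChatCompletionsClient
        from azure.ai.inference.models import UserMessage

        if connection.authentication_type == AuthenticationType.API_KEY:
            print("====> Creating ChatCompletionsClient using API key authentication")
            from azure.core.credentials import AzureKeyCredential

            # Fail with a clear message instead of sending an empty key, so a
            # missing key is not mistaken for an RBAC or policy denial.
            if not connection.key:
                raise ValueError(f"Connection {connection_name!r} returned no API key.")
            inference_client = ChatCompletionsClient(
                endpoint=f"{connection.endpoint_url}/models", credential=AzureKeyCredential(connection.key)
            )
        elif connection.authentication_type == AuthenticationType.ENTRA_ID:
            from azure.core.credentials import TokenCredential

            print("====> Creating ChatCompletionsClient using Entra ID authentication")
            inference_client = ChatCompletionsClient(
                endpoint=f"{connection.endpoint_url}/models",
                credential=cast(TokenCredential, connection.token_credential),
                credential_scopes=["https://cognitiveservices.azure.com/.default"],
            )
        else:
            raise ValueError(f"Authentication type {connection.authentication_type} not supported.")

        # Same cleanup guarantee as the AzureOpenAI branch above.
        try:
            inference_response = inference_client.complete(
                model=model_deployment_name, messages=[UserMessage(content="How many feet are in a mile?")]
            )
        finally:
            inference_client.close()

        print(inference_response.choices[0].message.content)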
Reference on using Entra Credentials
Hope it helps address the issue.
Thank you.