How to Configure Azure OpenAI with Managed Identities

More complex security scenarios require Azure role-based access control (Azure RBAC). This document covers how to authenticate to your OpenAI resource using Azure Active Directory (Azure AD).

In the following sections, you'll use the Azure CLI to assign roles, and obtain a bearer token to call the OpenAI resource. If you get stuck, links are provided in each section with all available options for each command in Azure Cloud Shell/Azure CLI.

Prerequisites

  • An Azure subscription - Create one for free

  • Access granted to the Azure OpenAI service in the desired Azure subscription

    Currently, access to this service is granted only by application. You can apply for access to the Azure OpenAI service by completing the form at https://aka.ms/oai/access. Open an issue on this repo to contact us if you have an issue.

  • Azure CLI - Installation Guide

  • The following Python libraries: os, requests, json

Sign into the Azure CLI

To sign-in to the Azure CLI, run the following command and complete the sign-in. You may need to do it again if your session has been idle for too long.

az login

Assign yourself to the Cognitive Services User role

Assigning yourself to the Cognitive Services User role will allow you to use your account for access to the specific cognitive services resource

  1. Get your user information

    export user=$(az account show | jq -r .user.name)
    
  2. Assign yourself to “Cognitive Services User” role.

    export resourceId=$(az group show -g $myResourceGroupName | jq -r .id)
    az role assignment create --role "Cognitive Services User" --assignee $user --scope $resourceId
    

    Note

    Role assignment change will take ~5 mins to become effective. Therefore, I did this step ahead of time. Skip this if you have already done this previously.

  3. Acquire an Azure AD access token. Access tokens expire in one hour. you'll then need to acquire another one.

    export accessToken=$(az account get-access-token --resource https://cognitiveservices.azure.com | jq -r .accessToken)
    
  4. Make an API call Use the access token to authorize your API call by setting the Authorization header value.

    curl ${endpoint%/}/openai/deployment/YOUR_DEPLOYMENT_NAME/completions?api-version=2022-12-01 \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $accessToken" \
    -d '{ "prompt": "Once upon a time" }'
    

Authorize access to managed identities

OpenAI supports Azure Active Directory (Azure AD) authentication with managed identities for Azure resources. Managed identities for Azure resources can authorize access to Cognitive Services resources using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.

Enable managed identities on a VM

Before you can use managed identities for Azure resources to authorize access to Cognitive Services resources from your VM, you must enable managed identities for Azure resources on the VM. To learn how to enable managed identities for Azure Resources, see:

For more information about managed identities, see Managed identities for Azure resources.