Process for Python App Authentication to Azure OpenAI Service without Client Secrets (Avoiding AZURE_CLIENT_SECRET)

Question

Process for Python App Authentication to Azure OpenAI Service without Client Secrets (Avoiding AZURE_CLIENT_SECRET)

Nabil Kemerchou 0

Hello Microsoft Community,

I am developing a Python application that needs to authenticate with the Azure OpenAI Service to make API calls (for chat completions or embeddings).

Currently, the common approach I've seen involves setting up an Azure AD App Registration and using the following environment variables for authentication, likely via the azure-identity library:

AZURE_TENANT_ID

AZURE_CLIENT_ID

AZURE_CLIENT_SECRET

My concern is with the AZURE_CLIENT_SECRET. These secrets have an expiration date, requiring manual rotation. This process is less Secure

My Goal:

I want to implement a robust and secure authentication method for my Python application to connect to Azure OpenAI Service that avoids the need to manage and rotate client secrets (AZURE_CLIENT_SECRET).

My Questions:

What are the recommended, production-ready alternatives to using client secrets for authenticating a Python application to Azure OpenAI?
Managed Identity: If my application runs on a supported Azure service (like App Service, VMs, AKS), how can I configure and use a System-Assigned or User-Assigned Managed Identity for authentication? What specific Python azure-identity credential types should be used, and how does the openai library integrate with this?
Client Certificates: Is using client certificates instead of secrets a viable and recommended alternative? What are the pros and cons regarding management and rotation compared to secrets?

Are there specific code examples or best practices within the Python azure-identity and openai SDKs for implementing these secretless authentication flows?

I appreciate any guidance, best practices, or code examples the community can provide to help implement a secure, secretless authentication flow.

Thank you!

Saideep Anchuri 6,965 Points de réputation Personnel externe Microsoft Moderator

2025-04-23T17:44:27.64+00:00
Hi Nabil Kemerchou

To authenticate your Python application with the Azure OpenAI Service without using client secrets,

Managed Identity: This is a recommended approach for applications running on supported Azure services like App Service, Virtual Machines (VMs), or Azure Kubernetes Service (AKS). Managed identities eliminate the need for client secrets by providing an automatically managed identity for your application. You can use either a System-Assigned or User-Assigned Managed Identity.

System-Assigned Managed Identity: This is created and assigned to an Azure service instance. It automatically handles the identity lifecycle.

User-Assigned Managed Identity: This is created as a standalone Azure resource and can be assigned to one or more Azure service instances.

For authentication in your Python application, you can use the ManagedIdentityCredential class from the azure-identity library. Here's a basic example of how to configure it:
from azure.identity import ManagedIdentityCredential from openai import OpenAI # Create a managed identity credential credential = ManagedIdentityCredential() # Use the credential to authenticate with Azure OpenAI openai_client = OpenAI(credential=credential)

Client Certificates: Using client certificates is another alternative to client secrets. This method involves generating a certificate and using it for authentication. The pros of using client certificates include enhanced security and the ability to manage them through Azure Key Vault. However, the cons include the complexity of managing certificates, including renewal and deployment.

Best Practices: When implementing secretless authentication flows, consider using the DefaultAzureCredential class from the azure-identity library, which automatically selects the best authentication method based on the environment. This simplifies the authentication process and allows your application to run seamlessly across different environments. Here’s an example of using DefaultAzureCredential:
from azure.identity import DefaultAzureCredential from openai import OpenAI # Use DefaultAzureCredential for authentication credential = DefaultAzureCredential() # Initialize OpenAI client openai_client = OpenAI(credential=credential)
Kindly refer below link: authentication

Thank You.
Prashanth Veeragoni 4,435 Points de réputation Personnel externe Microsoft Moderator

2025-04-24T18:34:18.54+00:00

Hi Nabil Kemerchou,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Thank you!

Nabil Kemerchou 0

Hi @prashanth veeragoni !

My code uses AzureOpenAI and AzureOpenAIEmbedding, will the proposed solution above still work in this case ?

Thank you!

    global llm
    llm = AzureChatOpenAI(
        model=model_config.azure_model,
        deployment_name=model_config.azure_model,
        api_key=model_config.azure_api_key,
        azure_endpoint=model_config.azure_endpoint,
        api_version=model_config.azure_api_version,
        temperature=0.0
    )

    global embeddings
    embeddings = AzureOpenAIEmbeddings(
        azure_endpoint=model_config.azure_endpoint,
        azure_deployment=model_config.azure_embedding_model,
        openai_api_version=model_config.azure_api_version,
        api_key=model_config.azure_api_key,
    )

Votre réponse

Prashanth Veeragoni 4,435 Points de réputation Personnel externe Microsoft Moderator

2025-04-24T18:34:18.54+00:00

Hi Nabil Kemerchou,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Thank you!
Nabil Kemerchou 0 Points de réputation

2025-04-24T19:33:01.19+00:00

Hi @prashanth veeragoni !

My code uses AzureOpenAI and AzureOpenAIEmbedding, will the proposed solution above still work in this case ?

Thank you!

global llm llm = AzureChatOpenAI( model=model_config.azure_model, deployment_name=model_config.azure_model, api_key=model_config.azure_api_key, azure_endpoint=model_config.azure_endpoint, api_version=model_config.azure_api_version, temperature=0.0 ) global embeddings embeddings = AzureOpenAIEmbeddings( azure_endpoint=model_config.azure_endpoint, azure_deployment=model_config.azure_embedding_model, openai_api_version=model_config.azure_api_version, api_key=model_config.azure_api_key, )

Partager via

Process for Python App Authentication to Azure OpenAI Service without Client Secrets (Avoiding AZURE_CLIENT_SECRET)

Votre réponse