Azure-Samples / azure-search-openai-demo-csharp

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure Cognitive Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
MIT License

Why is `User Access Administrator` required? #213

Closed mattleibow closed 6 months ago

mattleibow commented 8 months ago

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [x] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

azd up on a subscription where you are just a Contributor

Any log messages given by the failure

Deployment Error Details:
InvalidTemplateDeployment: The template deployment failed with error: 'Authorization failed for template resource 'XXX' of type 'Microsoft.Authorization/roleAssignments'. The client 'XXX' with object id 'XXX' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.ContainerRegistry/registries/XXX/providers/Microsoft.Authorization/roleAssignments/XXX'.'.

Expected/desired behavior

Why is the role needed if I have just created all the resources? This is hard to test and I had to get specific exceptions from more powerful people just to run the demo. Is there a reason the admin permissions are needed?

Since there is a company-wide R&D subscription where I am a Contributor, I feel like I should be able to run the demo without having to ask for more permissions.

luisquintanilla commented 8 months ago

@jongio do you have any insights here? Is it because azd needs to create resources at the subscription level?

jongio commented 8 months ago

The most secure way to connect to services is by using Role Based Access Control (RBAC), where your account or a service's "service principal" is given permission to access a service.

In order to connect your account and the services to access other services you need to create "role assignments".

i.e., for your account to access storage, you need the "storage access" role. For key vault, you need key vault read access, etc.

In order to create the role assignment, the user deploying the template needs "User Access Administrator" or "Owner" roles.

The "Contributor" role isn't enough to create those role assignments.

The best we can do right now, is tell you what roles are required, which can be found here: https://github.com/Azure-Samples/azure-search-openai-demo-csharp/blob/main/infra/main.bicep#L423

We are working on ways to make this easier for folks that can't get the User Access Admin or Owner roles.
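A pre-flight check for the situation jongio describes, added here as an example and not code from azd or this repo: it evaluates whether the roles held by the deploying principal permit `Microsoft.Authorization/roleAssignments/write` using Azure RBAC action semantics (case-insensitive, `*` wildcard, `notActions` subtracted from `actions`). The role definitions below are a constructed sample in the shape `az role definition list` returns, trimmed to the fields the check needs.

```python
import fnmatch
import json

# Constructed sample of the role definitions effective for the deploying
# principal (shape of `az role definition list`, trimmed). The built-in
# Contributor role explicitly lists Microsoft.Authorization/*/Write under
# notActions, which is why Contributor alone cannot create the role
# assignments that main.bicep declares.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "Contributor",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]}]},
  {"roleName": "User Access Administrator",
   "permissions": [{"actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
                    "notActions": []}]},
  {"roleName": "Owner",
   "permissions": [{"actions": ["*"], "notActions": []}]}
]
""")

# The action the failing deployment in the issue was denied.
REQUIRED_ACTION = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive; '*' matches any
    # characters, including '/' separators.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants_action(role, action):
    """True if some permission block of the role allows `action`: an entry in
    `actions` matches and no entry in `notActions` takes it away again."""
    for perm in role["permissions"]:
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        denied = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def roles_that_can_assign(role_definitions, action=REQUIRED_ACTION):
    """Names of the given roles that permit writing role assignments,
    i.e. what the principal running `azd up` needs for this template."""
    return [r["roleName"] for r in role_definitions if role_grants_action(r, action)]


if __name__ == "__main__":
    print(roles_that_can_assign(SAMPLE_ROLE_DEFINITIONS))
```

To run it against a real principal, feed it the definitions of the roles actually assigned at the target scope (from `az role assignment list --assignee <object id>` and `az role definition list --name <role>`) instead of the constructed sample.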

luisquintanilla commented 6 months ago

Thanks for the response. Marking this issue as closed.