Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License

Error code: 401 - {'error': {'code': 'PermissionDenied', 'message': 'Principal does not have access to API/Operation.'}} #1870

Open tahsinalamin opened 3 months ago

tahsinalamin commented 3 months ago

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [x] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Update a previous version of the webapp with new code deployed via VS Code. Local deployment works perfectly.

Any log messages given by the failure

```
2024-07-29T16:41:07.903585431Z ERROR:root:Error code: 401 - {'error': {'code': 'PermissionDenied', 'message': 'Principal does not have access to API/Operation.'}}
2024-07-29T16:41:07.903619832Z Traceback (most recent call last):
2024-07-29T16:41:07.903625032Z File "/tmp/8dcacc2ffe1ab39/app.py", line 358, in conversation_internal
2024-07-29T16:41:07.903628532Z result = await stream_chat_request(request_body, request_headers)
2024-07-29T16:41:07.903631632Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-29T16:41:07.903634832Z File "/tmp/8dcacc2ffe1ab39/app.py", line 345, in stream_chat_request
2024-07-29T16:41:07.903638632Z response, apim_request_id = await send_chat_request(request_body, request_headers)
2024-07-29T16:41:07.903641932Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-29T16:41:07.903644932Z File "/tmp/8dcacc2ffe1ab39/app.py", line 323, in send_chat_request
2024-07-29T16:41:07.903648232Z raise e
2024-07-29T16:41:07.903651632Z File "/tmp/8dcacc2ffe1ab39/app.py", line 318, in send_chat_request
2024-07-29T16:41:07.903663132Z raw_response = await azure_openai_client.chat.completions.with_raw_response.create(*model_args)
2024-07-29T16:41:07.903666632Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-29T16:41:07.903669832Z File "/tmp/8dcacc2ffe1ab39/antenv/lib/python3.11/site-packages/openai/_response.py", line 262, in wrapped
2024-07-29T16:41:07.903673132Z return cast(APIResponse[R], await func(args, **kwargs))
2024-07-29T16:41:07.903676432Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-29T16:41:07.903679632Z File "/tmp/8dcacc2ffe1ab39/antenv/lib/python3.11/site-packages/openai/resources/chat/completions.py", line 1295, in create
2024-07-29T16:41:07.903683332Z return await self._post(
2024-07-29T16:41:07.903686432Z ^^^^^^^^^^^^^^^^^
2024-07-29T16:41:07.903689632Z File "/tmp/8dcacc2ffe1ab39/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post
2024-07-29T16:41:07.903692832Z return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls)
2024-07-29T16:41:07.903706933Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-29T16:41:07.903710433Z File "/tmp/8dcacc2ffe1ab39/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request
2024-07-29T16:41:07.903713533Z return await self._request(
2024-07-29T16:41:07.903716533Z ^^^^^^^^^^^^^^^^^^^^
2024-07-29T16:41:07.903719533Z File "/tmp/8dcacc2ffe1ab39/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request
2024-07-29T16:41:07.903722633Z raise self._make_status_error_from_response(err.response) from None
2024-07-29T16:41:07.903727133Z openai.AuthenticationError: Error code: 401 - {'error': {'code': 'PermissionDenied', 'message': 'Principal does not have access to API/Operation.'}}
```

Expected/desired behavior

It should display a reply to my query.

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?) Linux

azd version?

run azd version and copy paste here.

Versions

azd version 1.2.0 (commit 99ea7577f0df0df2ba34b677da189fafba18c0f7)

Mention any other details that might be useful

I deployed the WebApp in October last year. It was working perfectly. I updated the code from the latest git repo and deployed the app from the commands given in the git repo. Now it is showing the error. However, when I do a local deployment, it works as expected.


Thanks! We'll be in touch soon.

pamelafox commented 3 months ago

Can you check to make sure that those two values are blank, in your App Service environment variables?

AZURE_OPENAI_API_KEY

OPENAI_API_KEY

I've seen an issue where developers have those set in their global environment, and we're accidentally picking up the global values when we do a deploy.

tahsinalamin commented 3 months ago

@pamelafox AZURE_OPENAI_API_KEY was empty. I copied the actual key and now it's working!

Was it supposed to be empty?

dovstern commented 3 months ago

I had the same issue, where AZURE_OPENAI_API_KEY was empty. Filling it in the Environment Variables for the App Service resource in the Azure Portal fixed it.

dovstern commented 3 months ago

BUT every time that I re-deploy the app or deploy a new app, the AZURE_OPENAI_API_KEY gets wiped out blank and the issue returns, requiring this manual step. @pamelafox is there a fix for that?

bjornarfjelldal commented 2 months ago

I experience the same, but in my case AZURE_OPENAI_API_KEY and OPENAI_API_KEY aren't even set. Only AZURE_OPENAI_KEY is there, and I need to create the others after every deployment.

tahsinalamin commented 2 months ago

From my talk with Azure support, the env variables from the .env file do not get updated; the existing variables in the Azure portal get priority. So, it makes sense to set the environment variables each time after redeploying. Hope they make the update.

brunoobata commented 1 month ago

To resolve this problem, I created AZURE_OPENAI_API_KEY in App Service -> Environment Variables and put KEY 1 from the OpenAI resource in it. This worked for me.

pamelafox commented 1 month ago

This project uses managed identity by default, which means that no keys are required. The roles are set in the infrastructure (in infra/main.bicep) so that the App Service app can access the OpenAI resource. If you run "azd up", it should take care of all of that for you.
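
The check the thread converges on, as an added example that is not part of the thread or the project's code: it reads saved JSON from `az webapp config appsettings list` and `az role assignment list` and reports whether the app is running on a stored key or on managed identity, and whether the identity holds a role on the OpenAI resource. The `diagnose` helper, the role name `Cognitive Services OpenAI User`, and the premise that a blank key means the app authenticates with its managed identity are assumptions; the sample data is constructed.

```python
import json

# Setting names come from the thread; the role name is an assumption (Azure built-in role).
KEY_SETTINGS = ("AZURE_OPENAI_API_KEY", "OPENAI_API_KEY", "AZURE_OPENAI_KEY")
REQUIRED_ROLE = "Cognitive Services OpenAI User"


def diagnose(appsettings_json, role_assignments_json, principal_id):
    """Return (auth_mode, findings) from saved `az` JSON output.

    appsettings_json:      output of `az webapp config appsettings list`
    role_assignments_json: output of `az role assignment list` for the OpenAI resource
    principal_id:          object id of the App Service managed identity
    """
    settings = {s["name"]: (s.get("value") or "").strip()
                for s in json.loads(appsettings_json)}
    keys_set = [name for name in KEY_SETTINGS if settings.get(name)]
    has_role = any(
        a.get("principalId") == principal_id
        and a.get("roleDefinitionName") == REQUIRED_ROLE
        for a in json.loads(role_assignments_json)
    )
    findings = []
    if keys_set:
        mode = "api-key"
        findings.append("key stored in app settings: " + ", ".join(keys_set))
        if not has_role:
            findings.append("identity has no role; clearing the key would lead to 401")
    else:
        # Assumption: with no key set, the app authenticates as its managed identity.
        mode = "managed-identity"
        if not has_role:
            findings.append(f"no '{REQUIRED_ROLE}' for {principal_id}: expect 401 PermissionDenied")
    return mode, findings


# Constructed sample data (not taken from the issue).
SAMPLE_PRINCIPAL = "00000000-0000-0000-0000-000000000001"
SAMPLE_SETTINGS = json.dumps([
    {"name": "AZURE_OPENAI_API_KEY", "value": "", "slotSetting": False},
    {"name": "EXAMPLE_SETTING", "value": "example", "slotSetting": False},
])
SAMPLE_ROLES_MISSING = json.dumps([
    {"principalId": "00000000-0000-0000-0000-0000000000ff", "roleDefinitionName": REQUIRED_ROLE},
])
SAMPLE_ROLES_OK = json.dumps([
    {"principalId": SAMPLE_PRINCIPAL, "roleDefinitionName": REQUIRED_ROLE},
])

if __name__ == "__main__":
    print(diagnose(SAMPLE_SETTINGS, SAMPLE_ROLES_MISSING, SAMPLE_PRINCIPAL))
    print(diagnose(SAMPLE_SETTINGS, SAMPLE_ROLES_OK, SAMPLE_PRINCIPAL))
```

An `api-key` result means a long-lived secret sits in the App Service configuration; a `managed-identity` result with no findings is the keyless state the last comment describes.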