Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License
6.38k stars, 4.26k forks

Unable to override search endpoint used for authentication (Azure Government) #2055

Open nitroxeno opened 1 month ago

nitroxeno commented 1 month ago

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Attempting to deploy to Azure Government. I manually updated all references to .com Azure endpoints to .us endpoints. Successfully published application and able to access the app-backend UI. However, when attempting to send a prompt, it responds with the error <class 'azure.core.exceptions.ClientAuthenticationError'>. After further reviewing the app insights, I can see the failure is on the DocumentsOperations.search_post when doing a GET /msi/token. The endpoint being referenced in the path is "http://169.254.129.10:8081/msi/token?api-version=2019-08-01&resource=https://search.azure.com". I can't seem to find how to override this behavior and change the resource to search.azure.us?

Any log messages given by the failure

Traceback (most recent call last):
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/opentelemetry/trace/__init__.py", line 583, in use_span
    yield span
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/tracing/decorator_async.py", line 105, in wrapper_use_tracer
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/search/documents/_generated/aio/operations/_documents_operations.py", line 408, in search_post
    pipeline_response: PipelineResponse = await self._client._pipeline.run(  # pylint: disable=protected-access
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 219, in run
    return await first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
    response = await self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
    response = await self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
    response = await self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  [Previous line repeated 2 more times]
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_redirect_async.py", line 73, in send
    response = await self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_retry_async.py", line 180, in send
    response = await self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_authentication_async.py", line 98, in send
    await await_result(self.on_request, request)
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_tools_async.py", line 56, in await_result
    return await result
           ^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_authentication_async.py", line 70, in on_request
    self._token = await await_result(self._credential.get_token, *self._scopes)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_tools_async.py", line 56, in await_result
    return await result
           ^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/decorators.py", line 21, in wrapper
    token = await fn(*args, **kwargs)
            ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_credentials/managed_identity.py", line 141, in get_token
    return await self._credential.get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 49, in get_token
    return await super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/get_token_mixin.py", line 93, in get_token
    token = await self._request_token(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 57, in _request_token
    return await cast(AsyncManagedIdentityClient, self._client).request_token(*scopes, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_client.py", line 35, in request_token
    token = self._process_response(response, request_time)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/_internal/managed_identity_client.py", line 63, in _process_response
    raise ClientAuthenticationError(
azure.core.exceptions.ClientAuthenticationError: (None) An unexpected error occured while fetching the AAD Token.
Code: None
Message: An unexpected error occured while fetching the AAD Token.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 169.254.129.10:8081 GET /msi/token Error: 500 Path: http://169.254.129.10:8081/msi/token?api-version=2019-08-01&resource=https://search.azure.com ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Expected/desired behavior

Should be able to replace all Azure Commercial hard coded endpoints with Azure Government endpoints.

OS and Version?

Windows 11 23H2

azd version?

azd version 1.10.2 (commit 84ea22048b9a1c167bc4ae2095cc7f91798ef11e)

Versions

Mention any other details that might be useful

I can see the openai.chat GET /msi/token is calling path "http://169.254.129.10:8081/msi/token?api-version=2019-08-01&resource=https://cognitiveservices.azure.us" so manually updating that endpoint seems to be sticking, just not the search endpoint. I realize there are likely not a lot of users attempting to deploy to Gov, but just wanted to check to see if anyone had any other ideas or places to look? TIA!

pamelafox commented 1 month ago

Did you look at the discussion here? https://github.com/Azure-Samples/azure-search-openai-demo/issues/1475 That dev mentions setting the audience, did you try that?
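
A check for the symptom described in this thread, as an added example (not code from the repository or from either commenter): it reads the `resource` parameter of managed identity token requests and flags any audience outside the expected cloud's domain. The function names and the `expected_suffix` argument are assumptions for illustration; the sample URLs are the two quoted in the issue.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two /msi/token paths quoted in the issue text.
SAMPLE_PATHS = [
    "http://169.254.129.10:8081/msi/token?api-version=2019-08-01"
    "&resource=https://search.azure.com",
    "http://169.254.129.10:8081/msi/token?api-version=2019-08-01"
    "&resource=https://cognitiveservices.azure.us",
]


def token_resource(path):
    """Return the 'resource' (token audience) of a token request URL, or None."""
    values = parse_qs(urlsplit(path).query).get("resource")
    return values[0] if values else None


def audience_mismatches(paths, expected_suffix):
    """Return (path, resource) pairs whose audience host is outside expected_suffix.

    expected_suffix is the DNS suffix of the target cloud, e.g. "azure.us"
    for the Azure Government deployment described in the issue (assumption:
    every audience in that deployment should sit under this suffix).
    """
    suffix = expected_suffix.lower().lstrip(".")
    findings = []
    for path in paths:
        resource = token_resource(path)
        if resource is None:
            continue  # no explicit audience on this request
        host = (urlsplit(resource).hostname or "").lower()
        # Compare on a label boundary so "notazure.us" does not pass as "azure.us".
        if host != suffix and not host.endswith("." + suffix):
            findings.append((path, resource))
    return findings


if __name__ == "__main__":
    for path, resource in audience_mismatches(SAMPLE_PATHS, "azure.us"):
        print(f"audience outside azure.us: {resource}\n  request: {path}")
```

Run over exported dependency telemetry, this separates requests that picked up the overridden audience from those still using a client default.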