Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License

No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId #2148

Open amirj opened 1 week ago

amirj commented 1 week ago

My app is running perfectly locally and communicates with Azure resources, but the deployed app is having the following exception when generating the answer:

2024-11-12T16:31:05.845514845Z 2024-11-12 16:31:05,845 - INFO - Setting up Azure credential using ManagedIdentityCredential
2024-11-12T16:31:05.846747156Z 2024-11-12 16:31:05,846 - INFO - Setting up Azure credential using ManagedIdentityCredential with client_id xxxxxx
...
2024-11-12T16:43:01.948261341Z 2024-11-12 16:43:01,947 - WARNING - AppServiceCredential.get_token failed: (None) No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.948297042Z Code: None
2024-11-12T16:43:01.948302642Z Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.948307342Z 2024-11-12 16:43:01,948 - WARNING - ManagedIdentityCredential.get_token failed: (None) No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.948311942Z Code: None
2024-11-12T16:43:01.948333642Z Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.951917774Z 2024-11-12 16:43:01,948 - ERROR - Exception while generating response stream: (None) No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.951970374Z Code: None
2024-11-12T16:43:01.951977974Z Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.951982974Z Traceback (most recent call last):
2024-11-12T16:43:01.951986875Z   File "/tmp/8dd030b56bad4dd/app.py", line 200, in format_as_ndjson
2024-11-12T16:43:01.951991075Z     async for event in r:
2024-11-12T16:43:01.951994675Z   File "/tmp/8dd030b56bad4dd/approaches/chatapproach.py", line 113, in run_with_streaming
2024-11-12T16:43:01.951998975Z     extra_info, chat_coroutine = await self.run_until_final_call(
2024-11-12T16:43:01.952002975Z                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952006975Z   File "/tmp/8dd030b56bad4dd/approaches/chatreadretrieveread.py", line 159, in run_until_final_call
2024-11-12T16:43:01.952011275Z     results = await self.search(
2024-11-12T16:43:01.952015475Z               ^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952019975Z   File "/tmp/8dd030b56bad4dd/approaches/approach.py", line 175, in search
2024-11-12T16:43:01.952023975Z     async for page in results.by_page():
2024-11-12T16:43:01.952027775Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/async_paging.py", line 94, in __anext__
2024-11-12T16:43:01.952032375Z     self._response = await self._get_next(self.continuation_token)
2024-11-12T16:43:01.952191776Z                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952205476Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/search/documents/aio/_paging.py", line 109, in _get_next_cb
2024-11-12T16:43:01.952211477Z     return await self._client.documents.search_post(search_request=self._initial_query.request, **self._kwargs)
2024-11-12T16:43:01.952216777Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952221277Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/tracing/decorator_async.py", line 105, in wrapper_use_tracer
2024-11-12T16:43:01.952234477Z     return await func(*args, **kwargs)
2024-11-12T16:43:01.952239077Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952242977Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/search/documents/_generated/aio/operations/_documents_operations.py", line 400, in search_post
2024-11-12T16:43:01.952246777Z     pipeline_response: PipelineResponse = await self._client._pipeline.run(  # pylint: disable=protected-access
2024-11-12T16:43:01.952252277Z                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952264477Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 219, in run
2024-11-12T16:43:01.952268877Z     return await first_node.send(pipeline_request)
2024-11-12T16:43:01.952272877Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952277177Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
2024-11-12T16:43:01.952281077Z     response = await self.next.send(request)
2024-11-12T16:43:01.952284677Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952288277Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
2024-11-12T16:43:01.952292477Z     response = await self.next.send(request)
2024-11-12T16:43:01.952297077Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952302077Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
2024-11-12T16:43:01.952306177Z     response = await self.next.send(request)
2024-11-12T16:43:01.952309877Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952313577Z   [Previous line repeated 2 more times]
2024-11-12T16:43:01.952317977Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_redirect_async.py", line 73, in send
2024-11-12T16:43:01.952322078Z     response = await self.next.send(request)
2024-11-12T16:43:01.952325678Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952329378Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_retry_async.py", line 180, in send
2024-11-12T16:43:01.952333178Z     response = await self.next.send(request)
2024-11-12T16:43:01.952336878Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952340978Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_authentication_async.py", line 98, in send
2024-11-12T16:43:01.952345078Z     await await_result(self.on_request, request)
2024-11-12T16:43:01.952348978Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_tools_async.py", line 56, in await_result
2024-11-12T16:43:01.952353578Z     return await result
2024-11-12T16:43:01.952357478Z            ^^^^^^^^^^^^
2024-11-12T16:43:01.952361178Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_authentication_async.py", line 70, in on_request
2024-11-12T16:43:01.952365278Z     self._token = await await_result(self._credential.get_token, *self._scopes)
2024-11-12T16:43:01.952370178Z                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952374678Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/core/pipeline/_tools_async.py", line 56, in await_result
2024-11-12T16:43:01.952386578Z     return await result
2024-11-12T16:43:01.952391178Z            ^^^^^^^^^^^^
2024-11-12T16:43:01.952395478Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/decorators.py", line 21, in wrapper
2024-11-12T16:43:01.952401178Z     token = await fn(*args, **kwargs)
2024-11-12T16:43:01.952406478Z             ^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952411478Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_credentials/managed_identity.py", line 141, in get_token
2024-11-12T16:43:01.952417178Z     return await self._credential.get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
2024-11-12T16:43:01.952422478Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952427978Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 49, in get_token
2024-11-12T16:43:01.952433579Z     return await super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
2024-11-12T16:43:01.952438879Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952444179Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/get_token_mixin.py", line 93, in get_token
2024-11-12T16:43:01.952449879Z     token = await self._request_token(
2024-11-12T16:43:01.952455179Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952460479Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 57, in _request_token
2024-11-12T16:43:01.952464979Z     return await cast(AsyncManagedIdentityClient, self._client).request_token(*scopes, **kwargs)
2024-11-12T16:43:01.952468979Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952472679Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_client.py", line 35, in request_token
2024-11-12T16:43:01.952476479Z     token = self._process_response(response, request_time)
2024-11-12T16:43:01.952480079Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-12T16:43:01.952484579Z   File "/tmp/8dd030b56bad4dd/antenv/lib/python3.11/site-packages/azure/identity/_internal/managed_identity_client.py", line 63, in _process_response
2024-11-12T16:43:01.952488679Z     raise ClientAuthenticationError(
2024-11-12T16:43:01.952492279Z azure.core.exceptions.ClientAuthenticationError: (None) No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.
2024-11-12T16:43:01.952496679Z Code: None
2024-11-12T16:43:01.952501879Z Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.

I'm sure that the provided AZURE_CLIENT_ID has access to my search service with role AI Search Contributor and Search Index Data Contributor.

Looking at the app code it seems that it's only using AZURE_CLIENT_ID without any secret? How's it working?

azure_credential = ManagedIdentityCredential(client_id=AZURE_CLIENT_ID)

Could you help me understand how the above ManagedIdentityCredential works, please?

pamelafox commented 1 week ago

The app uses Managed identity with user-assigned identity for the Azure Container App, and infra/main.bicep sets all the roles so that the Container App has all the access needed for the services. No secret is needed when using managed identity on an Azure host like App Service or Container Apps. If you deploy with "azd up", all of the roles and identities should have been set up for you. If you did not, you'll need to check the Bicep and ensure that you have the same identities and role setup.
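An added example, not part of the thread or the project's code: it shows why no secret is involved (the host injects `IDENTITY_ENDPOINT` and `IDENTITY_HEADER`, and `client_id` only selects which attached identity to use) and checks whether a given `AZURE_CLIENT_ID` is actually attached to the host. The function names and sample values are hypothetical; the identity JSON is assumed to have the shape printed by `az webapp identity show` or `az containerapp identity show`.

```python
import json
from urllib.parse import urlencode

API_VERSION = "2019-08-01"  # App Service managed identity endpoint version

def build_token_request(env, resource, client_id=None):
    """Return (url, headers) for the host-local identity endpoint.

    The platform injects IDENTITY_ENDPOINT and IDENTITY_HEADER into the
    process, so the app itself never holds a secret.
    """
    if "IDENTITY_ENDPOINT" not in env or "IDENTITY_HEADER" not in env:
        raise RuntimeError("not on a managed-identity host (e.g. a dev machine)")
    params = {"resource": resource, "api-version": API_VERSION}
    if client_id:  # selects a user-assigned identity; omit for system-assigned
        params["client_id"] = client_id
    url = env["IDENTITY_ENDPOINT"] + "?" + urlencode(params)
    return url, {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}

def diagnose(identity_json, client_id):
    """Compare AZURE_CLIENT_ID with the identities attached to the host."""
    identity = json.loads(identity_json or "null") or {}
    attached = {
        v.get("clientId", "").lower(): resource_id
        for resource_id, v in (identity.get("userAssignedIdentities") or {}).items()
    }
    if client_id.lower() in attached:
        return "ok: " + attached[client_id.lower()]
    if not attached:
        return "no user-assigned identity is attached to this host"
    return "client_id not attached; attached: " + ", ".join(sorted(attached))

# Constructed sample data (placeholder GUIDs and paths, not from the issue).
SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_ENV = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41741/msi/token",
              "IDENTITY_HEADER": "constructed-header-value"}
SAMPLE_IDENTITY = json.dumps({
    "type": "UserAssigned",
    "userAssignedIdentities": {
        "/subscriptions/0000/resourceGroups/rg/providers/"
        "Microsoft.ManagedIdentity/userAssignedIdentities/app-id": {
            "clientId": SAMPLE_CLIENT_ID,
            "principalId": "22222222-2222-2222-2222-222222222222"}}})

if __name__ == "__main__":
    print(build_token_request(SAMPLE_ENV, "https://search.azure.com", SAMPLE_CLIENT_ID)[0])
    print(diagnose(SAMPLE_IDENTITY, "33333333-3333-3333-3333-333333333333"))
```

A "client_id not attached" result corresponds to the "No User Assigned or Delegated Managed Identity found" message in the log: role assignments on the search service do not help until the identity itself is attached to the host.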