Open JimGaleForce opened 1 year ago
I agree; if the above corporate/enterprise scenario with limited rights is addressed in the reference architecture, we can get our POCs done a lot quicker when we do not have these OpenAI instances available under our MSDN subscriptions or personal ones.
I've made progress going at it manually, inserting service names and keys where referenced. However, I'm stuck on this one error in preparing the (sample) docs:

```
Ensuring search index edgegrowthopenaisearchindex exists
Traceback (most recent call last):
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 208, in <module>
    create_search_index()
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 146, in create_search_index
    if args.index not in index_client.list_index_names():
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 132, in __next__
    return next(self._page_iterator)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 76, in __next__
    self._response = self._get_next(self.continuation_token)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\search\documents\indexes\_generated\operations\_indexes_operations.py", line 520, in get_next
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Authorization failed.
```

I've done az login. I've even hardcoded URLs in case the environment wasn't reading. I've switched the key from the query key (search service) to the admin key. They do different things, but I'm pretty sure it's the query key being needed. (Admin key produces "Unsupported credential".)
I'd appreciate any hints on what key this is supposed to be, or what might cause this. I feel I'm close to getting around the prevented corp deployment (running locally).
Hi Jim, I also met this issue. Did you fix your issue? Any suggestion for me? Thanks.
@JimGaleForce, are you using your own subscription where your user is actually the owner?
There's an issue in this scenario where the expected access roles are not created and the `prepdocs.py` script is not able to get the index key or push files to storage.
One way to work around this is to create another User within your Azure Active Directory with the role `User Access Administrator`. Then log in to `azd` with this user and run `azd up`.
Let me know if that works for you.
You're a life saver, thanks mate
@JimGaleForce - DM’d you. Would you mind sharing how you deployed it manually?
@chulahlou I had the same issue. I was logging into Azure with an account that had subscription-level role assignment of Owner. The workaround was to create and use a separate account with subscription-level role assignments of Owner and User Access Administrator. I was then able to deploy as normal.
@timmyfrazer - thanks. The issue is the enterprise users don't have permission to elevate roles. They only have Contributor role assignments. They can create resources within an existing resource group so I'm looking for ways to stand up the application manually
@timmyfrazer I can confirm creating a separate account with Owner and User Access Administrator assignments allow the deployment to complete. Thank you!
I fixed it by changing the main.bicep to target an existing resource group.
Thanks @wtyeung . That also failed as they don't have permission to assign roles. In your case, do you have Owner level permission to run the bicep script?
Owner role in the existing resourceGroup is required. You can comment out the whole roles section and wire up manually using keys.
Hey, @chulahlou, have you had any success deploying this on an account with the Contributor role?
@nkong6789, the action `Microsoft.Resources/deployments/write` is required. This action is part of the `Owner` role.
You can also create a custom-role which includes this action and assign the custom-role to the user before deployment. After deployment you can remove the custom-role.
I got this approach from @gbecerra1982
I get "A resource with the same name cannot be created in location 'eastus'. Please select a new resource name." I thought it would use existing resources which have been set using azd env set command
Also agreed on this point, with extra security care on exposed storage accounts and cognitive services. PR to add some level of validations via GitHub or ADO pipelines: https://github.com/Azure-Samples/azure-search-openai-demo/pull/329
+1 this
I am the owner of the resource group, but I'm still getting the above error.
Maybe with inspiration from https://github.com/Azure-Samples/openai-python-enterprise-logging
So some detailed steps in the documentation on adding the special role for a user with only Contributor access to the subscription would be good. This is a great example, but a lot of what it does is opaque to many of us.
Other chatgpt repo https://github.com/microsoft/azurechatgpt
Can someone explain why we even need role assignments for this repo? I mean, you can typically deploy resources just fine w/o it
@Timmate You can see the roles in the bottom of infra/main.bicep:
There are both user roles assigned and system roles. The user roles are primarily needed so that prepdocs.py can run locally (to process docs, compute embeddings, and upload to search index). The system roles allow the web app itself to use the OpenAI and Cognitive Search APIs, via DefaultAzureCredential and managed identity.
so, in short, we cannot deploy this app with only "Contributor" role, right?
Hi all-
We've clarified on the README that at the minimum, you need the RBAC role, or the RBAC role scoped to an existing resource group: https://github.com/Azure-Samples/azure-search-openai-demo#azure-account-requirements
We're interested to hear if your employers are able to give you that level of access (especially resource group scoped) or if that is still high of a level of access.
I also documented in another issue how to manually assign the roles in the Portal, but I assume that will only work if you have RBAC access for that RG:
https://github.com/Azure-Samples/azure-search-openai-demo/issues/634#issuecomment-1721699823
If you cannot be granted RBAC at the resource group level, then I think the only other approach is to use keys instead of managed identity. That should be possible with changes to the credentials in app.py. We generally discourage keys when possible, however, so we haven't yet enabled that in the repo.
I've granted one of our developers the Owner role for a resource group, and the Role Based Access Control Administrator (Preview) role at the resource group level. He still gets an error. Some have mentioned "User Access Administrator". I've granted him that role at the resource group and will report back the results.
@bosco777 Can you clarify which error they get? Just want to make sure the error they're getting is the role error. We're trying to replicate here. Thanks!
After deploying a tiny bicep file and looking at the full scope string, it appears their problem is more about the deployment not being scoped to the resource group. They are using "azd env set azure_resource_group ResourceGroupName", but the access denied PUT Deployment is just /subscription/subscriptionid/providers/microsoft.resources/deployments/deploymentname, rather than sub/subid/resourcegroups/rgname/providers/....
Aha, you're right. Victor mentioned that above:
https://github.com/Azure-Samples/azure-search-openai-demo/issues/4#issuecomment-1546070856
I will clarify in the README that there must also be a role that allows "Microsoft.Resources/deployments/write" on the subscription level, at least temporarily.
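The role and scope mechanics behind the last few comments (the user roles created by main.bicep, the subscription-scoped deployment PUT, and the `Microsoft.Resources/deployments/write` action) as an added pre-flight check; this is example code, not code from the azure-search-openai-demo project. It decides whether a principal's role assignments cover an action at a target scope the way Azure RBAC evaluates it (wildcard Actions minus NotActions, inherited down the scope tree). The role definitions are simplified excerpts of the built-in Owner, Contributor and User Access Administrator roles, and the subscription id, resource group name and deployment name are constructed.

```python
from fnmatch import fnmatchcase

# Simplified excerpts of the Azure built-in roles (Actions/NotActions only;
# DataActions and deny assignments are outside this check).
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Delete",
                        "Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/elevateAccess/Action"],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}
# Constructed sample scopes: a subscription and a resource group inside it.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-openai-demo"
# The two actions the thread turns on, and the two scopes azd may PUT a deployment to.
DEPLOY_WRITE = "Microsoft.Resources/deployments/write"
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"
SUB_DEPLOYMENT = SUB + "/providers/Microsoft.Resources/deployments/azd-env"
RG_DEPLOYMENT = RG + "/providers/Microsoft.Resources/deployments/azd-env"

def action_matches(pattern, action):
    # Azure action patterns are case-insensitive and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())

def scope_covers(assignment_scope, target_scope):
    # A role assignment applies at its own scope and at every scope beneath it.
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def role_grants(role_name, action):
    role = ROLE_DEFINITIONS[role_name]
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role["not_actions"])
    return allowed and not denied

def has_permission(assignments, action, target_scope):
    # assignments: list of (roleDefinitionName, scope) pairs for one principal.
    return any(scope_covers(scope, target_scope) and role_grants(role, action)
               for role, scope in assignments)

def preflight(assignments):
    # Subscription-scoped deployment, RG-scoped deployment, and the role
    # assignments main.bicep creates inside the resource group.
    return {"sub_deployment": has_permission(assignments, DEPLOY_WRITE, SUB_DEPLOYMENT),
            "rg_deployment": has_permission(assignments, DEPLOY_WRITE, RG_DEPLOYMENT),
            "rg_role_assignment": has_permission(assignments, ROLE_ASSIGN_WRITE, RG)}
```

With `preflight([("Contributor", RG)])` the RG-scoped deployment passes but the subscription-scoped one and the role assignments fail, which is the Contributor-only failure reported in this thread.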
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this issue will be closed.
By getting access to Search Service Contributor Role it can be resolved.
Is there any way to create all the user roles via the Portal and use them? I do not have access to perform the Role Assignment operation. If there is any way, please let me know.
@ayus786 If you're able to make them via the Portal, then you could try that, deleting the roles from the bottom of main.bicep, and running ./scripts/prepdocs.sh once you had the roles.
I am asking if there is any way to assign the roles via the Portal, so we can avoid the roleAssignment access issue.
I'm not sure whether there's a situation where you can assign in the Portal but not locally, but if there is such a situation, instructions for assigning roles in the Portal are here:
If you cannot be granted the `Microsoft.Resources/deployments/write` role on subscription level, you can use a modified main.bicep. It does a resource group deployment. It worked for me.
main.bicep.txt
Review the file before using it.
You still need `Owner` on resource group level.
Before running `azd up`, which will run the modified main.bicep script, enable resource group level deployment: `azd config set alpha.resourceGroupDeployments on`
This issue is for a: (mark with an `x`)
Minimal steps to reproduce
Any log messages given by the failure
Expected/desired behavior
(I already have all of these resources, the OpenAI service, two models, blob storage, search service). I changed the app.py to have those values. Not sure how to run/access it all.
OS and Version?
Versions
Mention any other details that might be useful