Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License
5.62k stars 3.76k forks

Make it possible to deploy for accounts without owner level access #4

Open JimGaleForce opened 1 year ago

JimGaleForce commented 1 year ago

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

azp up (as an employee, i.e. Microsoft)

Any log messages given by the failure

ERROR: deployment failed: error deploying infrastructure: failed deploying: starting deployment to subscription: PUT https://management.azure.com/subscriptions/12341234-1234-1234-1234-123412341234/providers/Microsoft.Resources/deployments/myNewOrExistingResource

RESPONSE 403: 403 Forbidden ERROR CODE: AuthorizationFailed

{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'me@company.com' with object id '12341234-1234-1234-1234-123412341234' does not have authorization to perform action 'Microsoft.Resources/deployments/write' over scope '/subscriptions/12341234-1234-1234-1234-123412341234/providers/Microsoft.Resources/deployments/myNewOrExistingResource' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

Expected/desired behavior

Ideally (if possible), there should be a path to set up preexisting resources in Azure Portal, such as an Azure OpenAI resource, deploying specific models, etc, all which require less creds than requiring a SAW machine to get write access.

(I already have all of these resources, the OpenAI service, two models, blob storage, search service). I changed the app.py to have those values. Not sure how to run/access it all.

OS and Version?

Windows 11

Versions

Mention any other details that might be useful


Thanks! We'll be in touch soon.

vikramhn commented 1 year ago

I agree, if the above corporate/enterprise scenario with limited rights are addressed in the reference architecture, we can get our poc’s done lot quicker when we do not have these openai instances available under our msdn subscriptions or personal ones.

JimGaleForce commented 1 year ago

I've made progress going at it manually, inserting service names and keys where referenced. However, I'm stuck on this one error in preparing the (sample) docs:

Ensuring search index edgegrowthopenaisearchindex exists
Traceback (most recent call last):
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 208, in <module>
    create_search_index()
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 146, in create_search_index
    if args.index not in index_client.list_index_names():
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 132, in __next__
    return next(self._page_iterator)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 76, in __next__
    self._response = self._get_next(self.continuation_token)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\search\documents\indexes\_generated\operations\_indexes_operations.py", line 520, in get_next
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Authorization failed.

I've done az login. I've even hardcoded URLs in case the environment wasn't being read. I've switched the key from the query key (search service) to the admin key. They do different things, but I'm pretty sure it's the query key that is needed. (The admin key produces "Unsupported credential".)

I'd appreciate any hints on what key this is supposed to be, or what might cause this. I feel I'm close to getting around the blocked corporate deployment (running locally).

Gaigaisun commented 1 year ago

myNewOrExistingResource

Hi Jim, I also met this issue. Did you fix your issue? Any suggestion for me? Thanks.

vhvb1989 commented 1 year ago

@JimGaleForce, are you using your own subscription where your user is actually the owner?

There's an issue in this scenario where the expected access-roles are not created and the prepdocs.py script is not able to get the index key or push files to storage.

One way to work around this is to create another user within your Azure Active Directory with the role User Access Administrator. Then log in to azd with this user and run azd up.

Let me know if that works for you

timmyfrazer commented 1 year ago

You're a life saver, thanks mate

chulahlou commented 1 year ago

I've made progress going at it manually, inserting service names and keys where referenced. However, I'm stuck on this one error in preparing the (sample) docs:

Ensuring search index edgegrowthopenaisearchindex exists
Traceback (most recent call last):
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 208, in <module>
    create_search_index()
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 146, in create_search_index
    if args.index not in index_client.list_index_names():
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 132, in __next__
    return next(self._page_iterator)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 76, in __next__
    self._response = self._get_next(self.continuation_token)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\search\documents\indexes\_generated\operations\_indexes_operations.py", line 520, in get_next
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Authorization failed.

I've done az login. I've even hardcoded URLs in case the environment wasn't being read. I've switched the key from the query key (search service) to the admin key. They do different things, but I'm pretty sure it's the query key that is needed. (The admin key produces "Unsupported credential".)

I'd appreciate any hints on what key this is supposed to be, or what might cause this. I feel I'm close to getting around the blocked corporate deployment (running locally).

@JimGaleForce - DM’d you. Would you mind sharing how you deployed it manually?

timmyfrazer commented 1 year ago

@chulahlou I had the same issue. I was logging into Azure with an account that had subscription-level role assignment of Owner. The workaround was to create and use a separate account with subscription-level role assignments of Owner and User Access Administrator. I was then able to deploy as normal.

chulahlou commented 1 year ago

@timmyfrazer - thanks. The issue is that the enterprise users don't have permission to elevate roles. They only have Contributor role assignments. They can create resources within an existing resource group, so I'm looking for ways to stand up the application manually.

cacarroll commented 1 year ago

@timmyfrazer I can confirm that creating a separate account with Owner and User Access Administrator assignments allows the deployment to complete. Thank you!

wtyeung commented 1 year ago

I fixed it by changing the main.bicep to target an existing resource group.

main_bicep.txt

chulahlou commented 1 year ago

I fixed it by changing the main.bicep to target an existing resource group.

main_bicep.txt

Thanks @wtyeung . That also failed as they don't have permission to assign roles. In your case, do you have Owner level permission to run the bicep script?

wtyeung commented 1 year ago

Owner role in the existing resourceGroup is required. You can comment out the whole roles section and wire up manually using keys.

nkong6789 commented 1 year ago

Hey, @chulahlou, have you had any success deploying this on an account with the Contributor role?

vhvb1989 commented 1 year ago

@nkong6789 , the action "Microsoft.Resources/deployments/write" is required. This action is part of the Owner role.

You can also create a custom-role which includes this action and assign the custom-role to the user before deployment. After deployment you can remove the custom-role.

I got this approach from @gbecerra1982
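As an added example (not from this thread or from the repo), the following shell script builds the custom role described above with exactly the one action the 403 response names, assigns it to the deploying user at subscription scope for the length of the azd up run, and revokes both the assignment and the definition afterwards, whether or not the deployment succeeded. It assumes the Azure CLI (az) and azd are installed and that the caller is signed in as a principal allowed to create role definitions and assignments (Owner or User Access Administrator); the role name and the subscription and object ids are placeholders.

```shell
#!/bin/sh
# Added example (not from the issue thread or the repo): a least-privilege
# custom role carrying only Microsoft.Resources/deployments/write, granted at
# subscription scope for the duration of 'azd up' and removed afterwards.
# The role name below is a placeholder; pick one that is unique in the tenant.
ROLE_NAME="Subscription Deployment Writer (temporary)"

# Emit the role definition JSON in the shape 'az role definition create' accepts.
deployment_writer_role_json() {
  sub_id="$1"
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Create subscription-level deployments only; grant for the deployment run, then remove.",
  "Actions": [
    "Microsoft.Resources/deployments/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$sub_id"
  ]
}
EOF
}

# Count the control-plane actions in the definition. The expected answer is 1:
# the role grants nothing beyond the single action the error message asked for.
action_count() {
  deployment_writer_role_json "$1" | grep -c '"Microsoft\.'
}

# Create the role, assign it, run the deployment, then revoke and delete.
# The revoke steps run even when 'azd up' fails, and its status is returned.
grant_deploy_revoke() {
  sub_id="$1"      # target subscription id (placeholder in the usage line below)
  assignee="$2"    # object id or UPN of the user who will run azd up
  scope="/subscriptions/$sub_id"
  role_file=$(mktemp)
  deployment_writer_role_json "$sub_id" > "$role_file"
  az role definition create --role-definition "@$role_file"
  az role assignment create --assignee "$assignee" --role "$ROLE_NAME" --scope "$scope"
  azd up
  status=$?
  az role assignment delete --assignee "$assignee" --role "$ROLE_NAME" --scope "$scope"
  az role definition delete --name "$ROLE_NAME"
  rm -f "$role_file"
  return $status
}

# Usage (placeholder ids):
#   grant_deploy_revoke 00000000-0000-0000-0000-000000000000 <user-object-id>
```

The definition deliberately has no wildcard and no NotActions: the point of the workaround is to cover the one missing action at the one scope the error names, and to leave the user with Contributor only once the deployment has run.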

f00z commented 1 year ago

I fixed it by changing the main.bicep to target an existing resource group.

main_bicep.txt

I get "A resource with the same name cannot be created in location 'eastus'. Please select a new resource name." I thought it would use existing resources which have been set using azd env set command

juju4 commented 1 year ago

Also agreed on this point, with extra security care needed on exposed storage accounts and cognitive services. PR to add some level of validation via GitHub or ADO pipelines: https://github.com/Azure-Samples/azure-search-openai-demo/pull/329

szelesaron commented 1 year ago

+1 this

I am the owner of the resource group, but I'm still getting the above error.

juju4 commented 1 year ago

Maybe with inspiration from https://github.com/Azure-Samples/openai-python-enterprise-logging

davidwboyd commented 11 months ago

So some detailed steps in the documentation on adding the special role for a user with only Contributor access to the subscription would be good. This is a great example, but a lot of what it does is opaque to many of us.

juju4 commented 11 months ago

Other chatgpt repo https://github.com/microsoft/azurechatgpt

Timmate commented 10 months ago

Can someone explain why we even need role assignments for this repo? I mean, you can typically deploy resources just fine w/o it

pamelafox commented 10 months ago

@Timmate You can see the roles in the bottom of infra/main.bicep:

https://github.com/Azure-Samples/azure-search-openai-demo/blob/f76673c44c63a99cc28e635663893638de3511b0/infra/main.bicep#L254

There are both user roles assigned and system roles. The user roles are primarily needed so that prepdocs.py can run locally (to process docs, compute embeddings, and upload to search index). The system roles allow the web app itself to use the OpenAI and Cognitive Search APIs, via DefaultAzureCredential and managed identity.

mzhadigerov commented 10 months ago

so, in short, we cannot deploy this app with only "Contributor" role, right?

pamelafox commented 9 months ago

Hi all-

We've clarified on the README that at the minimum, you need the RBAC role, or the RBAC role scoped to an existing resource group: https://github.com/Azure-Samples/azure-search-openai-demo#azure-account-requirements

We're interested to hear if your employers are able to give you that level of access (especially resource group scoped) or if that is still too high a level of access.

I also documented in another issue how to manually assign the roles in the Portal, but I assume that will only work if you have RBAC access for that RG:

https://github.com/Azure-Samples/azure-search-openai-demo/issues/634#issuecomment-1721699823

If you cannot be granted RBAC at the resource group level, then I think the only other approach is to use keys instead of managed identity. That should be possible with changes to the credentials in app.py. We generally discourage keys when possible, however, so we haven't yet enabled that in the repo.

bosco777 commented 9 months ago

We've clarified on the README that at the minimum, you need the RBAC role, or the RBAC role scoped to an existing resource group: https://github.com/Azure-Samples/azure-search-openai-demo#azure-account-requirements

We're interested to hear if your employers are able to give you that level of access (especially resource group scoped) or if that is still high of a level of access.

I've granted one of our developers the Owner role for a resource group, and the Role Based Access Control Administrator (Preview) role at the resource group level. He still gets an error. Some have mentioned 'User Access Administrator'. I've granted him that role at the resource group and will report back the results.

pamelafox commented 9 months ago

@bosco777 Can you clarify which error they get? Just want to make sure the error they're getting is the role error. We're trying to replicate here. Thanks!

bosco777 commented 9 months ago

After deploying a tiny bicep file and looking at the full scope string, it appears their problem is more about the deployment not being scoped to the resource group. They are using "azd env set azure_resource_group ResourceGroupName", but the access denied PUT Deployment is just /subscription/subscriptionid/providers/microsoft.resources/deployments/deploymentname, rather than sub/subid/resourcegroups/rgname/providers/....
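As an added example (not part of the thread), the shell functions below pull the denied action and the scope out of an AuthorizationFailed message like the one quoted at the top of the issue and report whether the denied scope is the whole subscription or a resource group, which is the distinction made in the comment above. The message is a constructed sample with placeholder subscription and object ids.

```shell
#!/bin/sh
# Added example (not from the issue thread): classify an AuthorizationFailed
# response by the scope and action it names, so a missing subscription-level
# right can be told apart from a missing resource-group-level one.

# Constructed sample shaped like the 403 body quoted in the issue; the ids are placeholders.
SAMPLE_MSG="The client 'me@company.com' with object id '12341234-1234-1234-1234-123412341234' does not have authorization to perform action 'Microsoft.Resources/deployments/write' over scope '/subscriptions/12341234-1234-1234-1234-123412341234/providers/Microsoft.Resources/deployments/myNewOrExistingResource' or the scope is invalid."

# Print the action the message says is missing.
missing_action() {
  printf '%s\n' "$1" | sed -n "s/.*perform action '\([^']*\)'.*/\1/p"
}

# Print the scope string the message names.
denied_scope() {
  printf '%s\n' "$1" | sed -n "s/.*over scope '\([^']*\)'.*/\1/p"
}

# Classify a scope string: a path that passes through resourceGroups is a
# resource-group deployment, a bare /subscriptions/<id>/... path is a
# subscription-level one (which needs the action granted at the subscription).
scope_kind() {
  case "$1" in
    /subscriptions/*/resourceGroups/*|/subscriptions/*/resourcegroups/*) echo "resource-group" ;;
    /subscriptions/*) echo "subscription" ;;
    *) echo "unknown" ;;
  esac
}

# Wrapper: prints "<scope kind> <missing action>" for a whole message.
diagnose() {
  action=$(missing_action "$1")
  scope=$(denied_scope "$1")
  echo "$(scope_kind "$scope") $action"
}

# For the sample above this prints: subscription Microsoft.Resources/deployments/write
diagnose "$SAMPLE_MSG"
```

A result of "subscription" for a deployment you expected to be resource-group scoped is the signature of the situation described above: the azd environment points at a resource group, but the deployment itself is still being created at the subscription, so a resource-group-scoped role cannot satisfy it.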

pamelafox commented 9 months ago

Aha, you're right. Victor mentioned that above:

https://github.com/Azure-Samples/azure-search-openai-demo/issues/4#issuecomment-1546070856

I will clarify in the README that there must also be a role that allows "Microsoft.Resources/deployments/write" on the subscription level, at least temporarily.

github-actions[bot] commented 6 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this issue will be closed.

ayus786 commented 4 months ago

I've made progress going at it manually, inserting service names and keys where referenced. However, I'm stuck on this one error in preparing the (sample) docs:

Ensuring search index edgegrowthopenaisearchindex exists
Traceback (most recent call last):
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 208, in <module>
    create_search_index()
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 146, in create_search_index
    if args.index not in index_client.list_index_names():
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 132, in __next__
    return next(self._page_iterator)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 76, in __next__
    self._response = self._get_next(self.continuation_token)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\search\documents\indexes\_generated\operations\_indexes_operations.py", line 520, in get_next
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Authorization failed.

I've done az login. I've even hardcoded URLs in case the environment wasn't being read. I've switched the key from the query key (search service) to the admin key. They do different things, but I'm pretty sure it's the query key that is needed. (The admin key produces "Unsupported credential".)

I'd appreciate any hints on what key this is supposed to be, or what might cause this. I feel I'm close to getting around the blocked corporate deployment (running locally).

This can be resolved by getting access to the Search Service Contributor role.

ayus786 commented 4 months ago

@Timmate You can see the roles in the bottom of infra/main.bicep:

https://github.com/Azure-Samples/azure-search-openai-demo/blob/f76673c44c63a99cc28e635663893638de3511b0/infra/main.bicep#L254

There are both user roles assigned and system roles. The user roles are primarily needed so that prepdocs.py can run locally (to process docs, compute embeddings, and upload to search index). The system roles allow the web app itself to use the OpenAI and Cognitive Search APIs, via DefaultAzureCredential and managed identity.

Is there any way to create all the user roles via the Portal and use them? I do not have access to perform the Role Assignment operation. If there is any way, please let me know.

pamelafox commented 4 months ago

@ayus786 If you're able to make them via the Portal, then you could try that, deleting the roles from the bottom of main.bicep, and running ./scripts/prepdocs.sh once you had the roles.

ayus786 commented 4 months ago

@ayus786 If you're able to make them via the Portal, then you could try that, deleting the roles from the bottom of main.bicep, and running ./scripts/prepdocs.sh once you had the roles.

I am asking if there is any way to assign the roles via the Portal, so we can avoid the roleAssignment access issue.

pamelafox commented 4 months ago

I'm not sure whether there's a situation where you can assign in the Portal but not locally, but if there is such a situation, instructions for assigning roles in the Portal are here:

https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition

tomitomasino commented 2 months ago

If you cannot be granted the Microsoft.Resources/deployments/write action at subscription level, you can use a modified main.bicep. It does a resource group deployment. It worked for me. main.bicep.txt

Review the file before using it. You still need Owner at resource group level. Before running azd up, which will run the modified main.bicep script, enable resource group level deployment:

azd config set alpha.resourceGroupDeployments on