Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License
6.37k stars 4.26k forks

How to add System Identities (User) manually for backend service. #634

Closed namratam30 closed 1 year ago

namratam30 commented 1 year ago

Please provide us with the following information:

This issue is for a: (mark with an x)

I cannot create roles from the application. I am using an existing OpenAI service. Can anyone tell me how to add System identities (roles) for the backend service manually? Basically I want to add these roles manually. Here is the code for reference:

```bicep
// SYSTEM IDENTITIES
module openAiRoleBackend 'core/security/role.bicep' = {
  scope: openAiResourceGroup
  name: 'openai-role-backend'
  params: {
    principalId: backend.outputs.identityPrincipalId
    roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
    principalType: 'ServicePrincipal'
  }
}

module storageRoleBackend 'core/security/role.bicep' = {
  scope: storageResourceGroup
  name: 'storage-role-backend'
  params: {
    principalId: backend.outputs.identityPrincipalId
    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
    principalType: 'ServicePrincipal'
  }
}

module searchRoleBackend 'core/security/role.bicep' = {
  scope: searchServiceResourceGroup
  name: 'search-role-backend'
  params: {
    principalId: backend.outputs.identityPrincipalId
    roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
    principalType: 'ServicePrincipal'
  }
}
```
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Any log messages given by the failure

Expected/desired behavior

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

azd version?

run azd version and copy paste here.

Versions

Mention any other details that might be useful


Thanks! We'll be in touch soon.

pamelafox commented 1 year ago

We have the existing script that sets up the roles for a user:

https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/scripts/roles.sh

You would need to enable managed identity for your app service app in the Identity tab, copy that principal id, and run it in the script.

Screenshot 2023-09-14 at 5 53 46 AM

namratam30 commented 1 year ago

I can't run the script as I don't have access. Is there any way to create this identity from the Azure portal?

pamelafox commented 1 year ago

Please let us know if that worked for you. I'm curious why you'd be able to do that in the Portal but not able to do it via the script, I thought the permissions would be the same.

manunair1990 commented 1 year ago

> We have the existing script that sets up the roles for a user:
>
> https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/scripts/roles.sh
>
> You would need to enable managed identity for your app service app in the Identity tab, copy that principal id, and run it in the script.
>
> Screenshot 2023-09-14 at 5 53 46 AM

Hi @pamelafox

I tried to run the code with existing resources created by the owner, and I have an RBAC role at the resource group level. But I couldn't get access to enable managed identity for my app service in the Identity tab and thus couldn't copy that principal id. Then how can I run the code with only an RBAC role on the resource group? Please help me.

And I got this error when I tried to assign the roles manually:

Failed to add "WebAPP resource" as Cognitive Services OpenAI User for "Resource group name" : The client 'XXX@XXX.com' with object id '33e66c54-5b0d-475a-9b18-6d4ee4b59310' has an authorization with ABAC condition that is not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/XXX/resourceGroups/"Resource group name"/providers/Microsoft.Authorization/roleAssignments/fcce671d-a4e1-4ea5-98ea-02cc62a8be2c' or the scope is invalid. If access was recently granted, please refresh your credentials..

ayus786 commented 9 months ago

> - First, make sure that your app service app has Managed identity enabled: Screenshot 2023-09-15 at 11 41 00 AM
> - Then click the "Azure role assignments" button on that screen. Screenshot 2023-09-15 at 11 42 11 AM
> - Select "+ Add role assignment" from that screen.
>   - For scope, select "Resource group".
>   - For role, select "Cognitive Services OpenAI user".
>
>   Screenshot 2023-09-15 at 11 42 51 AM
>
> - Repeat for roles "Storage Blob Data Reader" and "Search Index Data Reader".
> - When done, your role assignments should look like: Screenshot 2023-09-15 at 11 43 54 AM
>
> Please let us know if that worked for you. I'm curious why you'd be able to do that in the Portal but not able to do it via the script, I thought the permissions would be the same.

It is working but it's giving responses outside of the resources provided.
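The role assignment that both the script route and the portal steps above perform, as an added Azure CLI example that is not the repo's scripts/roles.sh: it grants the three built-in roles from the issue's Bicep to the app's system-assigned identity at resource-group scope. It assumes a logged-in az CLI and a caller who can write role assignments at that scope; the AZ dry-run override and the GUID check are this example's own, not part of the sample.

```shell
#!/usr/bin/env bash
# Added example, not the sample repo's scripts/roles.sh: grant the backend's
# system-assigned identity the same three roles the issue's Bicep assigns, at
# resource-group scope, using the Azure CLI. Assumes `az` is logged in and the
# caller holds Microsoft.Authorization/roleAssignments/write at that scope
# (the ABAC-condition error quoted above is what you get when that permission
# carries a condition the request does not satisfy).
set -eu

# Built-in role definition IDs copied from the Bicep in the issue.
ROLE_OPENAI_USER="5e0bd9bd-7b93-4f28-af87-19fc36ad61bd"   # Cognitive Services OpenAI User
ROLE_BLOB_READER="2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"   # Storage Blob Data Reader
ROLE_SEARCH_READER="1407120a-92aa-4202-b7e9-c0e197c71c8f" # Search Index Data Reader

# AZ is a hypothetical override for dry runs (AZ=echo prints the commands instead).
AZ="${AZ:-az}"

# Reject anything that is not a GUID before touching the API: a mistyped principal
# id would otherwise fail with an opaque error or bind a role to the wrong object.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# assign_backend_roles <principal-object-id> <subscription-id> <resource-group>
# Only the three data-plane user/reader roles are granted, nothing broader, which
# keeps the app's identity at least privilege exactly as the Bicep does.
assign_backend_roles() {
  local principal="$1" subscription="$2" rg="$3" scope role
  is_guid "$principal" || { echo "principal id is not a GUID: $principal" >&2; return 1; }
  is_guid "$subscription" || { echo "subscription id is not a GUID: $subscription" >&2; return 1; }
  scope="/subscriptions/${subscription}/resourceGroups/${rg}"
  for role in "$ROLE_OPENAI_USER" "$ROLE_BLOB_READER" "$ROLE_SEARCH_READER"; do
    "$AZ" role assignment create \
      --role "$role" \
      --assignee-object-id "$principal" \
      --assignee-principal-type ServicePrincipal \
      --scope "$scope" \
      --output none
  done
}
```

Call it as `assign_backend_roles <principal-object-id> <subscription-id> <resource-group>` with the principal id copied from the app's Identity tab; set `AZ=echo` first to see the three commands without running them.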

pamelafox commented 9 months ago

@ayus786 Please see this guide for tips on debugging low quality answers:

https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/docs/customization.md#improving-answer-quality

I haven't experienced it giving responses outside of the resources provided, but that can vary across domains, so you may need to do additional prompt engineering or try GPT-4.