search

Azure / azure-sdk-for-go

This repository is for active development of the Azure SDK for Go. For consumers of the SDK we recommend visiting our public developer docs at:
https://docs.microsoft.com/azure/developer/go/
MIT License
1.62k stars 823 forks source link

azure openai cognitive search chat extension not working with azidentity authentication #21631

Closed BlauerPulli closed 1 year ago

BlauerPulli commented 1 year ago

Bug report

Hey, i am using my gpt model deployed in a azure openai instance via DefaultAzureCredential mechanism from the azidentity package which works very well with my local az login + managed identity of the hosted application. If i now extend the chatcompletions request with options for using my cognitive search index it only works if i add the required marked search key. This shouldn't be the case if the authentication workflow for the whole openai client works properly. To exclude azure rbac issues i assigned the openai instances identity also owner permissions over the resource group that contains the whole setup.

Additional Info (not really know if this is helpful here): Found the cognitive search setting API access control under Keys to which was per default API keys. It dropped this error: Invalid AzureCognitiveSearch configuration detected: Azure Search Error: 403, message='Server responded with status 403. Error message: ', url=URL('<instance-url>/indexes/<index-name>?api-version=2021-04-30-Preview')\nServer responded with status 403.

Switch it to Both this error message appears: Error with API access control is: Gateway cannot authenticate upstream services. Please contact Microsoft for help.

Thanks in advance for your help!

richardpark-msft commented 1 year ago

@trrwilson, do you know if this setup is intended to work with Identity? Or is using an APIKey the only way it works?

trrwilson commented 1 year ago

Thanks for the tag, @richardpark-msft ! @BlauerPulli -- thank you for the detailed description and it's certainly nothing on your end; the Use Your Data feature (via the underlying /extensions/chat/completions REST route) currently only handles linked resource authentication via API key use. Incorporating other authentication options is something the feature team is actively investigating and, while we can't yet put an ETA in writing, we're optimistic it'll be "soon."

BlauerPulli commented 1 year ago

Hey @trrwilson, thanks for the answer. It's nice to hear that this will coming soon!