search

Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License
5.37k stars 4.79k forks source link

[BUG] Azure.AI.OpenAI Authorization fails #46590

Open vRune4 opened 1 week ago

vRune4 commented 1 week ago

Library name and version

Azure.AI.OpenAI 2.0.0

Describe the bug

I have an existing project that works fine with an API key, but I want to use RBAC instead.

I've assigned myself the 'Cognitive Services OpenAI Contributor' role and I'm executing code that looks something like this:

var azureOpenAIClient = new AzureOpenAIClient(aiServiceEndpoint, new DefaultAzureCredential());
var embeddingClient = azureOpenAIClient.GetEmbeddingClient(embeddingModelName);
var embeddingResponse = await embeddingClient.GenerateEmbeddingsAsync(new List<string> { chunk });

This project also connects to the Search Service, and that works fine with RBAC. That said, there are a dozen roles to choose from, and maybe I just haven't hit the right one yet. (feels like I've tried them all by now though)

Expected behavior

Should return a valid result.

Actual behavior

Throws exception.

Log:

[Informational] Azure-Identity: VisualStudioCredential.GetToken invoked. Scopes: [ https://cognitiveservices.azure.com/.default ] ParentRequestId: b17173fc-de25-42fa-964f-79914e44670c
[Informational] Azure-Identity: VisualStudioCredential.GetToken succeeded. Scopes: [ https://cognitiveservices.azure.com/.default ] ParentRequestId: b17173fc-de25-42fa-964f-79914e44670c ExpiresOn: 2024-10-14T13:30:59.5318802+00:00
[Informational] Azure-Identity: DefaultAzureCredential credential selected: Azure.Identity.VisualStudioCredential
[Informational] Azure-Identity: DefaultAzureCredential.GetToken succeeded. Scopes: [ https://cognitiveservices.azure.com/.default ] ParentRequestId: b17173fc-de25-42fa-964f-79914e44670c ExpiresOn: 2024-10-14T13:30:59.5318802+00:00
Unhandled exception. System.ClientModel.ClientResultException: Service request failed.
Status: 401 (Unauthorized)

   at Azure.AI.OpenAI.ClientPipelineExtensions.ProcessMessageAsync(ClientPipeline pipeline, PipelineMessage message, RequestOptions options)
   at Azure.AI.OpenAI.Embeddings.AzureEmbeddingClient.GenerateEmbeddingsAsync(BinaryContent content, RequestOptions options)
   at OpenAI.Embeddings.EmbeddingClient.GenerateEmbeddingsAsync(IEnumerable`1 inputs, EmbeddingGenerationOptions options, CancellationToken cancellationToken)
   at DownloadEmails.Services.SearchService.GenerateEmbeddingAsync(EmbeddingClient embeddingClient, String chunk) in C:\repos\visma\llm-mail-import\src\DownloadEmails\SearchService.cs:line 212
   at DownloadEmails.Services.SearchService.IndexTicketDocumentsAsync(TicketInfo ticket, SearchClient searchClient, EmbeddingClient embeddingClient) in C:\repos\visma\llm-mail-import\src\DownloadEmails\SearchService.cs:line 182
   at DownloadEmails.Services.SearchService.IndexNewDocumentsAsync(List`1 data, SearchClient searchClient, EmbeddingClient embeddingClient) in C:\repos\visma\llm-mail-import\src\DownloadEmails\SearchService.cs:line 127
   at DownloadEmails.Services.SearchService.CreateIndexAndPushDataAsync(List`1 data) in C:\repos\visma\llm-mail-import\src\DownloadEmails\SearchService.cs:line 57
   at DownloadEmails.Workers.WorkerClass.ExecuteAsync() in C:\repos\visma\llm-mail-import\src\DownloadEmails\WorkerClass.cs:line 31
   at Program.<Main>$(String[] args) in C:\repos\visma\llm-mail-import\src\DownloadEmails\Program.cs:line 51
   at Program.<Main>(String[] args)

Error response:

{{ "statusCode": 401, "message": "Unauthorized. Access token is missing, invalid, audience is incorrect (https://cognitiveservices.azure.com), or have expired." }}

Reproduction Steps

  1. Write code (see description)
  2. Assign yourself the 'Cognitive Services OpenAI Contributor' role
  3. Make sure your VS Azure credential is signed in
  4. Run

Environment

github-actions[bot] commented 1 week ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

github-actions[bot] commented 1 week ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @jpalvarezl @ralph-msft @trrwilson.

AngelosP commented 3 days ago

Hi @vRune4,

Can you please provide more details on how you've assigned yourself the 'Cognitive Services OpenAI Contributor' role? Also, what type of .NET project are you using?

/cc @scottaddie

vRune4 commented 1 day ago

I assigned myself that role through the portal.

Get-AzRoleAssignment | where Scope -eq '/subscriptions/$mysub/resourceGroups/rg-mine-dev/providers/Microsoft.CognitiveServices/accounts/oai-mine-dev' returns this:

Scope              : /subscriptions/$mysub/resourceGroups/rg-mine-dev/providers/Microsoft
                     .CognitiveServices/accounts/oai-mine-dev
DisplayName        : <my user>
RoleDefinitionName : Cognitive Services OpenAI Contributor

This is a plain standard .net 8 console project.