microsoft / sample-app-aoai-chatGPT

Sample code for a simple web chat experience through Azure OpenAI, including Azure OpenAI On Your Data.
MIT License

Error (code ManagedIdentityIsNotEnabled) after deploy a web app from AI Studio #1024

Open Katerina-Chernevskaya opened 1 month ago

Katerina-Chernevskaya commented 1 month ago

Describe the bug

Hi,

I hope this is the right place to ask this question. I'm experiencing a repeatable issue when deploying a web app using the button in AI Studio. Since yesterday, every time I deploy the web app and send any text, I receive the same error message:

Error code: 400 - {'error': {'requestid': '010babac-56b0-4756-9807-7f3703fc88bb', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}

I've tested in several tenants. Deployed resources both with Bicep scripts and manually. The issue reproduces every time.

To Reproduce

Steps to reproduce the behavior:

  1. Go to Chat section in the AI Project (assume that gpt-4 model was deployed in advance).
  2. Click on 'Add your data'.
  3. Add an index.
  4. Click on Deploy to a web app.
  5. Complete the form (either Create a new web app or Update an existing web app) and enable chat history.
  6. Click Deploy.
  7. Wait till the web app is deployed (or updated).
  8. Open the created (updated) web app.
  9. Send "hi".
  10. See error

Expected behavior

The web app should reply something like "Hi" without any errors.

Screenshots

(screenshot attached)

Configuration: Please provide the following

Output:

{
  "runtime": "PYTHON|3.11",
  "startupCommand": "python3 -m gunicorn app:app"
}

Logs

  1. If the application deployment is failing, please share the deployment logs using the following az CLI command:

    az webapp log deployment show --name <app name> --resource-group <rg name>

    N/A

  2. If the application is crashing after deployment, please share the application logs using the following az CLI command:

    az webapp log tail --name <app name> --resource-group <resource group name>

Output:

2024-07-26T06:19:11  Welcome, you are now connected to log-streaming service.
Starting Log Tail -n 10 of existing logs ----
/appsvctmp/volatile/logs/runtime/container.log
2024-07-26T06:04:40.4897229Z            ^^^^^^^^^^^^^^^^^
2024-07-26T06:04:40.4897262Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post
2024-07-26T06:04:40.4897293Z     return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls)
2024-07-26T06:04:40.4897348Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:04:40.4897380Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request
2024-07-26T06:04:40.4897407Z     return await self._request(
2024-07-26T06:04:40.4897434Z            ^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:04:40.4897468Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request
2024-07-26T06:04:40.4897781Z     raise self._make_status_error_from_response(err.response) from None
2024-07-26T06:04:40.4897863Z openai.BadRequestError: Error code: 400 - {'error': {'requestid': '010babac-56b0-4756-9807-7f3703fc88bb', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}
Ending Log Tail of existing logs ---
Starting Live Log Stream ---
2024-07-26T06:19:27.7903526Z ERROR:root:Exception in send_chat_request
2024-07-26T06:19:27.7924534Z Traceback (most recent call last):
2024-07-26T06:19:27.7924630Z   File "/tmp/8dcad37dd7c728a/app.py", line 318, in send_chat_request
2024-07-26T06:19:27.7924663Z     raw_response = await azure_openai_client.chat.completions.with_raw_response.create(**model_args)   
2024-07-26T06:19:27.7924696Z                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^   
2024-07-26T06:19:27.7924726Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_response.py", line 262, in wrapped
2024-07-26T06:19:27.7924754Z     return cast(APIResponse[R], await func(*args, **kwargs))
2024-07-26T06:19:27.7924782Z                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7924850Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/resources/chat/completions.py", line 1295, in create
2024-07-26T06:19:27.7924881Z     return await self._post(
2024-07-26T06:19:27.7924908Z            ^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7924937Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post
2024-07-26T06:19:27.7924968Z     return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls)
2024-07-26T06:19:27.7924996Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7925026Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request
2024-07-26T06:19:27.7925052Z     return await self._request(
2024-07-26T06:19:27.7925092Z            ^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7925123Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request
2024-07-26T06:19:27.7925153Z     raise self._make_status_error_from_response(err.response) from None
2024-07-26T06:19:27.7925206Z openai.BadRequestError: Error code: 400 - {'error': {'requestid': '61184aca-fc0b-4f56-99c0-ab7dd94d3a54', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}
2024-07-26T06:19:27.7925779Z ERROR:root:Error code: 400 - {'error': {'requestid': '61184aca-fc0b-4f56-99c0-ab7dd94d3a54', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}
2024-07-26T06:19:27.7925832Z Traceback (most recent call last):
2024-07-26T06:19:27.7925863Z   File "/tmp/8dcad37dd7c728a/app.py", line 358, in conversation_internal
2024-07-26T06:19:27.7925892Z     result = await stream_chat_request(request_body, request_headers)
2024-07-26T06:19:27.7925922Z              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7925950Z   File "/tmp/8dcad37dd7c728a/app.py", line 345, in stream_chat_request
2024-07-26T06:19:27.7925978Z     response, apim_request_id = await send_chat_request(request_body, request_headers)
2024-07-26T06:19:27.7926007Z                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926033Z   File "/tmp/8dcad37dd7c728a/app.py", line 323, in send_chat_request
2024-07-26T06:19:27.7926075Z     raise e
2024-07-26T06:19:27.7926105Z   File "/tmp/8dcad37dd7c728a/app.py", line 318, in send_chat_request
2024-07-26T06:19:27.7926136Z     raw_response = await azure_openai_client.chat.completions.with_raw_response.create(**model_args)   
2024-07-26T06:19:27.7926167Z                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^   
2024-07-26T06:19:27.7926199Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_response.py", line 262, in wrapped
2024-07-26T06:19:27.7926232Z     return cast(APIResponse[R], await func(*args, **kwargs))
2024-07-26T06:19:27.7926264Z                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926315Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/resources/chat/completions.py", line 1295, in create
2024-07-26T06:19:27.7926344Z     return await self._post(
2024-07-26T06:19:27.7926371Z            ^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926402Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post
2024-07-26T06:19:27.7926433Z     return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls)
2024-07-26T06:19:27.7926464Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926499Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request
2024-07-26T06:19:27.7926530Z     return await self._request(
2024-07-26T06:19:27.7926574Z            ^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926611Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request
2024-07-26T06:19:27.7926643Z     raise self._make_status_error_from_response(err.response) from None
2024-07-26T06:19:27.7926692Z openai.BadRequestError: Error code: 400 - {'error': {'requestid': '61184aca-fc0b-4f56-99c0-ab7dd94d3a54', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}
harshbangad commented 1 month ago

I am getting the same error. The chat playground works great but webapp gives the error. I have deployed to a webapp similarly before but started getting this error today. The prior deployed webapps work fine.

raju-celerinn commented 1 month ago

I am getting the same error. The chat playground works great but webapp gives the error.

harshbangad commented 1 month ago

@sarah-widder This is the bug i was referring to.

wangyuantao commented 1 month ago

We are investigating. As a mitigation, can you try enabling the managed identity of the Azure OpenAI resource, and adding a role assignment from the Azure OpenAI identity to the search resource? See https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely

niallmcnulty commented 1 month ago

I am getting the same error. The chat playground works great but webapp gives the error. I have deployed to a webapp similarly before but started getting this error today. The prior deployed webapps work fine.

Same here - exactly the same use case. Was working fine, now not

harshbangad commented 1 month ago

@wangyuantao Tried that. Enabled identity for both the search and OpenAI resources. Also redeployed the web app. The error changed but it is still not working. Attaching a screenshot. (screenshot attached)

kazmiruk commented 1 month ago

@wangyuantao have the same error (initial one) and tried your workaround - got the same error as @harshbangad above

wangyuantao commented 1 month ago

There are some known issues in AOAI Studio for the "deploy web app" feature. Please file support tickets so the support team can troubleshoot and suggest workaround.

harshbangad commented 1 month ago

@wangyuantao Can you please add someone from that team or add the link for the same? Thank you.

iamramengirl commented 1 month ago

Still occurring, could someone please update on the status of this issue?

harshbangad commented 1 month ago

@aahill @wangyuantao @yuantao-wang @mrbullwinkle

abhahn commented 1 month ago

Hi @harshbangad , I just want to confirm a few details with you about your app configuration to see if we can determine a workaround on the webapp side while we are working out issues on the studio deployment side.

  1. Is the Azure Search index you're using a vector index?
  2. Can you confirm that you are attempting to use system-assigned managed identity for authentication between resources?
  3. Could you tell me which of the following variables are set in your environment? I don't need specific values, just whether or not they are set: AZURE_OPENAI_EMBEDDING_ENDPOINT, AZURE_OPENAI_EMBEDDING_KEY, AZURE_OPENAI_EMBEDDING_NAME, AZURE_OPENAI_KEY, AZURE_SEARCH_KEY
  4. If attempting to use MI, can you confirm the following RBAC settings on each resource?
Role                           | Assignee                 | Resource
Search Index Data Reader       | Azure OpenAI (Inference) | Azure AI Search
Search Service Contributor     | Azure OpenAI (Inference) | Azure AI Search
Cognitive Services OpenAI User | Web app                  | Azure OpenAI (Inference)

harshbangad commented 1 month ago

Thanks for the response @abhahn

  1. The Azure Search index is hybrid (vector + keyword).
  2. Yes, system-assigned managed identity.
  3. Using defaults. Did not change any of these. I am just adding my index in the Azure AI Studio playground, where it works, and then deploying as a web app.
  4. This is where I believe the issue is. Before Microsoft made changes, the role assigned was Contributor for the OpenAI resource on the search resource, and it worked fine. Now the documentation says to make it "Cognitive Services OpenAI Contributor". I see that role in the overall roles, but when we select "Add role assignment" on the search resource and then select the OpenAI resource, the Cognitive Services OpenAI User role does not appear in the options. I added the "Search Index Data Contributor" role for the OpenAI resource on the search resource. Even tried making the network public. Still does not work. I tried the same using OpenAI Studio as well and got the following error when adding a new data source itself. The issue seems to be with the new role "Cognitive Services OpenAI Contributor". (screenshot attached)

raju-celerinn commented 1 month ago

Try using the API keys instead of managed identities. It is working


abhahn commented 1 month ago

@harshbangad , I have also noticed that sometimes I am not able to find the correct roles in the Azure portal when attempting to do the assignment.

There is another way to do it through the az CLI which seems to always work for me. Here is the general format of the command that I sometimes use to set up my roles:

az role assignment create --assignee-object-id <system assigned MI object id> --role "<insert role name here>" --scope /subscriptions/<sub id>/resourceGroups/<rg name>/providers/...

For the above you will need to substitute your details into each command for each role you want to apply. For example, if I wanted to assign "Search Index Data Reader" to my AOAI resource, I would substitute <system assigned MI object id> with the MI object ID for my AOAI resource, use "Search Index Data Reader" as the role name, and the full resource path to my search resource (beginning with /subscriptions) as the value for scope. You can modify this command for each of the roles you want to apply for your resources. A comprehensive list of roles can be found in our docs here: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#role-assignments

Aside from the role assignments being correct, there are just a few other things to check:

  1. Is your app using the latest code in our repo? I just recently pushed a change to support system-assigned MI for the embedding dependency, so if your app was deployed prior to the merging of PR #1041 you may need to sync with the latest as a part of the mitigation.
  2. When using system assigned managed identity, you need to also be sure to delete the keys from your environment. I just deployed a webapp from the Azure OpenAI Studio and did not see keys added to the environment as of today, but you should double check your App Service environment variables to be sure none of the keys are there. If they are set, you can just delete them and restart the app. The relevant environment variables are AZURE_OPENAI_KEY, AZURE_SEARCH_KEY, and AZURE_OPENAI_EMBEDDING_KEY.

What @raju-celerinn has suggested would also work, if you are okay with continuing to use keys. However, for system-assigned MI the most important thing is to be sure that role assignments are correct on resources, you're using the latest code, and the environment does not contain any keys.

Let me know if this helps.

iamramengirl commented 1 month ago

The engineering team is currently working on this and will roll out a fix in about 2 weeks' time.

For the time being, there is a workaround for this, if anyone is referencing this issue.

I. RBAC access control

If your Azure AI Search resource is using Role Based Access Control, you have to allow each service identity-based access to each other. The steps I followed are:

  1. Verify that the API access control configuration of the Azure AI Search is RBAC or both.
  2. Enable the MI (Managed Identity) for Azure OpenAI and AI Search resources and grant the required RBAC permission following the chart in this documentation: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#role-assignments. Note: The Web App should have automatically been assigned an MI already so there is no need to enable this manually. After which, assign the required RBAC permission for the web app's MI on the Azure OpenAI resource following the above table.

II. API keys access control

Alternatively, if your AI Search resource's access control is configured to API keys only, it is required to manually configure the web app environment variable AZURE_SEARCH_KEY as this will be assigned no value by default. If this variable is empty, the authentication to AI search appears to revert to Role-based access by default. Please also ensure that the AZURE_OPENAI_KEY environment variable is populated.

Hope this helps.

harshbangad commented 4 weeks ago

I was able to add the roles through the Azure portal and got it working. Just a note to add: some of the permissions did not have the option at resource level, but at subscription/resource group level. Hopefully Microsoft fixes this soon. Thanks for the help.

chengyuliu-msft commented 3 weeks ago

Thanks @iamramengirl. It works!!!

Number9Solutions commented 1 week ago

@iamramengirl , you mentioned that someone was working on a fix. Is this still in progress?

imsantoshg commented 1 week ago

For the ones who could not apply the workaround, as it's a bit difficult to understand in the first place. I had to seek help from GPT to apply it step by step.

  1. Verify that the API access control configuration of the Azure AI Search is RBAC or both.

--- Inside Azure Search > Visit Keys > API Access control > Select RBAC or both

  2. When it comes to applying the permissions from the table suggested above, follow here.

1. Search Index Data Reader Role for Azure OpenAI on Azure AI Search

2. Search Service Contributor Role for Azure OpenAI on Azure AI Search

3. Storage Blob Data Contributor Role for Azure OpenAI on Storage Account

4. Cognitive Services OpenAI Contributor Role for Azure AI Search on Azure OpenAI

5. Storage Blob Data Reader Role for Azure AI Search on Storage Account

6. Cognitive Services OpenAI User Role for Web App on Azure OpenAI

Summary:

Each step involves navigating to the relevant Azure resource, accessing the "Access control (IAM)" section, and adding the appropriate role for the managed identity of another service that needs to interact with it. This setup ensures that each service can perform its necessary functions, such as reading data, querying schemas, creating resources, and invoking custom skills, while maintaining security through Azure's RBAC system.
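Building on @abhahn's az role assignment command above and the six role assignments @imsantoshg lists, here is an added Python check (not code from the sample-app-aoai-chatGPT repo) that compares the assignments actually present against the required set and emits the az commands for the missing ones, treating a resource-group or subscription scope as covering the resources beneath it. The resource IDs, principal IDs and the sample assignment list are constructed placeholders, and --assignee-principal-type is an extra flag not in the thread's command.

```python
"""Find which RBAC assignments for Azure OpenAI On Your Data are missing and
render the `az role assignment create` commands that would add them.
Added example; IDs and the sample assignment list below are constructed."""
import json

# Required (role, assignee principal, target resource) triples, as listed in
# the thread for Azure OpenAI, AI Search, the storage account and the web app.
REQUIRED = [
    ("Search Index Data Reader",              "aoai",   "search"),
    ("Search Service Contributor",            "aoai",   "search"),
    ("Storage Blob Data Contributor",         "aoai",   "storage"),
    ("Cognitive Services OpenAI Contributor", "search", "aoai"),
    ("Storage Blob Data Reader",              "search", "storage"),
    ("Cognitive Services OpenAI User",        "webapp", "aoai"),
]

# Constructed placeholder IDs. In a real run take the resource IDs from
# `az resource show` and the principal IDs from each resource's identity.
RESOURCE_IDS = {
    "aoai":    "/subscriptions/SUB-ID/resourceGroups/RG/providers/Microsoft.CognitiveServices/accounts/my-aoai",
    "search":  "/subscriptions/SUB-ID/resourceGroups/RG/providers/Microsoft.Search/searchServices/my-search",
    "storage": "/subscriptions/SUB-ID/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/mystorage",
}
PRINCIPAL_IDS = {
    "aoai":   "11111111-1111-1111-1111-111111111111",
    "search": "22222222-2222-2222-2222-222222222222",
    "webapp": "33333333-3333-3333-3333-333333333333",
}

# Constructed sample of `az role assignment list --all -o json` output, trimmed
# to the fields used here. Two of the six assignments exist; one of them was
# granted at resource-group scope, which still covers the resource.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Search Index Data Reader",
     "principalId": PRINCIPAL_IDS["aoai"],
     "scope": RESOURCE_IDS["search"]},
    {"roleDefinitionName": "Cognitive Services OpenAI User",
     "principalId": PRINCIPAL_IDS["webapp"],
     "scope": "/subscriptions/SUB-ID/resourceGroups/RG"},
])


def scope_covers(granted_scope: str, resource_id: str) -> bool:
    """Assignments at subscription or resource-group scope are inherited by
    resources beneath them, so compare by path prefix (case-insensitive)."""
    g, r = granted_scope.lower().rstrip("/"), resource_id.lower()
    return r == g or r.startswith(g + "/")


def missing_assignments(assignments_json: str, required=REQUIRED):
    """Return the required triples that no existing assignment satisfies."""
    existing = json.loads(assignments_json)
    missing = []
    for role, assignee, resource in required:
        satisfied = any(
            a["roleDefinitionName"] == role
            and a["principalId"] == PRINCIPAL_IDS[assignee]
            and scope_covers(a["scope"], RESOURCE_IDS[resource])
            for a in existing
        )
        if not satisfied:
            missing.append((role, assignee, resource))
    return missing


def az_commands(missing):
    """Render the az CLI command from the thread for each missing triple.
    --assignee-principal-type is added so az does not need a Graph lookup."""
    return [
        f"az role assignment create --assignee-object-id {PRINCIPAL_IDS[assignee]} "
        f"--assignee-principal-type ServicePrincipal "
        f'--role "{role}" --scope {RESOURCE_IDS[resource]}'
        for role, assignee, resource in missing
    ]


if __name__ == "__main__":
    for cmd in az_commands(missing_assignments(SAMPLE_ASSIGNMENTS)):
        print(cmd)
```

Run it after `az role assignment list --all -o json > assignments.json` and feed that file to missing_assignments to see which of the six the deployment is missing.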

iamramengirl commented 1 week ago

@Number9Solutions Per the last communication with Engineering team, it should be fixed by this time. However, I have not tested yet.

@imsantoshg I'm sorry the workaround steps were not easy to understand. I believe this documentation link summarizes the required RBAC for each service. https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#role-assignments.

jppech commented 6 days ago
(screenshot attached)

issue is still not fixed :(

niallmcnulty commented 6 days ago

I redeployed the app, and it is working for me on an existing web app.

I then tried it on a new webapp and got the same error (exactly the same settings as the working one)

joacosnchz commented 3 days ago

Hi @harshbangad , I just want to confirm a few details with you about your app configuration to see if we can determine a workaround on the webapp side while we are working out issues on the studio deployment side.

  1. Is the Azure Search index you're using a vector index?
  2. Can you confirm that you are attempting to use system-assigned managed identity for authentication between resources?
  3. Could you tell me which of the following variables are set in your environment? I don't need specific values, just whether or not they are set: AZURE_OPENAI_EMBEDDING_ENDPOINT, AZURE_OPENAI_EMBEDDING_KEY, AZURE_OPENAI_EMBEDDING_NAME, AZURE_OPENAI_KEY, AZURE_SEARCH_KEY
  4. If attempting to use MI, can you confirm the following RBAC settings on each resource?

Role                           | Assignee                 | Resource
Search Index Data Reader       | Azure OpenAI (Inference) | Azure AI Search
Search Service Contributor     | Azure OpenAI (Inference) | Azure AI Search
Cognitive Services OpenAI User | Web app                  | Azure OpenAI (Inference)

This solved it for me. The created web app deployment did not include some of these environment variables so I had to fill them manually.

In my case, I kept the API key authentication. I had to fill AZURE_SEARCH_KEY using the key that appears under Azure Search resource > Settings > Keys, and AZURE_OPENAI_EMBEDDING_NAME with the name of the deployed embedding model, in my case text-embedding-ada-002.

Hope this helps for future reference.