Open Katerina-Chernevskaya opened 4 months ago
I am getting the same error. The chat playground works great but webapp gives the error. I have deployed to a webapp similarly before but started getting this error today. The prior deployed webapps work fine.
I am getting the same error. The chat playground works great but webapp gives the error.
@sarah-widder This is the bug I was referring to.
We are investigating. As a mitigation, can you try enabling managed identity on the Azure OpenAI resource, and adding a role assignment from Azure OpenAI's identity to the search resource? See https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely
Same here - exactly the same use case. Was working fine, now not
@wangyuantao Tried that. Enabled identity for both search and open ai resource. Also redeployed web app. The error changed but still not working. Attaching screenshot
@wangyuantao have the same error (initial one) and tried your workaround - got the same error as @harshbangad above
There are some known issues in AOAI Studio for the "deploy web app" feature. Please file support tickets so the support team can troubleshoot and suggest a workaround.
@wangyuantao Can you please add someone from that team or add the link for the same? Thank you.
Still occurring, could someone please update on the status of this issue?
@aahill @wangyuantao @yuantao-wang @mrbullwinkle
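Hi @harshbangad , I just want to confirm a few details with you about your app configuration to see if we can determine a workaround on the webapp side while we are working out issues on the studio deployment side.
- Is the Azure Search index you're using a vector index?
- Can you confirm that you are attempting to use system-assigned managed identity for authentication between resources?
- Could you tell me which of the following variables are set in your environment? I don't need specific values, just whether or not they are set: AZURE_OPENAI_EMBEDDING_ENDPOINT, AZURE_OPENAI_EMBEDDING_KEY, AZURE_OPENAI_EMBEDDING_NAME, AZURE_OPENAI_KEY, AZURE_SEARCH_KEY
- If attempting to use MI, can you confirm the following RBAC settings on each resource?

Role | Assignee | Resource |
---|---|---|
Search Index Data Reader | Azure OpenAI (Inference) | Azure AI Search |
Search Service Contributor | Azure OpenAI (Inference) | Azure AI Search |
Cognitive Services OpenAI User | Web app | Azure OpenAI (Inference) |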
Thanks for the response @abhahn
Try using the API keys instead of managed identities. It is working
On Wednesday, August 7, 2024 10:39 AM, Harsh Bangad wrote:
Thanks for the response @abhahn
I tried the same using open ai studio as well and got the following error in adding a new data source itself. The issue is with the new role of "Cognitive services open AI User"
image.png (view on web) https://github.com/user-attachments/assets/0c138aeb-e8b3-4f56-9cf9-77bdaec86005
@harshbangad , I have also noticed that sometimes I am not able to find the correct roles in the Azure portal when attempting to do the assignment.
There is another way to do it through the az CLI which seems to always work for me. Here is the general format of the command that I sometimes use to set up my roles:

```
az role assignment create --assignee-object-id <system assigned MI object id> --role "<insert role name here>" --scope /subscriptions/<sub id>/resourceGroups/<rg name>/providers/...
```

For the above you will need to substitute your details into each command for each role you want to apply. For example, if I wanted to assign "Search Index Data Reader" to my AOAI resource, I would substitute <system assigned MI object id> with the MI object ID for my AOAI resource, use "Search Index Data Reader" as the role name, and the full resource path to my search resource (beginning with /subscriptions) as the value for scope. You can modify this command for each of the roles you want to apply for your resources. A comprehensive list of roles can be found in our docs here: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#role-assignments
Aside from the role assignments being correct, there are just a few other things to check:
1) Is your app using the latest code in our repo? I just recently pushed a change to support system-assigned MI for the embedding dependency, so if your app was deployed prior to the merging of PR #1041 you may need to sync with the latest as a part of the mitigation.
2) When using system assigned managed identity, you need to also be sure to delete the keys from your environment. I just deployed a webapp from the Azure OpenAI Studio and did not see keys added to the environment as of today, but you should double check your App Service environment variables to be sure none of the keys are there. If they are set, you can just delete them and restart the app. The relevant environment variables are AZURE_OPENAI_KEY, AZURE_SEARCH_KEY, and AZURE_OPENAI_EMBEDDING_KEY.
What @raju-celerinn has suggested would also work, if you are okay with continuing to use keys. However, for system-assigned MI the most important thing is to be sure that role assignments are correct on resources, you're using the latest code, and the environment does not contain any keys.
Let me know if this helps.
The engineering team is currently working on this and will roll out a fix in about 2 weeks' time.
For the time being, there is a workaround for this, if anyone is referencing this issue.
I. RBAC access control
If your Azure AI Search resource is using Role Based Access Control, you have to allow each service identity-based access to each other. The steps I followed are:
1) Verify that the API access control configuration of the Azure AI Search is RBAC or both.
2) Enable the MI (Managed Identity) for Azure OpenAI and AI Search resources and grant the required RBAC permission following the chart in this documentation: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#role-assignments
Note: The Web App should have automatically been assigned an MI already so there is no need to enable this manually. After which, assign the required RBAC permission for the web app's MI on the Azure OpenAI resource following the above table.

II. API keys access control
Alternatively, if your AI Search resource's access control is configured to API keys only, it is required to manually configure the web app environment variable AZURE_SEARCH_KEY as this will be assigned no value by default. If this variable is empty, the authentication to AI search appears to revert to Role-based access by default. Please also ensure that the AZURE_OPENAI_KEY environment variable is populated.
Hope this helps.
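
The conditions described in the two comments above (blank or leftover key variables, the search resource's API access control, and the role table) can be checked before redeploying. The following is an added example, not part of the thread and not code from the sample app; the function names, the `intended` and `search_access` parameters and the sample values are assumptions made for illustration.

```python
# Added example: preflight of the web app's settings, following this thread.
KEY_VARS = ("AZURE_OPENAI_KEY", "AZURE_SEARCH_KEY", "AZURE_OPENAI_EMBEDDING_KEY")
# (role, assignee, resource) rows as listed in the thread's role table.
MI_ROLES = [
    ("Search Index Data Reader", "Azure OpenAI", "Azure AI Search"),
    ("Search Service Contributor", "Azure OpenAI", "Azure AI Search"),
    ("Cognitive Services OpenAI User", "Web app", "Azure OpenAI"),
]

def is_set(env, name):
    """A setting that exists but is blank counts as unset."""
    return bool((env.get(name) or "").strip())

def preflight(env, intended, search_access, vector_index=False):
    """intended: 'managed-identity' or 'api-keys'; search_access: 'rbac', 'both' or 'keys'.
    Returns a list of findings; an empty list means the settings match the intent."""
    findings = []
    if intended == "managed-identity":
        if search_access == "keys":
            findings.append("search resource allows API keys only; select RBAC or both")
        findings += [f"{k} is set; delete it and restart the app"
                     for k in KEY_VARS if is_set(env, k)]
    else:
        findings += [f"{k} is empty; fill it in for key authentication"
                     for k in ("AZURE_OPENAI_KEY", "AZURE_SEARCH_KEY") if not is_set(env, k)]
    if vector_index and not is_set(env, "AZURE_OPENAI_EMBEDDING_NAME"):
        findings.append("AZURE_OPENAI_EMBEDDING_NAME is empty; set the embedding deployment name")
    return findings

def role_commands(object_ids, scopes):
    """One `az role assignment create` line per table row; unknown ids stay as placeholders."""
    lines = []
    for role, assignee, resource in MI_ROLES:
        oid = object_ids.get(assignee, f"<{assignee} MI object id>")
        scope = scopes.get(resource, f"<{resource} resource id>")
        lines.append(f'az role assignment create --assignee-object-id {oid} '
                     f'--role "{role}" --scope {scope}')
    return lines

if __name__ == "__main__":
    # Constructed sample: key auth intended, but two settings were left blank.
    sample = {"AZURE_OPENAI_KEY": "k", "AZURE_SEARCH_KEY": "", "AZURE_OPENAI_EMBEDDING_NAME": ""}
    for finding in preflight(sample, "api-keys", "keys", vector_index=True):
        print("FINDING:", finding)
    print("\n".join(role_commands({}, {})))
```

The `env` argument can be built from the App Service environment variables; the generated commands follow the `az role assignment create` format quoted earlier in the thread.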
I was able to add the roles through azure portal and got it working. Just a note to add, some of the permissions did not have the option at resource level but subscription/ resource group level. Hopefully Microsoft fixes this soon. Thanks for the help.
Thanks @iamramengirl. It works!!!
@iamramengirl , you mentioned that someone was working on a fix. Is this still in progress?
For the ones who could not apply the workaround, as it's a bit difficult to understand in the first place. Had to seek help from GPT to apply it step by step.
--- Inside Azure Search > Visit Keys > API Access control > Select RBAC or both

- Role: Search Index Data Reader
- Assignee: Azure OpenAI
- Resource: Azure AI Search
- Description: This role assignment allows the Azure OpenAI service to query data from the index in Azure AI Search. This is necessary when the inference service (powered by OpenAI) needs to fetch data from the search index.
- Steps to Assign: Search Index Data Reader role, Azure OpenAI as the assignee.

- Role: Search Service Contributor
- Assignee: Azure OpenAI
- Resource: Azure AI Search
- Description: This role allows Azure OpenAI to query the index schema, create indexes, data sources, skill sets, indexers, and query the status of the indexer in Azure AI Search.
- Steps to Assign: Search Service Contributor role, Azure OpenAI as the assignee.

- Role: Storage Blob Data Contributor
- Assignee: Azure OpenAI
- Resource: Storage Account
- Description: This role grants Azure OpenAI the ability to read from the input container and write preprocessed results to the output container in the Storage Account.
- Steps to Assign: Storage Blob Data Contributor role, Azure OpenAI as the assignee.

- Role: Cognitive Services OpenAI Contributor
- Assignee: Azure AI Search
- Resource: Azure OpenAI
- Description: This role allows the Azure AI Search service to act as a custom skill using the Azure OpenAI service.
- Steps to Assign: Cognitive Services OpenAI Contributor role, Azure AI Search as the assignee.

- Role: Storage Blob Data Reader
- Assignee: Azure AI Search
- Resource: Storage Account
- Description: This role assignment allows Azure AI Search to read document blobs and chunk blobs from the Storage Account, which is necessary for indexing documents.
- Steps to Assign: Storage Blob Data Reader role, Azure AI Search as the assignee.

- Role: Cognitive Services OpenAI User
- Assignee: Web app
- Resource: Azure OpenAI
- Description: This role allows the web application to use the Azure OpenAI service for inference, meaning the web app can send requests to the OpenAI service to generate responses.
- Steps to Assign: Cognitive Services OpenAI User role, Web app as the assignee.

Each step involves navigating to the relevant Azure resource, accessing the "Access control (IAM)" section, and adding the appropriate role for the managed identity of another service that needs to interact with it. This setup ensures that each service can perform its necessary functions, such as reading data, querying schemas, creating resources, and invoking custom skills, while maintaining security through Azure's RBAC system.
@Number9Solutions Per the last communication with Engineering team, it should be fixed by this time. However, I have not tested yet.
@imsantoshg I'm sorry the workaround steps were not easy to understand. I believe this documentation link summarizes the required RBAC for each service. https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#role-assignments.
issue is still not fixed :(
I redeployed the app, and it is working for me on an existing web app.
I then tried it on a new webapp and got the same error (exactly the same settings as the working one)
On Sun, 01 Sep 2024 at 17:06, jppech wrote:
Capture.d.ecran.2024-09-01.170504.png (view on web) https://github.com/user-attachments/assets/e6a51f6a-60c3-4442-9a96-2062b0a3379c
issue is still not fixed :(
Hi @harshbangad , I just want to confirm a few details with you about your app configuration to see if we can determine a workaround on the webapp side while we are working out issues on the studio deployment side.
- Is the Azure Search index you're using a vector index?
- Can you confirm that you are attempting to use system-assigned managed identity for authentication between resources?
- Could you tell me which of the following variables are set in your environment? I don't need specific values, just whether or not they are set: AZURE_OPENAI_EMBEDDING_ENDPOINT, AZURE_OPENAI_EMBEDDING_KEY, AZURE_OPENAI_EMBEDDING_NAME, AZURE_OPENAI_KEY, AZURE_SEARCH_KEY
- If attempting to use MI, can you confirm the following RBAC settings on each resource?

Role | Assignee | Resource |
---|---|---|
Search Index Data Reader | Azure OpenAI (Inference) | Azure AI Search |
Search Service Contributor | Azure OpenAI (Inference) | Azure AI Search |
Cognitive Services OpenAI User | Web app | Azure OpenAI (Inference) |
This solved it for me. The created web app deployment did not include some of these environment variables so I had to fill them manually.
In my case, I kept the api keys authentication. I had to fill AZURE_SEARCH_KEY using the key that appears on the Azure Search resource > Settings > Keys and AZURE_OPENAI_EMBEDDING_NAME with the name of the deployed embedding model, in my case text-embedding-ada-002.
Hope this helps for future reference.
I run into the same error. Filled the missing environment variables. But the error persists.
Is there any update on this issue?
Thanks @joacosnchz - Going to environment variables fixed it for me. So, this bug is still not fixed by Microsoft [deployment through Azure AI Studio is still broken]. So the process works fine for indexes which I have set up to re-index daily and update the webapp. But anytime for a new deployment or updating existing ones, it passes the keys as blank for search and open ai embedding name.
Also, is there a way to modify the indexes/job to pick only new documents while re-indexing? Every time, even if I remove older documents from source and add new ones, the app response suggests answers from both new and old documents in reference [old should ideally not be there as it's removed from the source]. How to modify this from Azure AI Studio/index job?
Describe the bug
Hi,
I hope this is the right place to ask this question. I'm experiencing a repeatable issue when deploying a web app using the button in AI Studio. Since yesterday, every time I deploy the web app and send any text, I receive the same error message:
I've tested in several tenants. Deployed resources both with Bicep scripts and manually. The issue reproduces every time.
To Reproduce
Steps to reproduce the behavior:
1) Chat section in the AI Project (assume that gpt-4 model was deployed in advance).
2) Deploy to a web app.
3) (Create a new web app or Update an existing web app) and enable chat history.
4) Deploy.

Expected behavior
The web app should reply something like "Hi" without any errors.
Screenshots
Configuration: Please provide the following
The index was created in Azure AI Search using Azure Blob Storage as data source
Output:
Logs
If the application deployment is failing, please share the deployment logs using the following az CLI command:
N/A
If the application is crashing after deployment, please share the application logs using the following az CLI command:
Output: