azure-search-openai-demo
Make it possible to deploy for accounts without owner level access
Please provide us with the following information:
This issue is for a: (mark with an x)
- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
azp up (as an employee, i.e. Microsoft)
Any log messages given by the failure
```
ERROR: deployment failed: error deploying infrastructure: failed deploying: starting deployment to subscription: PUT https://management.azure.com/subscriptions/12341234-1234-1234-1234-123412341234/providers/Microsoft.Resources/deployments/myNewOrExistingResource
RESPONSE 403: 403 Forbidden ERROR CODE: AuthorizationFailed
{ "error": { "code": "AuthorizationFailed", "message": "The client '[email protected]' with object id '12341234-1234-1234-1234-123412341234' does not have authorization to perform action 'Microsoft.Resources/deployments/write' over scope '/subscriptions/12341234-1234-1234-1234-123412341234/providers/Microsoft.Resources/deployments/myNewOrExistingResource' or the scope is invalid. If access was recently granted, please refresh your credentials." } }
```
Expected/desired behavior
Ideally (if possible), there should be a path to set up preexisting resources in Azure Portal, such as an Azure OpenAI resource, deploying specific models, etc., all of which require fewer creds than requiring a SAW machine to get write access.
(I already have all of these resources, the OpenAI service, two models, blob storage, search service). I changed the app.py to have those values. Not sure how to run/access it all.
OS and Version?
Windows 11
Versions
Mention any other details that might be useful
Thanks! We'll be in touch soon.
I agree. If the above corporate/enterprise scenario with limited rights is addressed in the reference architecture, we can get our POCs done a lot quicker when we do not have these OpenAI instances available under our MSDN subscriptions or personal ones.
I've made progress going at it manually, inserting service names and keys where referenced. However, I'm stuck on this one error in preparing the (sample) docs:
```
Ensuring search index edgegrowthopenaisearchindex exists
Traceback (most recent call last):
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 208, in
```
I've done az login. I've even hardcoded URLs in case the environment wasn't being read. I've switched the key from the query key (search service) to the admin key. They do different things, but I'm pretty sure it's the query key that's needed (the admin key produces "Unsupported credential").
I'd appreciate any hints on what key this is supposed to be, or what might cause this. I feel I'm close to getting around the blocked corp deployment (running locally).
Hi Jim, I also met this issue. Did you fix your issue? Any suggestion for me? Thanks.
@JimGaleForce, are you using your own subscription where your user is actually the owner?
There's an issue in this scenario where the expected access roles are not created and the prepdocs.py script is not able to get the index key or push files to storage.
One way to work around this is to create another User within your Azure Active Directory with the role User Access Administrator. Then log in to azd with this user and run azd up.
Let me know if that works for you.
You're a life saver, thanks mate
I've made progress going at it manually, inserting service names and keys where referenced. However, I'm stuck on this one error in preparing the (sample) docs:
```
Ensuring search index edgegrowthopenaisearchindex exists
Traceback (most recent call last):
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 208, in
    create_search_index()
  File "C:\CODE\git\azure-search-openai-demo\scripts\prepdocs.py", line 146, in create_search_index
    if args.index not in index_client.list_index_names():
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 132, in next
    return next(self._page_iterator)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\core\paging.py", line 76, in next
    self._response = self._get_next(self.continuation_token)
  File "C:\Users\jimgale\AppData\Roaming\Python\Python39\site-packages\azure\search\documents\indexes_generated\operations_indexes_operations.py", line 520, in get_next
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Authorization failed.
```
I've done az login. I've even hardcoded URLs in case the environment wasn't being read. I've switched the key from the query key (search service) to the admin key. They do different things, but I'm pretty sure it's the query key that's needed (the admin key produces "Unsupported credential").
I'd appreciate any hints on what key this is supposed to be, or what might cause this. I feel I'm close to getting around the blocked corp deployment (running locally).
@JimGaleForce - DM’d you. Would you mind sharing how you deployed it manually?
@chulahlou I had the same issue. I was logging into Azure with an account that had subscription-level role assignment of Owner. The workaround was to create and use a separate account with subscription-level role assignments of Owner and User Access Administrator. I was then able to deploy as normal.
@timmyfrazer - thanks. The issue is that the enterprise users don't have permission to elevate roles. They only have Contributor role assignments. They can create resources within an existing resource group, so I'm looking for ways to stand up the application manually.
@timmyfrazer I can confirm creating a separate account with Owner and User Access Administrator assignments allow the deployment to complete. Thank you!
I fixed it by changing the main.bicep to target an existing resource group.
Thanks @wtyeung. That also failed, as they don't have permission to assign roles. In your case, do you have Owner-level permission to run the bicep script?
Owner role in the existing resourceGroup is required. You can comment out the whole roles section and wire it up manually using keys.
Hey, @chulahlou, have you had any success deploying this on an account with the Contributor role?
@nkong6789, the action "Microsoft.Resources/deployments/write" is required. This action is part of the Owner role.
You can also create a custom-role which includes this action and assign the custom-role to the user before deployment. After deployment you can remove the custom-role.
I got this approach from @gbecerra1982
I get "A resource with the same name cannot be created in location 'eastus'. Please select a new resource name." I thought it would use the existing resources that have been set using the azd env set command.
Also agreed on this point, with extra security care on exposed storage accounts and cognitive services. PR that adds some level of validation via GitHub or ADO pipelines: https://github.com/Azure-Samples/azure-search-openai-demo/pull/329
+1 this
I am the owner of the resource group, but I'm still getting the above error.
Maybe with inspiration from https://github.com/Azure-Samples/openai-python-enterprise-logging
So some detailed steps in the documentation on adding the special role for a user with only Contributor access to the subscription would be good. This is a great example, but a lot of what it does is opaque to many of us.
Other chatgpt repo https://github.com/microsoft/azurechatgpt
Can someone explain why we even need role assignments for this repo? I mean, you can typically deploy resources just fine without them.
@Timmate You can see the roles in the bottom of infra/main.bicep:
https://github.com/Azure-Samples/azure-search-openai-demo/blob/f76673c44c63a99cc28e635663893638de3511b0/infra/main.bicep#L254
There are both user roles assigned and system roles. The user roles are primarily needed so that prepdocs.py can run locally (to process docs, compute embeddings, and upload to search index). The system roles allow the web app itself to use the OpenAI and Cognitive Search APIs, via DefaultAzureCredential and managed identity.
so, in short, we cannot deploy this app with only "Contributor" role, right?
Hi all-
We've clarified on the README that at the minimum, you need the RBAC role, or the RBAC role scoped to an existing resource group: https://github.com/Azure-Samples/azure-search-openai-demo#azure-account-requirements
We're interested to hear if your employers are able to give you that level of access (especially resource group scoped) or if that is still too high a level of access.
I also documented in another issue how to manually assign the roles in the Portal, but I assume that will only work if you have RBAC access for that RG:
https://github.com/Azure-Samples/azure-search-openai-demo/issues/634#issuecomment-1721699823
If you cannot be granted RBAC at the resource group level, then I think the only other approach is to use keys instead of managed identity. That should be possible with changes to the credentials in app.py. We generally discourage keys when possible, however, so we haven't yet enabled that in the repo.
I've granted one of our developers the Owner role for a resource group, and the Role Based Access Control Administrator (Preview) role at the resource group level. He still gets an error. Some have mentioned 'User Access Administrator'. I've granted him that role at the resource group and will report back the results.
@bosco777 Can you clarify which error they get? Just want to make sure the error they're getting is the role error. We're trying to replicate here. Thanks!
After deploying a tiny bicep file and looking at the full scope string, it appears their problem is more about the deployment not being scoped to the resource group. They are using "azd env set azure_resource_group ResourceGroupName", but the access-denied PUT Deployment is just /subscription/subscriptionid/providers/microsoft.resources/deployments/deploymentname, rather than sub/subid/resourcegroups/rgname/providers/....
Aha, you're right. Victor mentioned that above:
https://github.com/Azure-Samples/azure-search-openai-demo/issues/4#issuecomment-1546070856
I will clarify in the README that there must also be a role that allows "Microsoft.Resources/deployments/write" on the subscription level, at least temporarily.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this issue will be closed.
It can be resolved by getting access to the Search Service Contributor role.