azure-search-openai-demo
Principal does not have access to API/Operation
Please provide us with the following information:
This issue is for a: (mark with an x)
- [X] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
Another person has created the site. My task is to just upload content and to rebuild index.
azd auth login
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
.../scripts/prepdocs.ps1
I get same result even if I set AZURE_PRINCIPAL_ID="Object id of MY user account"
I get same result even if I set AZURE_PRINCIPAL_ID="Object id of the environment creator user account"
Any log messages given by the failure
Search index gptkbindex already exists
Processing files...
Processing 'C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo/data\5616-05en.pdf'
Uploading blob for page 0 -> 5616-05en-0.pdf
Extracting text from 'C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo/data\5616-05en.pdf' using Azure Form Recognizer
Traceback (most recent call last):
  File "C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo\scripts\prepdocs.py", line 313, in
    page_map = get_document_text(filename)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo\scripts\prepdocs.py", line 129, in get_document_text
    poller = form_recognizer_client.begin_analyze_document("prebuilt-layout", document = f)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo\scripts.venv\Lib\site-packages\azure\core\tracing\decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo\scripts.venv\Lib\site-packages\azure\ai\formrecognizer_document_analysis_client.py", line 126, in begin_analyze_document
    return self._client.begin_analyze_document( # type: ignore
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo\scripts.venv\Lib\site-packages\azure\ai\formrecognizer_generated_operations_mixin.py", line 170, in begin_analyze_document
    return mixin_instance.begin_analyze_document(model_id, pages, locale, string_index_type, analyze_request, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo\scripts.venv\Lib\site-packages\azure\core\tracing\decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo\scripts.venv\Lib\site-packages\azure\ai\formrecognizer_generated\v2022_08_31\operations_form_recognizer_client_operations.py", line 576, in begin_analyze_document
    raw_result = self._analyze_document_initial( # type: ignore
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo\scripts.venv\Lib\site-packages\azure\ai\formrecognizer_generated\v2022_08_31\operations_form_recognizer_client_operations.py", line 507, in _analyze_document_initial
    map_error(status_code=response.status_code, response=response, error_map=error_map)
  File "C:\Users\timo.riikonen\Documents\Git\azure-search-openai-demo\scripts.venv\Lib\site-packages\azure\core\exceptions.py", line 109, in map_error
    raise error
azure.core.exceptions.ClientAuthenticationError: (PermissionDenied) Principal does not have access to API/Operation.
Code: PermissionDenied
Message: Principal does not have access to API/Operation.
Expected/desired behavior
Text extraction succeeds
OS and Version?
Windows 11
azd version?
1.0.1
Versions
2023-06-08
Mention any other details that might be useful
Thanks! We'll be in touch soon.
My permissions:
I have executed roles.sh for my account and service principal/object id. azure_credential.get_token succeeds. az account show gives correct results.
Failing command is openai.Completion.create:
Exception has occurred: AuthenticationError
Principal does not have access to API/Operation.
  File "/workspaces/azure-search-openai-demo/app/backend/approaches/chatreadretrieveread.py", line 59, in run
    completion = openai.Completion.create(
  File "/workspaces/azure-search-openai-demo/app/backend/app.py", line 106, in chat
    r = impl.run(request.json["history"], request.json.get("overrides") or {})
openai.error.AuthenticationError: Principal does not have access to API/Operation.
After running roles.sh and setting the principal id I don't get this error any more.
> After running roles.sh and setting the principal id I don't get this error any more.
Where do you get the principal id?
It is the user's object ID
If anyone else is experiencing this issue, please check the "identity" tab of your deployed app, and make sure it shows the correct role assignments for OpenAI.
Here's what it looks like for a functioning app:
Closing this issue as I don't believe there's an issue with the repo.
If anyone is coming to this GitHub Issue, but is receiving the same error for the built-in Azure OpenAI "Playground" app, do the same as @pamelafox suggests, but instead of assigning the WebApp name, assign the individual users/groups.
I had to assign an AAD Group to the Cognitive Services OpenAI User Role in the Azure OpenAI resource itself.
This is because the Playground does not have an assignable Service Principal. It seems like it passes the logged in User Principal instead.
how do I do this?
> I had to assign an AAD Group to the Cognitive Services OpenAI User Role in the Azure OpenAI resource itself.
plus, I am owner, is this not enough? besides, it says PRINCIPAL user which is not the logged-in user, right?
I have "checked" the role assignments but I have no idea what it should be set to, looks pretty much the same as in @pamelafox screenshot.
> I had to assign an AAD Group to the Cognitive Services OpenAI User Role in the Azure OpenAI resource itself.
I tried this but it didn't work for me. I had to assign the role Cognitive Services OpenAI Contributor rather than User.
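Added example, not part of the thread or of the repository's code: a Python diagnostic for the two questions raised above, namely which principal the token actually carries (the `oid` claim) and whether that principal, directly or through a group, holds one of the two roles named in this thread at or above the Azure OpenAI resource. The token, GUIDs, resource names and the helper names are constructed placeholders; the assignment records use the field names of `az role assignment list -o json`.

```python
import base64
import json

# Roles this thread reports as resolving the error on the Azure OpenAI resource.
OPENAI_ROLES = {"Cognitive Services OpenAI User", "Cognitive Services OpenAI Contributor"}


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying it (diagnostics only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def matching_assignments(assignments, principal_ids, resource_id):
    """Return assignments giving any of principal_ids one of OPENAI_ROLES at the
    resource itself or at an enclosing scope (resource group, subscription)."""
    ids = {p.lower() for p in principal_ids}
    target = resource_id.lower().rstrip("/")
    hits = []
    for a in assignments:
        scope = a["scope"].lower().rstrip("/")
        in_scope = target == scope or target.startswith(scope + "/")
        if a["principalId"].lower() in ids and in_scope and a["roleDefinitionName"] in OPENAI_ROLES:
            hits.append(a)
    return hits


def _fake_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample data; every GUID and resource name is a placeholder.
USER_OID = "11111111-1111-1111-1111-111111111111"
GROUP_OID = "22222222-2222-2222-2222-222222222222"
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
OPENAI_ID = RG + "/providers/Microsoft.CognitiveServices/accounts/openai-example"
ASSIGNMENTS = [
    {"principalId": USER_OID, "roleDefinitionName": "Owner", "scope": RG},
    {"principalId": GROUP_OID, "roleDefinitionName": "Cognitive Services OpenAI User", "scope": OPENAI_ID},
]
TOKEN = _fake_token({"oid": USER_OID})

if __name__ == "__main__":
    oid = token_claims(TOKEN)["oid"]  # object id of the principal the service evaluates
    print("principal in token:", oid)
    print("direct match:", matching_assignments(ASSIGNMENTS, [oid], OPENAI_ID))
    print("via group:", matching_assignments(ASSIGNMENTS, [oid, GROUP_OID], OPENAI_ID))
```

With the constructed data, the user holding only Owner on the resource group produces no match, while including the group's object id finds the assignment made on the OpenAI resource.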