sample-app-aoai-chatGPT

Add support for managed identity

Open JayDoubleu opened this issue 1 year ago • 3 comments

It would be great to allow access via managed identity instead of API keys in environment variables, which is considered a bad security practice.

JayDoubleu avatar Aug 22 '23 10:08 JayDoubleu

This would be invaluable for my client that is very security conscious! Zero Trust right.... alongside private networking as it becomes available.

The intent is that, either by using user_impersonation at the App Registration/API Permission level (so that the Web App impersonates the user) or by just using the Managed Identity of the Web App, this identity passes through to Open AI, Search and Cosmos DB as applicable, and all the way through to the storage account, so that specific Open AI Deployments can be end-to-end permission isolated.

SPSCS-Simon avatar Oct 26 '23 22:10 SPSCS-Simon

This should be incredibly easy to implement, by the way, as there are already other apps using the MSI method when no API key is specified:

https://github.com/Azure-Samples/chatgpt-quickstart/blob/7a95c20c979f83aaf122978732204f96b4564198/src/quartapp/chat.py#L12

import os

import azure.identity.aio
import openai
from quart import Blueprint

# `bp` is the quickstart's Quart blueprint (defined near the top of chat.py).
bp = Blueprint("chat", __name__)


@bp.before_app_serving
async def configure_openai():
    # Pre-1.0 openai SDK: configuration lives in module-level attributes.
    openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT")
    openai.api_version = "2023-03-15-preview"
    if os.getenv("AZURE_OPENAI_KEY"):
        # Legacy path: static API key from the environment.
        openai.api_type = "azure"
        openai.api_key = os.getenv("AZURE_OPENAI_KEY")
    else:
        # No key configured: use an Entra ID bearer token instead.
        openai.api_type = "azure_ad"
        if client_id := os.getenv("AZURE_OPENAI_CLIENT_ID"):
            # User-assigned managed identity, selected by its client id.
            default_credential = azure.identity.aio.ManagedIdentityCredential(client_id=client_id)
        else:
            # System-assigned managed identity in Azure, developer login locally.
            default_credential = azure.identity.aio.DefaultAzureCredential(exclude_shared_token_cache_credential=True)
        # Token for the Cognitive Services audience, passed in place of the key.
        token = await default_credential.get_token("https://cognitiveservices.azure.com/.default")
        openai.api_key = token.token

JayDoubleu avatar Oct 27 '23 15:10 JayDoubleu

I think MSI authentication for app -> openAI is in place (see code). I couldn't find anything similar for access to AI Search in the code, though. It's not regarded in the startup either, where the key environment variables are mandatory (at least for search + openai, as far as I could see). I am not that strong in Python (structure etc.), but if anyone can point me in the right direction, I am happy to collaborate.

DOliana avatar Jun 07 '24 13:06 DOliana
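The two gaps raised in this thread (the Azure OpenAI branch only, and startup validation that insists on keys) can be closed with one key-or-managed-identity resolver shared by Azure OpenAI and Azure AI Search. The block below is an added example and is not code from this sample app or from the linked quickstart. It assumes hypothetical environment variable names (AZURE_OPENAI_ENDPOINT, AZURE_OPENAI_KEY, AZURE_SEARCH_SERVICE, AZURE_SEARCH_KEY, AZURE_SEARCH_INDEX, AZURE_CLIENT_ID), uses the synchronous azure.identity credentials with the openai>=1.0 AzureOpenAI client, and hands the client a token provider callable rather than one token fetched at startup, so tokens that expire mid-run are renewed.

```python
"""Key-or-managed-identity selection for Azure OpenAI and Azure AI Search.

Added example, not the sample app's code. Assumed (hypothetical) env vars:
AZURE_OPENAI_ENDPOINT, AZURE_OPENAI_KEY, AZURE_OPENAI_API_VERSION,
AZURE_SEARCH_SERVICE, AZURE_SEARCH_KEY, AZURE_SEARCH_INDEX, AZURE_CLIENT_ID.
"""
from __future__ import annotations

from typing import Any, Callable, Mapping

# Entra ID token audiences accepted by the two services.
OPENAI_SCOPE = "https://cognitiveservices.azure.com/.default"
SEARCH_SCOPE = "https://search.azure.com/.default"

CredentialFactory = Callable[[Mapping[str, str]], Any]


def make_credential(env: Mapping[str, str]) -> Any:
    """Build an azure.identity credential (imported lazily so the module loads
    without the SDK). A user-assigned identity needs its client id; otherwise the
    default chain covers a system-assigned identity on App Service and `az login`
    on a developer machine."""
    from azure.identity import DefaultAzureCredential, ManagedIdentityCredential

    if client_id := env.get("AZURE_CLIENT_ID"):
        return ManagedIdentityCredential(client_id=client_id)
    return DefaultAzureCredential(exclude_shared_token_cache_credential=True)


def resolve_auth(env: Mapping[str, str], key_var: str, scope: str,
                 credential_factory: CredentialFactory = make_credential) -> dict[str, Any]:
    """Decide how one downstream service is authenticated.

    Key variable set: static API key (legacy path). Otherwise: managed identity.
    `token_provider` is called per request, so an expired token is replaced
    instead of a single startup token being reused until it fails."""
    if key := env.get(key_var):
        return {"mode": "key", "api_key": key}
    credential = credential_factory(env)

    def token_provider() -> str:
        return credential.get_token(scope).token

    return {"mode": "managed_identity", "credential": credential,
            "token_provider": token_provider}


def validate_startup(env: Mapping[str, str]) -> list[str]:
    """Return configuration problems found at startup; empty means ready.
    Endpoints stay mandatory; keys are optional now that MI is the fallback."""
    problems = []
    for var in ("AZURE_OPENAI_ENDPOINT", "AZURE_SEARCH_SERVICE"):
        if not env.get(var):
            problems.append(f"{var} is not set")
    return problems


def build_clients(env: Mapping[str, str]) -> tuple[Any, Any]:
    """Wire real SDK clients (openai>=1.0, azure-search-documents); imports are
    lazy so the selection logic above is testable offline."""
    from azure.core.credentials import AzureKeyCredential
    from azure.search.documents import SearchClient
    from openai import AzureOpenAI

    problems = validate_startup(env)
    if problems:
        raise RuntimeError("configuration: " + "; ".join(problems))

    oai = resolve_auth(env, "AZURE_OPENAI_KEY", OPENAI_SCOPE)
    common = dict(azure_endpoint=env["AZURE_OPENAI_ENDPOINT"],
                  api_version=env.get("AZURE_OPENAI_API_VERSION", "2024-02-01"))
    if oai["mode"] == "key":
        openai_client = AzureOpenAI(api_key=oai["api_key"], **common)
    else:
        openai_client = AzureOpenAI(azure_ad_token_provider=oai["token_provider"], **common)

    search = resolve_auth(env, "AZURE_SEARCH_KEY", SEARCH_SCOPE)
    # SearchClient takes a key wrapper or a TokenCredential directly.
    search_cred = (AzureKeyCredential(search["api_key"]) if search["mode"] == "key"
                   else search["credential"])
    search_client = SearchClient(
        endpoint=f"https://{env['AZURE_SEARCH_SERVICE']}.search.windows.net",
        index_name=env["AZURE_SEARCH_INDEX"], credential=search_cred)
    return openai_client, search_client


class FakeCredential:
    """Offline stand-in for an azure.identity credential (constructed for tests)."""

    def get_token(self, scope: str) -> Any:
        return type("Token", (), {"token": "tok:" + scope})()
```

The code only selects and wires the credential; the managed identity still has to be granted data-plane roles on the resources, for example Cognitive Services OpenAI User on the Azure OpenAI resource and Search Index Data Reader on the search service, or every request will fail with 403 even though token acquisition succeeds.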