sample-app-aoai-chatGPT
Issues in "use your data securely"
In this document: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely
It claims: "If you plan to only secure part of your resources, you can skip the sections unrelated to your use case." However, this is an overclaim. In fact, we have found in several cases that if you miss a step, some seemingly unrelated components break.
Issue 1: Ingestion service undocumented logic
- Sets up AzSearch skillsets using key auth if the AOAI submit ingestion job is called using key auth.
- Sets up AzSearch skillsets using managed identity if the AOAI submit ingestion job is called without a key (that means AAD auth).
As a result: without the skillset managed identity, the AOAI trusted service won't work, and then the custom skill web API call will fail on the AOAI network restriction, like below.
Issue 2: AOAI Studio undocumented logic
The key is not sent (thus using AAD auth) if the following conditions are met:
- AOAI has system assigned managed identity.
- AOAI system assigned managed identity has data reader role on search resource.
- AOAI system assigned managed identity has service contributor role to search resource.
As a result: if some role assignments are missing, the AOAI submit ingestion job is called using key auth, and then, chaining with issue 1, the ingestion job will fail.
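
A pre-flight check for the chain described in issues 1 and 2, added here as an example (it is not code from the issue author or from Microsoft). It assumes the "data reader" and "service contributor" roles are the Azure built-in roles `Search Index Data Reader` and `Search Service Contributor`, that the input is shaped like `az cognitiveservices account show` and `az role assignment list --all` output, and that AOAI network restriction is enabled; all resource IDs are constructed placeholders.

```python
import json

# Assumption: the "data reader" and "service contributor" roles named in the
# issue are these Azure built-in roles.
REQUIRED_ROLES = {"Search Index Data Reader", "Search Service Contributor"}

def scope_covers(assigned, target):
    """RBAC assignments are inherited by child scopes (compare whole path segments)."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def unmet_conditions(aoai_account, assignments, search_id):
    """Issue 2: list the conditions that are not met for Studio to skip the key."""
    identity = aoai_account.get("identity") or {}
    # The type string can also be "SystemAssigned, UserAssigned".
    if "SystemAssigned" not in (identity.get("type") or ""):
        return ["system assigned managed identity"] + sorted(REQUIRED_ROLES)
    held = {a["roleDefinitionName"] for a in assignments
            if a.get("principalId") == identity.get("principalId")
            and scope_covers(a["scope"], search_id)}
    return sorted(REQUIRED_ROLES - held)

def predict(aoai_account, assignments, search_id, aoai_network_restricted=True):
    """Chain issue 2 into issue 1 and report how the ingestion job will behave."""
    unmet = unmet_conditions(aoai_account, assignments, search_id)
    job_auth = "key" if unmet else "aad"                 # issue 2: Studio's choice
    skillset_auth = "key" if job_auth == "key" else "managed identity"  # issue 1
    return {"unmet": unmet, "job_auth": job_auth, "skillset_auth": skillset_auth,
            "ingestion_fails": skillset_auth == "key" and aoai_network_restricted}

# Constructed sample input; every ID below is a placeholder.
RG = "/subscriptions/0000/resourceGroups/rg-demo"
SEARCH_ID = RG + "/providers/Microsoft.Search/searchServices/search-demo"
AOAI = json.loads('{"identity": {"type": "SystemAssigned", "principalId": "aoai-mi"}}')
ASSIGNMENTS = [
    {"principalId": "aoai-mi", "roleDefinitionName": "Search Index Data Reader",
     "scope": SEARCH_ID},
    # Assigned on a sibling resource group: must not count as covering rg-demo.
    {"principalId": "aoai-mi", "roleDefinitionName": "Search Service Contributor",
     "scope": RG + "2"},
]

if __name__ == "__main__":
    print(json.dumps(predict(AOAI, ASSIGNMENTS, SEARCH_ID), indent=2))
```

A non-empty `unmet` list names what to fix before submitting the ingestion job, so the skillset is created with managed identity rather than key auth.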