Add support for managed identity #190

Open
JayDoubleu opened this issue Aug 22, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@JayDoubleu

It would be great to allow access via managed identity instead of API keys in environment variables, which is considered a bad security practice.

@sarah-widder sarah-widder added the enhancement New feature or request label Aug 30, 2023
@SPSCS-Simon

This would be invaluable for my client that is very security conscious! Zero Trust right.... alongside private networking as it becomes available.

The intent is that either using user_impersonation at the App Registration/API Permission level, such that the Web App impersonates the user, or just the Managed Identity of the WebApp, that this passes through to the Open AI, Search & Cosmos DB as applicable, and all the way through to the storage account so specific Open AI Deployments can be End-to-End permission isolated.

@JayDoubleu
Author

This should be incredibly easy to implement btw, as there are already other apps using the MSI method when there is no API key specified:

https://github.com/Azure-Samples/chatgpt-quickstart/blob/7a95c20c979f83aaf122978732204f96b4564198/src/quartapp/chat.py#L12

```python
import os

import azure.identity.aio
import openai

# `bp` is the Quart blueprint defined elsewhere in chat.py.
@bp.before_app_serving
async def configure_openai():
    openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT")
    openai.api_version = "2023-03-15-preview"
    if os.getenv("AZURE_OPENAI_KEY"):
        # Key-based auth, used only when a key is present in the environment.
        openai.api_type = "azure"
        openai.api_key = os.getenv("AZURE_OPENAI_KEY")
    else:
        # No key configured: authenticate with Azure AD instead.
        openai.api_type = "azure_ad"
        if client_id := os.getenv("AZURE_OPENAI_CLIENT_ID"):
            # User-assigned managed identity, selected by client ID.
            default_credential = azure.identity.aio.ManagedIdentityCredential(client_id=client_id)
        else:
            default_credential = azure.identity.aio.DefaultAzureCredential(exclude_shared_token_cache_credential=True)
        token = await default_credential.get_token("https://cognitiveservices.azure.com/.default")
        openai.api_key = token.token
```
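
The snippet above acquires its Azure AD token once, at startup, and Azure AD access tokens are short-lived, so a long-running web app has to renew the token before it expires. The following is an added example, not code from this repository or from chatgpt-quickstart: `RefreshingToken`, the 300-second margin, and the constructed `FakeCredential` (which stands in for a managed identity credential so the block runs offline) are all assumptions.

```python
import asyncio
import time
import types

SCOPE = "https://cognitiveservices.azure.com/.default"  # scope used in the snippet above

class RefreshingToken:
    """Caches a token from any credential exposing async get_token(scope) and
    renews it `margin` seconds before expires_on (epoch seconds)."""

    def __init__(self, credential, scope=SCOPE, margin=300, clock=time.time):
        self._credential, self._scope = credential, scope
        self._margin = margin   # assumption: renew 5 minutes early
        self._clock = clock     # injectable so expiry is testable offline
        self._cached = None
        self._lock = asyncio.Lock()

    def _fresh(self):
        c = self._cached
        return c is not None and c.expires_on - self._margin > self._clock()

    async def get(self):
        if not self._fresh():
            async with self._lock:       # single refresh under concurrent requests
                if not self._fresh():    # another task may have refreshed meanwhile
                    self._cached = await self._credential.get_token(self._scope)
        return self._cached.token

class FakeCredential:
    """Constructed stand-in for a managed identity credential; runs offline."""
    def __init__(self, clock, lifetime=3600):
        self.calls, self._clock, self._lifetime = 0, clock, lifetime

    async def get_token(self, *scopes):
        self.calls += 1
        await asyncio.sleep(0)           # yield, like a real network call would
        return types.SimpleNamespace(token=f"tok-{self.calls}",
                                     expires_on=self._clock() + self._lifetime)

async def demo():
    now = [1_000_000.0]                  # constructed clock, in epoch seconds
    cred = FakeCredential(lambda: now[0])
    cache = RefreshingToken(cred, clock=lambda: now[0])
    first = await asyncio.gather(*(cache.get() for _ in range(5)))
    now[0] += 3400                       # token now inside the renewal margin
    later = await cache.get()
    return first, later, cred.calls

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

With a real credential from `azure.identity.aio` in place of `FakeCredential`, the value of `await cache.get()` would be assigned to `openai.api_key` before each request rather than once in `configure_openai`.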

@DOliana
Contributor

DOliana commented Jun 7, 2024

I think MSI authentication for app -> openAI is in place (see code). I couldn't find anything similar for access of AI Search though in the code.
It's not regarded in the startup though, where the key environment variables are mandatory (at least for search + openai as I could see). I am not that strong in Python (structure etc.) but if anyone can point me in the right direction, I am happy to collaborate.
