Unable to access AzureOpenAI

Kannanc 0

I have a AzureOpenAI Chat playground setup with a deployment of gpt-4o model. I am trying to access it to integrate with our application, but unable to access it. I have a Cognitive Services OpenAI contributor role assigned for OpenAI Service access, and contributor role to the resource group. But I am receiving the following error while attempt to access:

openai.AuthenticationError: Error code: 401 - {'error': {'code': 'PermissionDenied', 'message': 'Principal does not have access to API/Operation.'}}

What might be wrong?

Saideep Anchuri 705 Reputation points Microsoft Vendor

2024-12-24T14:06:03.4366667+00:00

Hi Kannanc

Welcome to Microsoft Q&A Forum, thank you for posting your query here!

I understand that you are encountering an issue, it seems that there may be an issue with the authentication process when attempting to access the Azure OpenAI service. Even the Cognitive Services OpenAI Contributor role has been assigned, ensure that the user or service principal you're using for authentication has the required permissions that is making the API calls. You can check this in the Azure portal under the "Access control (IAM)" section of your Azure OpenAI resource.

Kindly refer the below documentation: https://learn.microsoft.com/en-us/azure/ai-studio/concepts/rbac-ai-studio#troubleshooting

Thank You.
Kannanc 0 Reputation points

2024-12-24T14:56:01.59+00:00

Sorry, this answer is not helpful.
Saideep Anchuri 705 Reputation points Microsoft Vendor

2024-12-24T15:57:04.4766667+00:00
Hi Kannanc

Sorry for the inconvenience. Ideally in a public resource, A cognitive service OpenAI contributor on user and any target resources (e.g. A custom webapp) can enable inference on the endpoint but if it is secured against virtual network then user and resource also have minimal virtual network permission to interact over virtual network.

Virtual network minimal roles for user and webapp.

"Microsoft.Network/*/read" on the virtual network resource. This permission isn't needed for Azure Resource Manager (ARM) template deployments.

"Microsoft.Network/virtualNetworks/join/action" on the virtual network resource.

"Microsoft.Network/virtualNetworks/subnets/join/action" on the subnet resource.

Could you confirm whether it is public or private resource one.

Thank You.
Saideep Anchuri 705 Reputation points Microsoft Vendor

2024-12-26T03:31:59.4933333+00:00

Hi Kannanc

Following up to see if the above answer was helpful

Thank You.
Kannanc 0 Reputation points

2024-12-26T10:33:51.1233333+00:00

It's a public resource
Saideep Anchuri 705 Reputation points Microsoft Vendor

2024-12-26T10:57:52.8233333+00:00
Hi Kannanc

Earlier, Inference with Entra default credential as mentioned below was not supported either in cognitive services OpenAI contributor or cognitive services contributor.

FYI: They seem to have enable Entra inference on 26th Dec 2024 today.

import os from openai import AzureOpenAI from azure.identity import DefaultAzureCredential, get_bearer_token_provider token_provider = get_bearer_token_provider( DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default" ) client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), azure_ad_token_provider=token_provider, api_version="2024-10-21" )

You can opt for API key-based authentication instead of Entra authentication are not working in webapp. You can create environment variable to use os.getenv steps.

import os from openai import AzureOpenAI client = AzureOpenAI( api_key=os.getenv("AZURE_OPENAI_API_KEY"), api_version="2024-10-21", azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT") )

Please add Cognitive Services OpenAI contributor on the webapp also to see the difference

Thank You.
Saideep Anchuri 705 Reputation points Microsoft Vendor

2024-12-27T07:25:01.96+00:00

Hi Kannanc

We haven’t heard from you on the last response and was just checking back to see if the give response was helpful.

Thank You.
Kannanc 0 Reputation points

2024-12-27T09:20:33.8433333+00:00
The problem is not resolved yet. Key based access is explicitly blocked as per company policy, and with the above said roles assigned, I am trying to access using managed identity. So, my code looks like as below:

token_provider = get_bearer_token_provider( DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default" ) client = AzureOpenAI( azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"), azure_ad_token_provider=token_provider, api_version="2024-10-21" )

The network access has been granted to the subnet, where my VM is provisioned. But still I am unable to access with the following error. Still I am not able to find the root-cause

openai.AuthenticationError: Error code: 401 - {'error': {'code': 'PermissionDenied', 'message': 'Principal does not have access to API/Operation.'}}
Saideep Anchuri 705 Reputation points Microsoft Vendor

2024-12-30T03:13:35.03+00:00
Hi Kannanc

I recommend reporting this issue to the Azure support team. They will be able to investigate the issue further and provide a more targeted solution. You can report the issue by following these steps:

Go to the Azure portal and navigate to your OpenAI Service resource.

Click on the "Support + troubleshooting" tab.

Fill out the required information, including a detailed description of the issue and any steps you have taken to troubleshoot it.

Submit the support request.

The Azure support team will review your request and provide assistance as soon as possible.

Thank You.
Kannanc 0 Reputation points

2024-12-30T13:00:40.2433333+00:00

Sure, thank you!

Share via

Unable to access AzureOpenAI

Your answer