Use Azure OpenAI without keys
Application requests to most Azure services must be authenticated with keys or passwordless connections. Developers must be diligent to never expose the keys in an insecure location. Anyone who gains access to the key is able to authenticate to the service. Keyless authentication offers improved management and security benefits over the account key because there's no key (or connection string) to store.
Keyless connections are enabled with the following steps:
- Configure your authentication.
- Set environment variables, as needed.
- Use an Azure Identity library credential type to create an Azure OpenAI client object.
Authentication
Authentication to Microsoft Entra ID is required to use the Azure client libraries.
Authentication differs based on the environment in which the app is running:
Azure OpenAI Keyless Building Block
Use the following link to explore the Azure OpenAI Keyless Building Block AI template. This template provisions an Azure OpenAI account with your user account RBAC role permission for keyless (Microsoft Entra) authentication to access the OpenAI API SDKs.
Note
This article uses one or more AI app templates as the basis for the examples and guidance in the article. AI app templates provide you with well-maintained, easy to deploy reference implementations that help to ensure a high-quality starting point for your AI apps.
Authenticate for local development
Select a tool for authentication during local development.
Authenticate for Azure-hosted environments
Learn about how to manage the DefaultAzureCredential for applications deployed to Azure.
Configure roles for authorization
Find the role for your usage of Azure OpenAI. Depending on how you intend to set that role, you need either the name or the ID. For Azure CLI or Azure PowerShell, you can use the role name. For Bicep, you need the role ID. Use the following table to select a role and ID.
Use case          Role name                               Role ID
Assistants        Cognitive Services OpenAI Contributor   a001fd3d-188f-4b5d-821b-7da978bf7442
Chat completions  Cognitive Services OpenAI User          5e0bd9bd-7b93-4f28-af87-19fc36ad61bd
Select an identity type to use.
- Personal identity: This is your personal identity tied to your sign-in to Azure.
- Managed identity: This is an identity managed by and created for use on Azure. For managed identity, create a user-assigned managed identity. When you create the managed identity, you need the Client ID, also known as the app ID.
To find your personal identity, use one of the following commands. Use the ID as the <identity-id> in the next step. For local development, to get your own identity ID, use the following command. You need to sign in with az login before using this command.
az ad signed-in-user show \
    --query id -o tsv
Assign the role-based access control (RBAC) role to the identity for the resource group.
To grant your identity permissions to your resource through RBAC, assign a role using the Azure CLI command az role assignment create.
az role assignment create \
    --role "Cognitive Services OpenAI User" \
    --assignee "<identity-id>" \
    --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"
Where applicable, replace <identity-id>, <subscription-id>, and <resource-group-name> with your actual values.
Configure environment variables
To connect to Azure OpenAI, your code needs to know your resource endpoint, and may need other environment variables.
Create an environment variable for your Azure OpenAI endpoint.
AZURE_OPENAI_ENDPOINT: This URL is the access point for your Azure OpenAI resource.
Create environment variables based on the location in which your app runs:
Location     Identity                         Description
Local        Personal                         For local runtimes with your personal identity, sign in to create your credential with a tool.
Azure cloud  User-assigned managed identity   Create an AZURE_CLIENT_ID environment variable containing the client ID of the user-assigned managed identity to authenticate as.
Install Azure Identity client library
Use the following link to install the Azure Identity client library.
Install the .NET Azure Identity client library:
dotnet add package Azure.Identity
Use DefaultAzureCredential
The Azure Identity library's DefaultAzureCredential allows the customer to run the same code in the local development environment and in the Azure cloud. For more information on DefaultAzureCredential for .NET, see Azure Identity client library for .NET.
using Azure;
using Azure.AI.OpenAI;
using Azure.Identity;
using System;
using static System.Environment;

// Resource endpoint, for example https://<resource-name>.openai.azure.com/
string endpoint = GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT")
    ?? throw new InvalidOperationException("AZURE_OPENAI_ENDPOINT is not set.");

// DefaultAzureCredential obtains a Microsoft Entra token from the environment:
// a developer tool sign-in locally, the managed identity when hosted on Azure.
OpenAIClient client = new(new Uri(endpoint), new DefaultAzureCredential());
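As an added example (not code from the article, the AI app template, or the Azure SDK), the following program carries the snippet above through to a working request. It validates the endpoint variable, configures DefaultAzureCredential so that the user-assigned managed identity named by AZURE_CLIENT_ID is selected explicitly when the app runs on Azure, checks that the credential can obtain a token before any request is made, and separates an authentication failure (no token) from an authorization failure (401/403, meaning the RBAC role from the table above is missing). The deployment-name variable AZURE_OPENAI_DEPLOYMENT, the token scope https://cognitiveservices.azure.com/.default, and the Azure.AI.OpenAI 1.x chat API (ChatCompletionsOptions, GetChatCompletionsAsync) are assumptions of this example and are not stated on the page.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.AI.OpenAI;
using Azure.Core;
using Azure.Identity;

// Added example: keyless Azure OpenAI access with DefaultAzureCredential.
// AZURE_OPENAI_ENDPOINT and AZURE_CLIENT_ID are the variables the article describes;
// AZURE_OPENAI_DEPLOYMENT and the token scope below are assumptions of this example.
public static class KeylessOpenAI
{
    // Scope requested from Microsoft Entra ID for Azure OpenAI (assumption).
    private const string OpenAIScope = "https://cognitiveservices.azure.com/.default";

    // Read a required setting or fail fast with a clear message, instead of
    // letting new Uri(null) or the SDK raise a less obvious exception later.
    public static string RequireSetting(string name)
    {
        string? value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Environment variable {name} is not set.");
        return value;
    }

    // DefaultAzureCredential already honours AZURE_CLIENT_ID, but passing
    // ManagedIdentityClientId makes the choice of user-assigned identity explicit
    // and easy to see when debugging an authorization failure on Azure.
    // Locally the variable is unset, so the developer tool sign-in is used instead.
    public static DefaultAzureCredential BuildCredential()
    {
        var options = new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"),
        };
        return new DefaultAzureCredential(options);
    }

    // Confirm that the chosen identity can get a token for Azure OpenAI at all.
    // A failure here is an authentication problem (no sign-in, wrong identity);
    // a 401/403 from the service afterwards is an authorization (RBAC) problem.
    public static async Task<DateTimeOffset> VerifyTokenAsync(TokenCredential credential)
    {
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { OpenAIScope }), default);
        return token.ExpiresOn;
    }

    // One chat completion against the named deployment (Azure.AI.OpenAI 1.x API).
    public static async Task<string> AskAsync(OpenAIClient client, string deployment, string question)
    {
        var options = new ChatCompletionsOptions
        {
            DeploymentName = deployment,
            Messages =
            {
                new ChatRequestSystemMessage("You are a concise assistant."),
                new ChatRequestUserMessage(question),
            },
        };
        Response<ChatCompletions> response = await client.GetChatCompletionsAsync(options);
        return response.Value.Choices[0].Message.Content;
    }

    public static async Task Main()
    {
        string endpoint = RequireSetting("AZURE_OPENAI_ENDPOINT");
        string deployment = RequireSetting("AZURE_OPENAI_DEPLOYMENT");

        DefaultAzureCredential credential = BuildCredential();
        DateTimeOffset expires = await VerifyTokenAsync(credential);
        Console.WriteLine($"Token acquired; expires {expires:u}");

        // No key anywhere: the client attaches the Entra token to each request.
        OpenAIClient client = new(new Uri(endpoint), credential);
        try
        {
            Console.WriteLine(await AskAsync(client, deployment, "What is a managed identity?"));
        }
        catch (RequestFailedException ex) when (ex.Status is 401 or 403)
        {
            // Authenticated, but this identity lacks the RBAC role on the resource.
            Console.Error.WriteLine(
                $"Authorization failed ({ex.Status}): assign the Cognitive Services OpenAI User role to this identity.");
        }
    }
}
```

Run it locally after az login with AZURE_OPENAI_ENDPOINT and AZURE_OPENAI_DEPLOYMENT set; on Azure, set AZURE_CLIENT_ID to the client ID of the user-assigned managed identity and nothing else changes. The token check is deliberately done before the first request so that a missing sign-in or a wrong identity surfaces as a credential error rather than as a confusing service response.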