Use Azure OpenAI without keys

Application requests to most Azure services must be authenticated with keys or passwordless connections. Developers must be diligent to never expose the keys in an insecure location: anyone who gains access to the key is able to authenticate to the service. Keyless authentication offers improved management and security benefits over the account key because there's no key (or connection string) to store.

Keyless connections are enabled with the following steps:

  • Configure your authentication.
  • Set environment variables, as needed.
  • Use an Azure Identity library credential type to create an Azure OpenAI client object.

Authentication

Authentication to Microsoft Entra ID is required to use the Azure client libraries.

Authentication differs based on the environment in which the app is running:

  • Authenticate for local development
  • Authenticate for Azure-hosted environments

Learn about how to manage the DefaultAzureCredential for applications deployed to Azure.

Configure roles for authorization

  1. Find the role for your usage of Azure OpenAI. Depending on how you intend to set that role, you'll need either the name or ID.

    For Azure CLI or Azure PowerShell, you can use the role name. For Bicep, you need the role ID.
  2. Use the following table to select a role and ID.

    Use case          Role name                              Role ID
    Assistants        Cognitive Services OpenAI Contributor  a001fd3d-188f-4b5d-821b-7da978bf7442
    Chat completions  Cognitive Services OpenAI User         5e0bd9bd-7b93-4f28-af87-19fc36ad61bd
  3. Select an identity type to use.

    • Personal identity: This is your personal identity, tied to your Azure sign-in.
    • Managed identity: This is an identity managed by and created for use on Azure. For managed identity, create a user-assigned managed identity. When you create the managed identity, you need the Client ID, also known as the app ID.
  4. To find your personal identity, use one of the following commands. Use the ID as the <identity-id> in the next step.

    For local development, to get your own identity ID, use the following command. You need to sign in with az login before using this command.

    az ad signed-in-user show \
        --query id -o tsv
    
  5. Assign the role-based access control (RBAC) role to the identity for the resource group.

    To grant your identity permissions to your resource through RBAC, assign a role using the Azure CLI command az role assignment create.

    az role assignment create \
        --role "Cognitive Services OpenAI User" \
        --assignee "<identity-id>" \
        --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"
    

    Where applicable, replace <identity-id>, <subscription-id>, and <resource-group-name> with your actual values.

Configure environment variables

To connect to Azure OpenAI, your code needs to know your resource endpoint, and may need additional environment variables.

  1. Create an environment variable for your Azure OpenAI endpoint.

    • AZURE_OPENAI_ENDPOINT: This URL is the access point for your Azure OpenAI resource.
  2. Create environment variables based on the location in which your app runs:

    Location     Identity                        Description
    Local        Personal                        For local runtimes with your personal identity, sign in with a tool to create your credential.
    Azure cloud  User-assigned managed identity  Create an AZURE_CLIENT_ID environment variable containing the client ID of the user-assigned managed identity to authenticate as.

Install Azure Identity client library

Use the following link to install the Azure Identity client library.

Install the .NET Azure Identity client library:

dotnet add package Azure.Identity

Use DefaultAzureCredential

The Azure Identity library's DefaultAzureCredential allows the customer to run the same code in the local development environment and in the Azure Cloud.

For more information on DefaultAzureCredential for .NET, see Azure Identity client library for .NET.

using Azure;
using Azure.AI.OpenAI;
using Azure.Identity;
using System;
using static System.Environment;

// The resource endpoint comes from the environment, never from source code.
string endpoint = GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT")
    ?? throw new InvalidOperationException("AZURE_OPENAI_ENDPOINT is not set.");

// DefaultAzureCredential selects a credential for the current environment:
// your signed-in developer account locally, the managed identity when hosted in Azure.
// No key or connection string is involved at any point.
OpenAIClient client = new(new Uri(endpoint), new DefaultAzureCredential());
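The environment-variable table and the snippet above describe two distinct credential paths (personal identity locally, user-assigned managed identity in Azure). As an added example, not code from this page or from the Azure SDK, the following factory makes that split explicit by tuning DefaultAzureCredential from the same AZURE_CLIENT_ID and AZURE_OPENAI_ENDPOINT variables; the class and method names are this example's own, and it assumes the same Azure.Identity and Azure.AI.OpenAI packages the page uses.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Azure.AI.OpenAI;

// Added example (hypothetical helper, not part of the page or the SDK): build a
// DefaultAzureCredential whose chain matches where the app is running.
static class KeylessOpenAIClientFactory
{
    public static TokenCredential BuildCredential()
    {
        // AZURE_CLIENT_ID is set on the Azure-hosted app (user-assigned managed identity);
        // locally it is unset and the chain falls through to the developer's az login.
        string? managedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        bool hostedInAzure = !string.IsNullOrEmpty(managedIdentityClientId);

        var options = new DefaultAzureCredentialOptions
        {
            // Only consulted when running in Azure with a user-assigned identity.
            ManagedIdentityClientId = managedIdentityClientId,
            // Developer tooling is absent on a cloud host; excluding it avoids slow probing
            // and misleading "az login" failure messages in production logs.
            ExcludeAzureCliCredential = hostedInAzure,
            ExcludeAzurePowerShellCredential = hostedInAzure,
            ExcludeVisualStudioCredential = hostedInAzure,
            ExcludeInteractiveBrowserCredential = true,
            // Locally there is no managed identity endpoint, so skip that probe as well.
            ExcludeManagedIdentityCredential = !hostedInAzure,
        };
        return new DefaultAzureCredential(options);
    }

    public static OpenAIClient CreateClient()
    {
        string? endpoint = Environment.GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT");
        if (string.IsNullOrWhiteSpace(endpoint))
            throw new InvalidOperationException("AZURE_OPENAI_ENDPOINT is not set.");

        // No key anywhere: each request carries a token minted from the credential chain,
        // authorized by the RBAC role assigned earlier on the resource group.
        return new OpenAIClient(new Uri(endpoint), BuildCredential());
    }
}
```

If a request fails with a 401 or 403 after this wiring, check the role assignment scope and the identity's client ID before suspecting the credential chain itself.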

Sample application

Use the following link to explore an end-to-end sample. This sample provisions an Azure OpenAI account with your user account RBAC role permission for keyless (Microsoft Entra) authentication to access the OpenAI API SDKs.

Resources