How to access Azure OpenAI embeddings using a service principal instead of an API key

Maharjan, Narayan 0 Reputation points
2025-04-29T18:11:16.8+00:00

Recently, I have been working on using the Azure OpenAI text-embedding-3-small embedding model from the Azure Database as a stored procedure. I am using it to generate embeddings on the fly for vector queries and other purposes.

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE   PROCEDURE [dbo].[GetTextEmbedding] 
(
    @text NVARCHAR(MAX), 
    @model VARCHAR(50) = 'text-embedding-3-small', 
    @embedding VECTOR(1536) OUTPUT
)
AS
BEGIN
    DECLARE @url NVARCHAR(MAX) = 'https://<app-domain>.cognitiveservices.azure.com/openai/deployments/' + @model + '/embeddings?api-version=2023-05-15';
    DECLARE @payload NVARCHAR(MAX) = JSON_OBJECT('input': @text);
    DECLARE @response NVARCHAR(MAX);

    EXEC sp_invoke_external_rest_endpoint 
        @url = @url, 
        @method = 'POST', 
        @headers = '{"api-key":"<api-key>"}',
        @payload = @payload, 
        @response = @response OUTPUT;
    SET @embedding = CAST(JSON_QUERY(@response, '$.result.data[0].embedding') AS VECTOR(1536));
END;
GO

I was wondering if we could replace that <api-key> with a service principal, as I would like to authenticate without an API key. I am not sure if it is possible, but could you please let me know if there are any other ways where I would not need to provide an API key within this stored procedure?

Thanks in advance.

Azure AI services

1 answer

  1. JAYA SHANKAR G S 2,350 Reputation points Microsoft External Staff
    2025-04-30T11:16:36.0466667+00:00

    Hello @Maharjan, Narayan ,

    Yes, you can make a request using service principal authentication.

    Here is a sample curl command to get a token and make a request with it.

      TENANT_ID="YOUR_TENANT_ID"  
      CLIENT_ID="YOUR_CLIENT_ID"  
      CLIENT_SECRET="YOUR_CLIENT_SECRET"  
      RESOURCE="https://cognitiveservices.azure.com/.default"  
        
      # Obtain an access token  
      ACCESS_TOKEN=$(curl -X POST "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "client_id=$CLIENT_ID" \
        -d "scope=$RESOURCE" \
        -d "client_secret=$CLIENT_SECRET" \
        -d "grant_type=client_credentials" | jq -r .access_token)  
        
      # Use the access token in the API request  
      payload="{\"messages\":[{\"role\":\"system\",\"content\":[{\"type\":\"text\",\"text\":\"You are an AI assistant that helps people find information.\"}]}],\"temperature\":0.7,\"top_p\":0.95,\"max_tokens\":800}"  
      curl "https://jgsopenai1.openai.azure.com/openai/deployments/gpt-4o-mini/chat/completions?api-version=2025-01-01-preview" \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $ACCESS_TOKEN" \
        -d "$payload"  
    

    After getting the token, as Alban Berisha mentioned, you need to add it to the Authorization header field.

    If you observe here, you need to make a request to https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token, but as per this documentation login.microsoftonline.com is not allowed, so the only options left are:

    1. Get the token via curl or any other language and use it in SQL.
    2. Use the API key.

    So, choose one of the above options.

    If the above solution helped you, please accept it and give feedback by clicking on yes.

    Thank you
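
Option 1 from the answer above, sketched as an added example that is not part of the original thread or of Microsoft's own code: a variant of the question's procedure that takes a caller-supplied access token and sends it in the Authorization header instead of an api-key header. The procedure name GetTextEmbeddingWithToken and the @access_token parameter are hypothetical; the token is assumed to have been obtained outside SQL for the scope shown in the curl sample.

```sql
-- Added example: the question's procedure, with the hard-coded API key replaced
-- by a bearer token passed in by the caller (names below are hypothetical).
CREATE OR ALTER PROCEDURE [dbo].[GetTextEmbeddingWithToken]
(
    @text NVARCHAR(MAX),
    @access_token NVARCHAR(MAX),  -- token for scope https://cognitiveservices.azure.com/.default
    @model VARCHAR(50) = 'text-embedding-3-small',
    @embedding VECTOR(1536) OUTPUT
)
AS
BEGIN
    SET NOCOUNT ON;

    -- @headers is NVARCHAR(4000); reject a token that would be silently truncated.
    IF @access_token IS NULL OR LEN(@access_token) > 3900
        THROW 50001, 'Access token is missing or too long for the @headers parameter.', 1;

    DECLARE @url NVARCHAR(MAX) = 'https://<app-domain>.cognitiveservices.azure.com/openai/deployments/' + @model + '/embeddings?api-version=2023-05-15';
    -- JSON_OBJECT escapes the value, so the header stays valid flat JSON.
    DECLARE @headers NVARCHAR(4000) = JSON_OBJECT('Authorization': 'Bearer ' + @access_token);
    DECLARE @payload NVARCHAR(MAX) = JSON_OBJECT('input': @text);
    DECLARE @response NVARCHAR(MAX);
    DECLARE @ret INT;

    EXEC @ret = sp_invoke_external_rest_endpoint
        @url = @url,
        @method = 'POST',
        @headers = @headers,
        @payload = @payload,
        @response = @response OUTPUT;

    -- A rejected token (expired, wrong scope) comes back as a non-2xx status;
    -- fail loudly instead of casting a NULL embedding.
    DECLARE @http_code INT = CAST(JSON_VALUE(@response, '$.response.status.http.code') AS INT);
    IF @ret <> 0 OR ISNULL(@http_code, 0) <> 200
        THROW 50002, 'Embedding request failed; check token expiry and scope.', 1;

    SET @embedding = CAST(JSON_QUERY(@response, '$.result.data[0].embedding') AS VECTOR(1536));
END;
GO
```

The token is a bearer credential with a limited lifetime, so the caller fetches it per session and passes it as a parameter; nothing secret is stored in the procedure text.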

