Edit

Share via

Use Azure OpenAI without keys

  • Article

Application requests to most Azure services must be authenticated with keys or passwordless connections. Developers must be diligent to never expose the keys in an unsecure location. Anyone who gains access to the key is able to authenticate to the service. Keyless authentication offers improved management and security benefits over the account key because there's no key (or connection string) to store.

Keyless connections are enabled with the following steps:

  • Configure your authentication.
  • Set environment variables, as needed.
  • Use an Azure Identity library credential type to create an Azure OpenAI client object.

Authentication

Authentication to Microsoft Entra ID is required to use the Azure client libraries.

Authentication differs based on the environment in which the app is running:

Azure OpenAI Keyless Building Block

Use the following link to explore the Azure OpenAI Keyless Building Block AI template. This template provisions an Azure OpenAI account with your user account RBAC role permission for keyless (Microsoft Entra) authentication to access the OpenAI API SDKs.

Note

This article uses one or more AI app templates as the basis for the examples and guidance in the article. AI app templates provide you with well-maintained, easy to deploy reference implementations that help to ensure a high-quality starting point for your AI apps.

Authenticate for local development

Select a tool for authentication during local development.

Important

For access to your Azure resources during local development, you must sign-in to a local development tool using the Azure account you assigned the Azure AI Developer role to. For example, Visual Studio or the Azure CLI.

Authenticate for Azure-hosted environments

Learn about how to manage the DefaultAzureCredential for applications deployed to Azure.

Configure roles for authorization

  1. Find the role for your usage of Azure OpenAI. Depending on how you intend to set that role, you need either the name or ID.

    Role name Role ID
    For Azure CLI or Azure PowerShell, you can use role name. For Bicep, you need the role ID.

  2. Use the following table to select a role and ID.

    Use case Role name Role ID
    Assistants Cognitive Services OpenAI Contributor a001fd3d-188f-4b5d-821b-7da978bf7442
    Chat completions Cognitive Services OpenAI User 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd

  3. Select an identity type to use.

    • Personal identity: This is your personal identity tied to your sign in to Azure.
    • Managed identity: This is an identity managed by and created for use on Azure. For managed identity, create a user-assigned managed identity. When you create the managed identity, you need the Client ID, also known as the app ID.

  4. To find your personal identity, use one of the following commands. Use the ID as the <identity-id> in the next step.

    For local development, to get your own identity ID, use the following command. You need to sign in with az login before using this command.

    az ad signed-in-user show \
    --query id -o tsv

  5. Assign the role-based access control (RBAC) role to the identity for the resource group.

    To grant your identity permissions to your resource through RBAC, assign a role using the Azure CLI command az role assignment create.

    az role assignment create \
    --role "Cognitive Services OpenAI User" \
    --assignee "<identity-id>" \
    --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"

    Where applicable, replace <identity-id>, <subscription-id>, and <resource-group-name> with your actual values.

Configure environment variables

To connect to Azure OpenAI, your code needs to know your resource endpoint, and might need other environment variables.

  1. Create an environment variable for your Azure OpenAI endpoint.

    • AZURE_OPENAI_ENDPOINT: This URL is the access point for your Azure OpenAI resource.

  2. Create environment variables based on the location in which your app runs:

    Location Identity Description
    Local Personal For local runtimes with your personal identity, sign in to create your credential with a tool.
    Azure cloud User-assigned managed identity Create an AZURE_CLIENT_ID environment variable containing the client ID of the user-assigned managed identity to authenticate as.

Install Azure Identity client library

Use the following link to install the Azure Identity client library.

Install the .NET Azure Identity client library:

dotnet add package Azure.Identity

Use DefaultAzureCredential

The Azure Identity library's DefaultAzureCredential allows the customer to run the same code in the local development environment and in the Azure Cloud.

For more information on DefaultAzureCredential for .NET, see the DefaultAzureCredential overview.

Take one of the following approaches to set the user-assigned managed identity's client ID:

  • Set environment variable AZURE_CLIENT_ID. The parameterless constructor of DefaultAzureCredential uses the value of this environment variable, if present.

    using Azure;
using Azure.AI.OpenAI;
using Azure.Identity;
using System;
using static System.Environment;

string endpoint = GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT");

OpenAIClient client = new(new Uri(endpoint), new DefaultAzureCredential());

  • Set property ManagedIdentityClientId on DefaultAzureCredentialOptions:

    using Azure;
using Azure.AI.OpenAI;
using Azure.Identity;
using System;
using static System.Environment;

string endpoint = GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT");

var credential = new DefaultAzureCredential(
    new DefaultAzureCredentialOptions
    {
        ManagedIdentityClientId = "<user_assigned_client_id>"
    });

OpenAIClient client = new(new Uri(endpoint), credential);

Resources