Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

'Azure Search Error: 403, Server responded with status 403. Error message: Authorization failed' when using Azure RBAC instead of API keys to authenticate to Azure AI Search #624

Closed
HXK8 opened this issue Feb 15, 2024 · 4 comments
Closed

'Azure Search Error: 403, Server responded with status 403. Error message: Authorization failed' when using Azure RBAC instead of API keys to authenticate to Azure AI Search #624

HXK8 opened this issue Feb 15, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@HXK8
Copy link

HXK8 commented Feb 15, 2024
edited
Loading

Describe the bug
When disabling API key authentication on Azure AI Search, the following error appears when entering chat messages:

Error code: 400 - {'error': {'requestid': 'f714cb6b-07ed-4bad-9018-6825fe1901e9', 'code': 400, 'message': 'Invalid AzureCognitiveSearch configuration detected: Call to get ACS index failed. Check you are using correct index, instance and api_key.\nAzure Search Error: 403, message=\'Server responded with status 403. Error message: {"error":{"code":"","message":"Authorization failed."}}\', url=URL(\'https://srch-xxx.search.windows.net/indexes/all-documents-index?api-version=2021-04-30-Preview\')\nServer responded with status 403. Error message: {"error":{"code":"","message":"Authorization failed."}}'}}

Was hoping this would be possible now after #460 and #427 were closed.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy the application through Azure AI Studio.
  2. Enable system-assigned managed identities for Azure AI Services, Azure AI Search, and Azure App Services.
  3. Configure the following Azure RBAC assignments:
Target resource Role Member(s)
Azure AI/OpenAI Services Cognitive Services Contributor Azure AI Search system-assigned managed identity
Azure AI/OpenAI Services Cognitive Services OpenAI Contributor Azure AI Search system-assigned managed identity
Azure AI/OpenAI Services Cognitive Services OpenAI User Azure App Service system-assigned managed identity
Azure AI Search Search Service Contributor Azure AI/OpenAI Services system-assigned managed identity
Azure AI Search Search Index Data Reader Azure App Service system-assigned managed identity
Azure AI/OpenAI Services system-assigned managed identity
  1. In Azure App Services, delete the following application settings:
  • AZURE_OPENAI_KEY
  • AZURE_SEARCH_KEY
  1. Restart Azure App Services.
  2. Test the application.

Expected behavior
The chat application should be able to run queries the same way as before when using API keys to authenticate with Azure AI Search instead of Azure RBAC.

Screenshots
image

Configuration: Please provide the following

  • Azure OpenAI model name and version: gpt-4, 1106-Preview
  • Is chat history enabled? No
  • Are you using data? Yes
    • If so, what data source? Azure AI Search

Additional context
Using the latest code available from the main branch as of ~2024-02-14.
@HXK8 HXK8 added the bug Something isn't working label Feb 15, 2024
@HXK8
Copy link
Author

HXK8 commented Feb 16, 2024

Looks like there was a misconfiguration on my end and the incorrect assignee was selected when assigning some roles. All good now.

Apologies for any false alarms.

Thanks!

@HXK8 HXK8 closed this as completed Feb 16, 2024
@SariyahSid
Copy link

Hi could you help me how did you resolved it? I am facing the same issue.

@HXK8
Copy link
Author

HXK8 commented Dec 10, 2024

Hi @SariyahSid,

In my case, the Azure RBAC roles listed above worked:

Target resource Role Member(s)
Azure AI/OpenAI Services Cognitive Services Contributor Azure AI Search system-assigned managed identity
Azure AI/OpenAI Services Cognitive Services OpenAI Contributor Azure AI Search system-assigned managed identity
Azure AI/OpenAI Services Cognitive Services OpenAI User Azure App Service system-assigned managed identity
Azure AI Search Search Service Contributor Azure AI/OpenAI Services system-assigned managed identity
Azure AI Search Search Index Data Reader Azure App Service system-assigned managed identity
Azure AI/OpenAI Services system-assigned managed identity

I double-checked that the role assignments were assigned to the correct resources. I made a mistake in my original configuration, which is why I thought it was a bug.

That said, Azure AI services have changed dramatically in the past 12 months, so there may be other causes for your errors.

@HXK8
Copy link
Author

HXK8 commented Dec 12, 2024

Hi @SariyahSid,

I had to revisit this use case recently and the list above is incomplete. You should follow the list of role assignments in the following article and make sure all the necessary roles are assigned:

Hope that helps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@HXK8 @SariyahSid