Skip to content

Provision an OpenAI account with GPT model and RBAC role for your user account for keyless access.

License

Notifications You must be signed in to change notification settings

Azure-Samples/azure-openai-keyless-python

Repository files navigation

Azure OpenAI resource with keyless auth (Python)

Open in GitHub Codespaces Open in Dev Containers

The purpose of this repository is to provision an Azure OpenAI account with an RBAC role permission for your user account to access, so that you can use the OpenAI API SDKs with keyless (Entra) authentication.

Features

  • Provisions an Azure OpenAI account with keyless authentication enabled
  • Grants the "Cognitive Services OpenAI User" RBAC role to your user account
  • Deploys a gpt-4o-mini model by default, but you can modify the Bicep template to deploy other models
  • Example script uses the openai Python package to make a request to the Azure OpenAI API

Architecture diagram

Architecture diagram: Microsoft Entra managed identity connecting to Azure AI services

Getting started

You have a few options for getting started with this template. The quickest way to get started is GitHub Codespaces, since it will setup all the tools for you, but you can also set it up locally.

GitHub Codespaces

You can run this template virtually by using GitHub Codespaces. The button will open a web-based VS Code instance in your browser:

  1. Open the template (this may take several minutes):

    Open in GitHub Codespaces

  2. Open a terminal window

  3. Continue with the deployment steps

VS Code Dev Containers

A related option is VS Code Dev Containers, which will open the project in your local VS Code using the Dev Containers extension:

  1. Start Docker Desktop (install it if not already installed)

  2. Open the project:

    Open in Dev Containers

  3. In the VS Code window that opens, once the project files show up (this may take several minutes), open a terminal window.

  4. Continue with the deployment steps

Local environment

  1. Make sure the following tools are installed:

  2. Make a new directory called azure-openai-keyless-python and clone this template into it using the azd CLI:

    azd init -t azure-openai-keyless-python

    You can also use git to clone the repository if you prefer.

  3. Continue with the deployment steps

Deployment

  1. Login to Azure:

    azd auth login

    For GitHub Codespaces users, if the previous command fails, try:

     azd auth login --use-device-code
  2. Provision the OpenAI account:

    azd provision

    It will prompt you to provide an azd environment name (like "chat-app"), select a subscription from your Azure account, and select a location where the OpenAI model is available (like "canadaeast"). Then it will provision the resources in your account and deploy the latest code.

    ⚠️ If you get an error or timeout with deployment, changing the location can help, as there may be availability constraints for the OpenAI resource. To change the location run:

    azd env set AZURE_LOCATION "yournewlocationname"
  3. When azd has finished, you should have an OpenAI account you can use locally when logged into your Azure account. You can output the necessary environment variables into an .env file by running a script:

    For Mac OS X / Linux:

    ./write_dot_env.sh

    For Windows:

    pwsh ./write_dot_env.ps1
  4. Then you can proceed to run the Python example.

Running the Python example

  1. If you're not already running in a Codespace or Dev Container, create a Python virtual environment.

  2. Install the requirements:

    python -m pip install -r requirements.txt
  3. Run the example:

    python example.py

    This will use the OpenAI API SDK to make a request to the OpenAI API and print the response.

Guidance

Costs

This template creates only the Azure OpenAI resource, which is free to provision. However, you will be charged for the usage of the Azure OpenAI chat completions API. The pricing is based on the number of tokens used, with around 1-3 tokens used per word. You can find the pricing details for the OpenAI API on the Azure Cognitive Services pricing page.

Security guidelines

This template uses keyless authentication for authenticating to the Azure OpenAI resource. This is a secure way to authenticate to Azure resources without needing to store credentials in your code. Your Azure user account is assigned the "Cognitive Services OpenAI User" role, which allows you to access the OpenAI resource. You can find more information about the permissions of this role in the Azure OpenAI documentation.

For further security, you could also deploy the Azure OpenAI inside a private virtual network (VNet) and use a private endpoint to access it. This would prevent the OpenAI resource from being accessed from the public internet.

Resources

About

Provision an OpenAI account with GPT model and RBAC role for your user account for keyless access.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks