Example Azure OpenAI deployment and RBAC role for your user account for keyless access
MIT License
⭐ If you like this sample, star it on GitHub — it helps a lot!
Overview • Get started • Run the sample • Resources • Guidance
This sample shows how to to provision an Azure OpenAI account with an RBAC role permission for your user account to access, so that you can use the OpenAI API SDKs with keyless (Entra) authentication. Keyless authentication is a recommended security practice to reduce risks with API keys.
There are multiple ways to get started with this project.
The quickest way is to use GitHub Codespaces that provides a preconfigured environment for you. Alternatively, you can set up your local environment following the instructions below.
You need to install following tools to work on your local machine:
pwsh.exe
from a PowerShell command. If this fails, you likely need to upgrade PowerShell.Then you can get the project code:
You can run this project directly in your browser by using GitHub Codespaces, which will open a web-based VS Code:
A similar option to Codespaces is VS Code Dev Containers, that will open the project in your local VS Code instance using the Dev Containers extension.
You will also need to have Docker installed on your machine to run the container.
Microsoft.Authorization/roleAssignments/write
permissions, such as Role Based Access Control Administrator, User Access Administrator, or Owner. If you don't have subscription-level permissions, you must be granted RBAC for an existing resource group and deploy to that existing group by running these commands:
azd env set AZURE_RESOURCE_GROUP <name of existing resource group>
azd env set AZURE_LOCATION <location of existing resource group>
Microsoft.Resources/deployments/write
permissions on the subscription level.Pricing varies per region and usage, so it isn't possible to predict exact costs for your usage. However, you can use the Azure pricing calculator for the resources below to get an estimate.
azd auth login
.azd provision
to provision the Azure resources.
eastus2
. See OpenAI model availability table for more information.The deployment process will take a few minutes. Once it's done, a .env
file will be created in the root folder with the environment variables needed to run the application.
First make sure you have provisioned the Azure OpenAI resources, and that you have the .env
file in the root folder.
npm install
to install the dependencies.npm start
to run the example.This will use the OpenAI SDK to make a request to the OpenAI API and print the response to the console.
To clean up all the Azure resources created by this sample:
azd down --purge
y
The resource group and all the resources will be deleted.
Here are some resources to learn more about Azure OpenAI and related technologies:
You can also find more Azure AI samples here.
This template uses model gpt-35-turbo (0613)
which may not be available in all Azure regions. Check for up-to-date region availability and select a region during deployment accordingly.
We recommend using East US 2
if you're unsure of which region to choose.
This template has Managed Identity built in to eliminate the need for developers to manage these credentials. Applications can use managed identities to obtain Microsoft Entra tokens without having to handle any secrets in the code. Additionally, we're using Microsoft Security DevOps GitHub Action to scan the infrastructure-as-code files and generates a report containing any detected issues.
If you have any issue when running or deploying this sample, please check the troubleshooting guide. If you can't find a solution to your problem, please open an issue in this repository.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.