Error (code ManagedIdentityIsNotEnabled) after deploy a web app from AI Studio

[Katerina-Chernevskaya]

Describe the bug
Hi,

I hope this is the right place to ask this question.
I'm experiencing a repeatable issue when deploying a web app using the button in AI Studio. Since yesterday, every time I deploy the web app and send any text, I receive the same error message:

Error code: 400 - {'error': {'requestid': '010babac-56b0-4756-9807-7f3703fc88bb', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}

I've tested in several tenants. Deployed resources both with Bicep scripts and manually. The issue reproduces every time.

To Reproduce
Steps to reproduce the behavior:

1. Go to Chat section in the AI Project (assume that gpt-4 model was deployed in advance).
2. Click on 'Add your data'.
3. Add an index.
4. Click on Deploy to a web app.
5. Complete the form (either Create a new web app or Update an existing web app) and enable chat history.
6. Click Deploy.
7. Wait till the web app will be deployed (or updated).
8. Open the created (updated) web app.
9. Send "hi".
10. See error

Expected behavior
The web app should reply something like "Hi" without any errors.

Screenshots

Configuration: Please provide the following

• Azure OpenAI model name and version: `gpt-4, version 0613'
• Is chat history enabled: 'yes' (but with disable chat history the error reproduced as well)
• Are you using data? If so, what data source? The index was created in Azure AI Search using Azure Blob Storage as data source
• Verify the startup command and runtime configuration by showing the output of the following az CLI command:

az webapp show --name <app name> --resource-group <resource group name> --query "{startupCommand: siteConfig.appCommandLine, runtime: siteConfig.linuxFxVersion}"

Output:

{
  "runtime": "PYTHON|3.11",
  "startupCommand": "python3 -m gunicorn app:app"
}

Logs

1. If the application deployment is failing, please share the deployment logs using the following az CLI command:

az webapp log deployment show --name <app name> --resource-group <rg name>

N/A

2. If the application is crashing after deployment, please share the application logs using the following az CLI command:

az webapp log tail --name <app name> --resource-group <resource group name>

Output:

2024-07-26T06:19:11  Welcome, you are now connected to log-streaming service.
Starting Log Tail -n 10 of existing logs ----
/appsvctmp/volatile/logs/runtime/container.log
2024-07-26T06:04:40.4897229Z            ^^^^^^^^^^^^^^^^^
2024-07-26T06:04:40.4897262Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post
2024-07-26T06:04:40.4897293Z     return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls)
2024-07-26T06:04:40.4897348Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:04:40.4897380Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request
2024-07-26T06:04:40.4897407Z     return await self._request(
2024-07-26T06:04:40.4897434Z            ^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:04:40.4897468Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request
2024-07-26T06:04:40.4897781Z     raise self._make_status_error_from_response(err.response) from None
2024-07-26T06:04:40.4897863Z openai.BadRequestError: Error code: 400 - {'error': {'requestid': '010babac-56b0-4756-9807-7f3703fc88bb', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}
Ending Log Tail of existing logs ---
Starting Live Log Stream ---
2024-07-26T06:19:27.7903526Z ERROR:root:Exception in send_chat_request
2024-07-26T06:19:27.7924534Z Traceback (most recent call last):
2024-07-26T06:19:27.7924630Z   File "/tmp/8dcad37dd7c728a/app.py", line 318, in send_chat_request
2024-07-26T06:19:27.7924663Z     raw_response = await azure_openai_client.chat.completions.with_raw_response.create(**model_args)   
2024-07-26T06:19:27.7924696Z                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^   
2024-07-26T06:19:27.7924726Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_response.py", line 262, in wrapped
2024-07-26T06:19:27.7924754Z     return cast(APIResponse[R], await func(*args, **kwargs))
2024-07-26T06:19:27.7924782Z                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7924850Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/resources/chat/completions.py", line 1295, in create
2024-07-26T06:19:27.7924881Z     return await self._post(
2024-07-26T06:19:27.7924908Z            ^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7924937Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post
2024-07-26T06:19:27.7924968Z     return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls)
2024-07-26T06:19:27.7924996Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7925026Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request
2024-07-26T06:19:27.7925052Z     return await self._request(
2024-07-26T06:19:27.7925092Z            ^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7925123Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request
2024-07-26T06:19:27.7925153Z     raise self._make_status_error_from_response(err.response) from None
2024-07-26T06:19:27.7925206Z openai.BadRequestError: Error code: 400 - {'error': {'requestid': '61184aca-fc0b-4f56-99c0-ab7dd94d3a54', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}
2024-07-26T06:19:27.7925779Z ERROR:root:Error code: 400 - {'error': {'requestid': '61184aca-fc0b-4f56-99c0-ab7dd94d3a54', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}
2024-07-26T06:19:27.7925832Z Traceback (most recent call last):
2024-07-26T06:19:27.7925863Z   File "/tmp/8dcad37dd7c728a/app.py", line 358, in conversation_internal
2024-07-26T06:19:27.7925892Z     result = await stream_chat_request(request_body, request_headers)
2024-07-26T06:19:27.7925922Z              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7925950Z   File "/tmp/8dcad37dd7c728a/app.py", line 345, in stream_chat_request
2024-07-26T06:19:27.7925978Z     response, apim_request_id = await send_chat_request(request_body, request_headers)
2024-07-26T06:19:27.7926007Z                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926033Z   File "/tmp/8dcad37dd7c728a/app.py", line 323, in send_chat_request
2024-07-26T06:19:27.7926075Z     raise e
2024-07-26T06:19:27.7926105Z   File "/tmp/8dcad37dd7c728a/app.py", line 318, in send_chat_request
2024-07-26T06:19:27.7926136Z     raw_response = await azure_openai_client.chat.completions.with_raw_response.create(**model_args)   
2024-07-26T06:19:27.7926167Z                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^   
2024-07-26T06:19:27.7926199Z   File "/tmp/8dcad37dd7c728a/antenv/lib/pyth
on3.11/site-packages/openai/_response.py", line 262, in wrapped
2024-07-26T06:19:27.7926232Z     return cast(APIResponse[R], await func(*args, **kwargs))
2024-07-26T06:19:27.7926264Z                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926315Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/resources/chat/completions.py", line 1295, in create
2024-07-26T06:19:27.7926344Z     return await self._post(
2024-07-26T06:19:27.7926371Z            ^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926402Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post
2024-07-26T06:19:27.7926433Z     return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls)
2024-07-26T06:19:27.7926464Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926499Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request
2024-07-26T06:19:27.7926530Z     return await self._request(
2024-07-26T06:19:27.7926574Z            ^^^^^^^^^^^^^^^^^^^^
2024-07-26T06:19:27.7926611Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request
2024-07-26T06:19:27.7926643Z     raise self._make_status_error_from_response(err.response) from None
2024-07-26T06:19:27.7926692Z openai.BadRequestError: Error code: 400 - {'error': {'requestid': '61184aca-fc0b-4f56-99c0-ab7dd94d3a54', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}

[harshbangad]

I am getting the same error. The chat playground works great but webapp gives the error.
I have deployed to a webapp similarly before but started getting this error today. The prior deployed webapps work fine.

[raju-celerinn]

I am getting the same error. The chat playground works great but webapp gives the error.

[harshbangad]

@sarah-widder This is the bug i was referring to.

[wangyuantao]

We are investigating. As mitigation, can you try enable managed identity of azure openAI resource, and add role assignment from azure openAI's identity to search resource? See https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely

[niallmcnulty]

I am getting the same error. The chat playground works great but webapp gives the error.
I have deployed to a webapp similarly before but started getting this error today. The prior deployed webapps work fine.

Same here - exactly the same use case. Was working fine, now not

[harshbangad]

@wangyuantao Tried that. Enabled identity for both search and open ai resource. Also redeployed web app. The error changed but still not working. Attaching screenshot

[kazmiruk]

@wangyuantao have the same error (initial one) and tried your workaround - got the same error as @harshbangad above

[wangyuantao]

There are some known issues in AOAI Studio for the "deploy web app" feature. Please file support tickets so the support team can troubleshoot and suggest workaround.

[harshbangad]

@wangyuantao Can you please add add someone from that team or add the link for the same? Thank you.

[iamramengirl]

Still occurring, could someone please update on the status of this issue?

[harshbangad]

@aahill @wangyuantao @yuantao-wang @mrbullwinkle

[abhahn]

Hi @harshbangad , I just want to confirm a few details with you about your app configuration to see if we can determine a workaround on the webapp side while we are working out issues on the studio deployment side.

1. Is the Azure Search index you're using a vector index?
2. Can you confirm that you are attempting to use system-assigned managed identity for authentication between resources?
3. Could you tell me which of the following variables are set in your environment? I don't need specific values, just whether or not they are set: AZURE_OPENAI_EMBEDDING_ENDPOINT, AZURE_OPENAI_EMBEDDING_KEY, AZURE_OPENAI_EMBEDDING_NAME, AZURE_OPENAI_KEY, AZURE_SEARCH_KEY
4. If attempting to use MI, can you confirm the following RBAC settings on each resource?

Role	Assignee	Resource
Search Index Data Reader	Azure OpenAI (Inference)	Azure AI Search
Search Service Contributor	Azure OpenAI (Inference)	Azure AI Search
Cognitive Services OpenAI User	Web app	Azure OpenAI (Inference)

[harshbangad]

Thanks for the response @abhahn

1. The azure search index is hybrid (vector + keyword)
2. Yes, system assigned managed identity
3. Using default. Did not change any of these. I am just adding my index on Azure AI Studio playground where it works and then deploy as webapp.
4. This is where i believe there is the issue. Before Microsoft made changes, the role assigned was contributor for the open ai for the search resource and worked fine. Now the documentation says making it "Cognitive services open ai contributor". I see that role in overall roles but when we select add role assignment for the search resource and then select the open ai resource- the cognitive service openai user does not appear in the option. I added "search index data contributor" roles for the open ai resource on the search resource. Even tried making the network public. still does not work. I tried the same using open ai studio as well and got the following error in adding a new data source itself. The issue seems with the new role of "Cognitive services open AI contributor"
   

[raju-celerinn]

Try using the API keys instead of managed identities. It is working

…

________________________________ From: Harsh Bangad ***@***.***> Sent: Wednesday, August 7, 2024 10:39 AM To: microsoft/sample-app-aoai-chatGPT ***@***.***> Cc: Narasimha Raju ***@***.***>; Comment ***@***.***> Subject: Re: [microsoft/sample-app-aoai-chatGPT] Error (code ManagedIdentityIsNotEnabled) after deploy a web app from AI Studio (Issue #1024) Thanks for the response @abhahn<https://github.com/abhahn> 1. The azure search index is hybrid (vector + keyword) 2. Yes, system assigned managed identity 3. Using default. Did not change any of these. I am just adding my index on Azure AI Studio playground where it works and then deploy as webapp. 4. This is where i believe there is the issue. Before Microsoft made changes, the role assigned was contributor for the open ai for the search resource and worked fine. Now the documentation says making it "Cognitive services open ai contributor". I see that role in overall roles but when we select add role assignment for the search resource and then select the open ai resource- the cognitive service openai user does not appear in the option. Even tried making the network public. still does not work. I tried the same using open ai studio as well and got the following error in adding a new data source itself. The issue is with the new role of "Cognitive services open AI User" image.png (view on web)<https://github.com/user-attachments/assets/0c138aeb-e8b3-4f56-9cf9-77bdaec86005> — Reply to this email directly, view it on GitHub<#1024 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BJ7BMVV44SP2RWPMFVDDKK3ZQGTYDAVCNFSM6AAAAABLP4LZLOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENZSGYZDQMBTGY>. You are receiving this because you commented.Message ID: ***@***.***>

[abhahn]

@harshbangad , I have also noticed that sometimes I am not able to find the correct roles in the Azure portal when attempting to do the assignment.

There is another way to do it through the az CLI which seems to always work for me. Here is the general format of the command that I sometimes use to set up my roles:

az role assignment create --assignee-object-id <system assigned MI object id> --role "<insert role name here>" --scope /subscriptions/<sub id>/resourceGroups/<rg name>/providers/...

For the above you will need to substitute your details into each command for each role you want to apply. For example, if I wanted to assign "Search Index Data Reader" to my AOAI resource, I would substitute <system assigned MI object id> with the MI object ID for my AOAI resource, use "Search Index Data Reader" as the role name, and the full resource path to my search resource (beginning with /subscriptions) as the value for scope. You can modify this command for each of the roles you want to apply for your resources. A comprehensive list of roles can be found in our docs here: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#role-assignments

Aside from the role assignments being correct, there are just a few other things to check:

1. Is your app using the latest code in our repo? I just recently pushed a change to support system-assigned MI for the embedding dependency, so if your app was deployed prior to the merging of PR Support system assigned managed identity for embedding dependency #1041 you may need to sync with the latest as a part of the mitigation.
2. When using system assigned managed identity, you need to also be sure to delete the keys from your environment. I just deployed a webapp from the Azure OpenAI Studio and did not see keys added to the environment as of today, but you should double check your App Service environment variables to be sure none of the keys are there. If they are set, you can just delete them and restart the app. The relevant environment variables are AZURE_OPENAI_KEY, AZURE_SEARCH_KEY, and AZURE_OPENAI_EMBEDDING_KEY.

What @raju-celerinn has suggested would also work, if you are okay with continuing to use keys. However, for system-assigned MI the most important thing is to be sure that role assignments are correct on resources, you're using the latest code, and the environment does not contain any keys.

Let me know if this helps.

[iamramengirl]

The engineering team is currently working on this and will roll out a fix in about 2 weeks' time.

For the time being, there is a workaround for this, if anyone is referencing this issue.

I. RBAC access control
If your Azure AI Search resource is using Role Based Access Control, you have to allow each service identity-based access to each other. The steps I followed are:

1. Verify that the API access control configuration of the Azure AI Search is RBAC or both.
2. Enable the MI (Managed Identity) for Azure OpenAI and AI Search resources and grant the required RBAC permission following the chart in this documentation. https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#role-assignments.
   Note: The Web App should have automatically been assigned an MI already so there is no need to enable this manually. After which, assign the required RBAC permission for the web app's MI on the Azure OpenAI resource following the above table.

II. API keys access control
Alternatively, if your AI Search resource's access control is configured to API keys only, it is required to manually configure the web app environment variable AZURE_SEARCH_KEY as this will be assigned no value by default. If this variable is empty, the authentication to AI search appears to revert to Role-based access by default. Please also ensure that the AZURE_OPENAI_KEY environment variable is populated.

Hope this helps.

[harshbangad]

I was able to add the roles through azure portal and got it working. Just a note to add, some of the permissions did not have the option at resource level but subscription/ resource group level. Hopefully Microsoft fixes this soon. Thanks for the help.

[chengyuliu-msft]

Thanks @iamramengirl. It works!!!

[Number9Solutions]

@iamramengirl , you mentioned that someone was working on a fix. Is this still in progress?

[imsantoshg]

For the ones who could not apply the workaround, as its bit difficult to understand in first place.
Had to seek help from GPT to apply it step by step.

1. Verify that the API access control configuration of the Azure AI Search is RBAC or both.

--- Inside Azure Search > Visit Keys > API Access control > Select RBAC or both

2. When it comes to applying the permissions from the table suggested above, follow here.

1. Search Index Data Reader Role for Azure OpenAI on Azure AI Search

• Role: Search Index Data Reader
• Assignee: Azure OpenAI
• Resource: Azure AI Search
• Description: This role assignment allows the Azure OpenAI service to query data from the index in Azure AI Search. This is necessary when the inference service (powered by OpenAI) needs to fetch data from the search index.

Steps to Assign:

• In the Azure Portal, navigate to the Azure AI Search resource.
• Go to the "Access control (IAM)" section.
• Click on "Add role assignment."
• Select the Search Index Data Reader role.
• Choose the managed identity of Azure OpenAI as the assignee.
• Confirm the assignment.

2. Search Service Contributor Role for Azure OpenAI on Azure AI Search

• Role: Search Service Contributor
• Assignee: Azure OpenAI
• Resource: Azure AI Search
• Description: This role allows Azure OpenAI to query the index schema, create indexes, data sources, skill sets, indexers, and query the status of the indexer in Azure AI Search.

Steps to Assign:

• Navigate to the Azure AI Search resource.
• Go to the "Access control (IAM)" section.
• Add the Search Service Contributor role.
• Select the managed identity of Azure OpenAI as the assignee.
• Confirm the assignment.

3. Storage Blob Data Contributor Role for Azure OpenAI on Storage Account

• Role: Storage Blob Data Contributor
• Assignee: Azure OpenAI
• Resource: Storage Account
• Description: This role grants Azure OpenAI the ability to read from the input container and write preprocessed results to the output container in the Storage Account.

Steps to Assign:

• Navigate to the Storage Account resource in the Azure Portal.
• Go to "Access control (IAM)."
• Add the Storage Blob Data Contributor role.
• Choose the managed identity of Azure OpenAI as the assignee.
• Confirm the assignment.

4. Cognitive Services OpenAI Contributor Role for Azure AI Search on Azure OpenAI

• Role: Cognitive Services OpenAI Contributor
• Assignee: Azure AI Search
• Resource: Azure OpenAI
• Description: This role allows the Azure AI Search service to act as a custom skill using the Azure OpenAI service.

Steps to Assign:

• Navigate to the Azure OpenAI resource.
• Go to "Access control (IAM)."
• Add the Cognitive Services OpenAI Contributor role.
• Select the managed identity of Azure AI Search as the assignee.
• Confirm the assignment.

5. Storage Blob Data Reader Role for Azure AI Search on Storage Account

• Role: Storage Blob Data Reader
• Assignee: Azure AI Search
• Resource: Storage Account
• Description: This role assignment allows Azure AI Search to read document blobs and chunk blobs from the Storage Account, which is necessary for indexing documents.

Steps to Assign:

• Navigate to the Storage Account resource.
• Go to "Access control (IAM)."
• Add the Storage Blob Data Reader role.
• Choose the managed identity of Azure AI Search as the assignee.
• Confirm the assignment.

6. Cognitive Services OpenAI User Role for Web App on Azure OpenAI

• Role: Cognitive Services OpenAI User
• Assignee: Web app
• Resource: Azure OpenAI
• Description: This role allows the web application to use the Azure OpenAI service for inference, meaning the web app can send requests to the OpenAI service to generate responses.

Steps to Assign:

• Navigate to the Azure OpenAI resource.
• Go to "Access control (IAM)."
• Add the Cognitive Services OpenAI User role.
• Select the managed identity of the Web app as the assignee.
• Confirm the assignment.

Summary:

Each step involves navigating to the relevant Azure resource, accessing the "Access control (IAM)" section, and adding the appropriate role for the managed identity of another service that needs to interact with it. This setup ensures that each service can perform its necessary functions, such as reading data, querying schemas, creating resources, and invoking custom skills, while maintaining security through Azure's RBAC system.

[iamramengirl]

@Number9Solutions Per the last communication with Engineering team, it should be fixed by this time. However, I have not tested yet.

@imsantoshg I'm sorry the workaround steps were not easy to understand. I believe this documentation link summarizes the required RBAC for each service. https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/use-your-data-securely#role-assignments.

[jppech]

issue is still not fixed :(

[niallmcnulty]

I redeployed the app, and it is working for me on an existing web app. I then tried it on a new webapp and got the same error (exactly the same settings as the working one)

…

On Sun, 01 Sep 2024 at 17:06, jppech ***@***.***> wrote: Capture.d.ecran.2024-09-01.170504.png (view on web) <https://github.com/user-attachments/assets/e6a51f6a-60c3-4442-9a96-2062b0a3379c> issue is still not fixed :( — Reply to this email directly, view it on GitHub <#1024 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAZWXOO6UKZ24EUYRLG77O3ZUMUORAVCNFSM6AAAAABLP4LZLOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMRTGM4DIMBTGU> . You are receiving this because you commented.Message ID: ***@***.***>

[joacosnchz]

Hi @harshbangad , I just want to confirm a few details with you about your app configuration to see if we can determine a workaround on the webapp side while we are working out issues on the studio deployment side.

1. Is the Azure Search index you're using a vector index?
2. Can you confirm that you are attempting to use system-assigned managed identity for authentication between resources?
3. Could you tell me which of the following variables are set in your environment? I don't need specific values, just whether or not they are set: AZURE_OPENAI_EMBEDDING_ENDPOINT, AZURE_OPENAI_EMBEDDING_KEY, AZURE_OPENAI_EMBEDDING_NAME, AZURE_OPENAI_KEY, AZURE_SEARCH_KEY
4. If attempting to use MI, can you confirm the following RBAC settings on each resource?

Role Assignee Resource
Search Index Data Reader Azure OpenAI (Inference) Azure AI Search
Search Service Contributor Azure OpenAI (Inference) Azure AI Search
Cognitive Services OpenAI User Web app Azure OpenAI (Inference)

This solved it for me. The created web app deployment did not include some of these environment variables so I had to fill them manually.

In my case, I kept the api keys authentication. I had to fill AZURE_SEARCH_KEY using the key that appears on the Azure Search resource > Settings > Keys and AZURE_OPENAI_EMBEDDING_NAME with the name of the deployed embedding model, in my case text-embedding-ada-002.

Hope this helps for future reference.

[robvoi]

I run into the same error.
Filled the missing environment variables. But the error persists.

Is there any update on this issue?

[harshbangad]

Thanks @joacosnchz - Going to environment variables fixed it for me.
So, this bug is still not fixed by Microsoft [deployment through azure ai studio is still broken]
So the process works fine for indexes which i have set up to re-index daily and update the webapp. But anytime for a new deployment or updating existing ones- it passes the keys as blank for search and open ai embedding name.

Also, is there a way to modify the indexes/ job to pick only new documents while re-indexing? Every time even if i remove older documents from source and add new ones- the app response suggests answers from both new and old documents in reference[ old should ideally not be there as its removed from the source]- How to modify this from azure ai studio/ index job?