unable to access authentication token of cognitive services endpoint in Azure

Question

I am trialling this tutorial - https://github.com/Azure-Samples/openai/blob/cf0f19f36a30925e3891137b0bc2539e25687cac/Basic_Samples/AAD_Integration/aad_integration_example_sdk.ipynb

In Azure, I have created different resources groups - there is one for Azure ML Workspace and other for Azure Open AI. I might not be following the tutorial exactly as instead of running the code from local machine, I am running the notebook from Azure machine learning workspace (thus I haven't run az login for example).

I have assigned Cognitive Services User role to Azure ML Workspace called aoai-example-workspace

I am getting authentication error when I run the last cell. How do I solve this issue?

Code

prompt = "Once upon a time"

response = get_completion(
    prompt=prompt,
    temperature=0.7,
    max_tokens=300,
    top_p=0.5,
    stop=None
)

# printing the response
print(response)

Error

EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
Require a package "gir1.2-secret-1" which could be installed by:
        sudo apt install gir1.2-secret-1
        
Traceback (most recent call last):
  File "/home/trusted-service-user/cluster-env/env/lib/python3.8/site-packages/msal_extensions/libsecret.py", line 34, in <module>
    gi.require_version("Secret", "1")  # Would require a package gir1.2-secret-1
  File "/home/trusted-service-user/cluster-env/env/lib/python3.8/site-packages/gi/__init__.py", line 126, in require_version
    raise ValueError('Namespace %s not available' % namespace)
ValueError: Namespace Secret not available
SharedTokenCacheCredential.get_token failed: Shared token cache unavailable
VisualStudioCodeCredential.get_token failed: Failed to get Azure user details from Visual Studio Code.
AzureCliCredential.get_token failed: Azure CLI not found on path
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
    ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
    SharedTokenCacheCredential: Shared token cache unavailable
    VisualStudioCodeCredential: Failed to get Azure user details from Visual Studio Code.
    AzureCliCredential: Azure CLI not found on path
---------------------------------------------------------------------------
ClientAuthenticationError                 Traceback (most recent call last)
/tmp/ipykernel_7117/2959706531.py in <module>
      1 prompt = "Once upon a time"
      2 
----> 3 response = get_completion(
      4     prompt=prompt,
      5     temperature=0.7,

/tmp/ipykernel_7117/1869397622.py in get_completion(**kwargs)
     13 def get_completion(**kwargs):
     14     # Refresh token
---> 15     refresh_token()
     16     # Set the API key to be your Bearer token (yes this could be optimizaed to not do this every time :D)
     17     openai.api_key = token.token

/tmp/ipykernel_7117/1869397622.py in refresh_token()
      8     # Check if Azure token is still valid
      9     if not token or datetime.datetime.fromtimestamp(token.expires_on) < datetime.datetime.now():
---> 10         token = default_credential.get_token("https://cognitiveservices.azure.com")
     11         print(token)
     12 

~/cluster-env/env/lib/python3.8/site-packages/azure/identity/_credentials/default.py in get_token(self, *scopes, **kwargs)
    142             return token
    143 
--> 144         return super(DefaultAzureCredential, self).get_token(*scopes, **kwargs)

~/cluster-env/env/lib/python3.8/site-packages/azure/identity/_credentials/chained.py in get_token(self, *scopes, **kwargs)
     88         message = self.__class__.__name__ + " failed to retrieve a token from the included credentials." + attempts
     89         _LOGGER.warning(message)
---> 90         raise ClientAuthenticationError(message=message)

ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
    ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
    SharedTokenCacheCredential: Shared token cache unavailable
    VisualStudioCodeCredential: Failed to get Azure user details from Visual Studio Code.
    AzureCliCredential: Azure CLI not found on path

Answer 1

The DefaultAzureCredential operation is trying to get authentication details on various sources (environment credentials, managed identity credentials, etc.), which is a great thing. But as mentioned in the logs, none of those possibilities are returning valid credentials:

EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Shared token cache unavailable
VisualStudioCodeCredential: Failed to get Azure user details from Visual Studio Code.
AzureCliCredential: Azure CLI not found on path

So you need to ensure that you have credentials. There are several possibilities for that. Two of them would be:

• on your compute used to run your notebook: during cluster creation or when editing compute cluster details, in the Advanced settings, toggle Assign a managed identity and specify a system-assigned identity or user-assigned identity.
• or add steps in your notebook to authenticate (using an app => client ID / client secret) before the step where you have the error

Depending on which solution you chose, don't forget to add the proper RBAC role on the Azure OpenAI service for the next steps.

Interesting documentation links for your case: here Another interesting blog post showing the various options depending on where it is running: here