using Entra ID for AOAI

CawaMS · CawaMS · commit c336956008b8 · 2025-02-03T22:57:29.000-08:00
diff --git a/OutputCacheDallESample/GenerateImageSC.cs b/OutputCacheDallESample/GenerateImageSC.cs
@@ -4,6 +4,7 @@
 using Redis.OM.Vectorizers;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
 using OpenAI.Images;
+using Azure.Identity;
 
 namespace OutputCacheDallESample
 {
@@ -29,7 +30,8 @@ await context.Response.WriteAsync("<!DOCTYPE html><html><body> " +
             }
             else 
             {
-                AzureOpenAIClient client = new(new Uri(endpoint), new AzureKeyCredential(key));
+                // AzureOpenAIClient client = new(new Uri(endpoint), new AzureKeyCredential(key));
+                AzureOpenAIClient client = new(new Uri(endpoint), new DefaultAzureCredential());
 
                 ImageClient imageClient = client.GetImageClient("dall-e-3");
                 GeneratedImage generatedImage = await imageClient.GenerateImageAsync(_prompt, new ImageGenerationOptions() {
diff --git a/OutputCacheDallESample/GenerateImageSDK.cs b/OutputCacheDallESample/GenerateImageSDK.cs
@@ -1,4 +1,5 @@
 ﻿using Azure.AI.OpenAI;
+using Azure.Identity;
 using Azure;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
 using OpenAI.Images;
@@ -12,7 +13,9 @@ public static async Task GenerateImageSDKAsync(HttpContext context, string _prom
             string endpoint = _config["AZURE_OPENAI_ENDPOINT"];
             string key = _config["apiKey"];
 
-            AzureOpenAIClient client = new(new Uri(endpoint), new AzureKeyCredential(key));
+            // AzureOpenAIClient client = new(new Uri(endpoint), new AzureKeyCredential(key));
+
+            AzureOpenAIClient client = new(new Uri(endpoint), new DefaultAzureCredential());
 
             ImageClient imageClient = client.GetImageClient("dall-e-3");
             GeneratedImage generatedImage = await imageClient.GenerateImageAsync(_prompt, new ImageGenerationOptions()
diff --git a/OutputCacheDallESample/OutputCacheDallESample.csproj b/OutputCacheDallESample/OutputCacheDallESample.csproj
@@ -10,8 +10,10 @@
 
   <ItemGroup>
     <PackageReference Include="Azure.AI.OpenAI" Version="2.1.0" />
-    <PackageReference Include="Microsoft.AspNetCore.OutputCaching.StackExchangeRedis" Version="9.0.0" />
-    <PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="9.0.0" />
+    <PackageReference Include="Azure.Identity" Version="1.13.2" />
+    <PackageReference Include="Microsoft.AspNetCore.OutputCaching.StackExchangeRedis" Version="9.0.1" />
+    <PackageReference Include="Microsoft.Azure.StackExchangeRedis" Version="3.2.1" />
+    <PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="9.0.1" />
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
     <PackageReference Include="Redis.OM" Version="0.7.6" />
     <PackageReference Include="Redis.OM.Vectorizers" Version="0.7.6" />
diff --git a/OutputCacheDallESample/Program.cs b/OutputCacheDallESample/Program.cs
@@ -1,5 +1,6 @@
 using Microsoft.AspNetCore.OutputCaching;
 using OutputCacheDallESample;
+using Azure.AI.OpenAI;
 using Redis.OM;
 using Redis.OM.Vectorizers;
 
diff --git a/infra/app/OutputCacheDallESample.bicep b/infra/app/OutputCacheDallESample.bicep
@@ -71,13 +71,100 @@ module fetchLatestImage '../modules/fetch-container-image.bicep' = {
   }
 }
 
-resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
+resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
+  name: '${substring(name, 0, 15)}-keyvault'
+  location: location
+  properties: {
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    tenantId: subscription().tenantId
+    accessPolicies: [
+      {
+        tenantId: subscription().tenantId
+        objectId: app.identity.principalId
+        permissions: {
+          secrets: [
+            'get'
+          ]
+        }
+      }
+    ]
+  }
+}
+
+resource applicationinsights__connectionstring 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
+  parent: keyVault
+  name: 'applicationinsights--connectionstring'
+  properties: {
+    value: applicationInsights.properties.ConnectionString
+  }
+}
+
+resource apiKey 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
+  parent: keyVault
+  name: 'apiKey'
+  properties:{
+    value: cognitiveAccount.listKeys().key1
+  }
+}
+
+resource azure__openai__endpoint 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
+  parent: keyVault
+  name: 'azure--openai--endpoint'
+  properties:{
+    value: cognitiveAccount.properties.endpoint
+  }
+}
+
+resource aoai__resourcename 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
+  parent: keyVault
+  name: 'aoai--resourcename'
+  properties:{
+    value: cognitiveAccount.name
+  }
+}
+
+resource aoai__embedding__deploymentname 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
+  parent: keyVault
+  name: 'aoai--embedding--deploymentname'
+  properties: {
+    value: '${name}-textembedding'
+  }
+}
+
+resource api__url 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
+  parent: keyVault
+  name: 'api--url'
+  properties:{
+    value: '${cognitiveAccount.properties.endpoint}openai/deployments/Dalle3/images/generations?api-version=2024-02-01'
+  }
+}
+
+resource redis__cache__connection 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
+  parent: keyVault
+  name: 'redis--cache--connection'
+  properties: {
+    value: '${redisCache.properties.hostName}:10000,password=${redisdatabase.listKeys().primaryKey},ssl=True,abortConnect=False'
+  }
+}
+
+resource semantic__cache__azure__provider 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
+  parent: keyVault
+  name: 'semantic--cache--azure--provider'
+  properties: {
+    value: 'rediss://:${redisdatabase.listKeys().primaryKey}@${redisCache.properties.hostName}:10000'
+  }
+}
+
+resource app 'Microsoft.App/containerApps@2024-03-01' = {
   name: name
   location: location
   tags: union(tags, {'azd-service-name':  'OutputCacheDallESample' })
   dependsOn: [ acrPullRole]
   identity: {
-    type: 'UserAssigned'
+    type: 'UserAssigned, SystemAssigned'
     userAssignedIdentities: { '${identity.id}': {} }
   }
   properties: {
@@ -95,6 +182,38 @@ resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
         }
       ]
       secrets: [
+        {
+          name: 'applicationinsights--connectionstring'
+          value: applicationInsights.properties.ConnectionString
+        }
+        {
+          name: 'api--key'
+          value: cognitiveAccount.listKeys().key1
+        }
+        {
+          name: 'azure--openai--endpoint'
+          value: cognitiveAccount.properties.endpoint
+        }
+        {
+          name: 'aoai--resourcename'
+          value: cognitiveAccount.name
+        }
+        {
+          name: 'aoai--embedding--deploymentname'
+          value: '${name}-textembedding'
+        }
+        {
+          name: 'api--url'
+          value: '${cognitiveAccount.properties.endpoint}openai/deployments/Dalle3/images/generations?api-version=2024-02-01'
+        }
+        {
+          name: 'redis--cache--connection'
+          value: '${redisCache.properties.hostName}:10000,password=${redisdatabase.listKeys().primaryKey},ssl=True,abortConnect=False'
+        }
+        {
+          name: 'semantic--cache--azure--provider'
+          value: 'rediss://:${redisdatabase.listKeys().primaryKey}@${redisCache.properties.hostName}:10000'
+        }
       ]
     }
     template: {
@@ -105,39 +224,39 @@ resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
           env: [
             {
               name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
-              value: applicationInsights.properties.ConnectionString
+              secretRef: 'applicationinsights--connectionstring'
             }
             {
               name: 'PORT'
               value: '8080'
             }
             {
               name: 'apiKey'
-              value: cognitiveAccount.listKeys().key1
+              secretRef: 'api--key'
             }
             {
               name: 'AZURE_OPENAI_ENDPOINT'
-              value: cognitiveAccount.properties.endpoint
+              secretRef: 'azure--openai--endpoint'
             }
             {
               name: 'AOAIResourceName'
-              value: cognitiveAccount.name
+              secretRef: 'aoai--resourcename'
             }
             {
               name: 'AOAIEmbeddingDeploymentName'
-              value: '${name}-textembedding'
+              secretRef: 'aoai--embedding--deploymentname'
             }
             {
               name: 'apiUrl'
-              value: '${cognitiveAccount.properties.endpoint}openai/deployments/Dalle3/images/generations?api-version=2024-02-01'
+              secretRef: 'api--url'
             }
             {
               name: 'RedisCacheConnection'
-              value: '${redisCache.properties.hostName}:10000,password=${redisdatabase.listKeys().primaryKey},ssl=True,abortConnect=False'
+              secretRef: 'redis--cache--connection'
             }
             {
               name:'SemanticCacheAzureProvider'
-              value: 'rediss://:${redisdatabase.listKeys().primaryKey}@${redisCache.properties.hostName}:10000'
+              secretRef: 'semantic--cache--azure--provider'
             }
           ]
           resources: {
@@ -188,13 +307,33 @@ resource model 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01' = [
   }
 }]
 
+resource openai_CognitiveServicesOpenAIUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(cognitiveAccount.id, identity.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'))
+  properties: {
+    principalId: identity.properties.principalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')
+    principalType: 'ServicePrincipal'
+  }
+  scope: cognitiveAccount
+}
+
+resource openai_CognitiveServicesOpenAIContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(cognitiveAccount.id, app.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442'))
+  properties: {
+    principalId: app.identity.principalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442')
+    principalType: 'ServicePrincipal'
+  }
+  scope: cognitiveAccount
+}
+
 //azure cache for redis resource
 resource redisCache 'Microsoft.Cache/redisEnterprise@2024-02-01' = {
   location:location
   name: '${name}-rediscache'
   sku:{
     capacity:2
-    name: 'Enterprise_E10'
+    name: 'Enterprise_E1'
   }
 }
 resource redisdatabase 'Microsoft.Cache/redisEnterprise/databases@2024-02-01' = {

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`using Redis.OM.Vectorizers;`
`5`	`5`	`using Microsoft.AspNetCore.DataProtection.KeyManagement;`
`6`	`6`	`using OpenAI.Images;`
	`7`	`+using Azure.Identity;`
`7`	`8`
`8`	`9`	`namespace OutputCacheDallESample`
`9`	`10`	`{`
`@@ -29,7 +30,8 @@ await context.Response.WriteAsync("<!DOCTYPE html><html><body> " +`
`29`	`30`	`}`
`30`	`31`	`else`
`31`	`32`	`{`
`32`		`- AzureOpenAIClient client = new(new Uri(endpoint), new AzureKeyCredential(key));`
	`33`	`+ // AzureOpenAIClient client = new(new Uri(endpoint), new AzureKeyCredential(key));`
	`34`	`+ AzureOpenAIClient client = new(new Uri(endpoint), new DefaultAzureCredential());`
`33`	`35`
`34`	`36`	`ImageClient imageClient = client.GetImageClient("dall-e-3");`
`35`	`37`	`GeneratedImage generatedImage = await imageClient.GenerateImageAsync(_prompt, new ImageGenerationOptions() {`