Tip: Authenticate using API Key in AzureOpenAIVectorizerParameters

[danyhersco]

Technical Feedback

I wanted to implement Agentic Retrieval into my Python app using Azure AI Search. Some Microsoft resources and code samples I looked into (see below) did not work for me. The root of the issue was when creating a vectorizer in my search index, and more particularly the AzureOpenAIVectorizerParameters object. The code samples instantiated the class the following way:

parameters = AzureOpenAIVectorizerParameters(
    resource_url=self.embeddings.open_ai_endpoint,
    deployment_name=self.embeddings.open_ai_deployment,
    model_name=self.embeddings.open_ai_model_name,
),

The error I got: Message: Could not complete model action. The service failed to authenticate to the model endpoint.

What solved it is to also pass the API Key using the api_key argument. It might have worked for devs that created those code samples (I tend to get confused with credentials, Azure Portal vs Azure Project creds, whether I need a Foundry or Hub-based project, etc), but the key definitely solved it for me.

Not sure this is such an insightful feedback, but thought it could be useful for people who might be blocked the same issue as me, as those code samples are among the first search results.

Some of the resources:

• https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/app/backend/prepdocslib/searchmanager.py#L106
• https://github.com/Azure-Samples/azure-search-python-samples/blob/main/Quickstart-Agentic-Retrieval/quickstart-agentic-retrieval.ipynb

I'm also curious as to why it didn't authenticate... I'd be grateful for any guidance :)

Desired Outcome

A successfully authenticated Vectorizer for my search index.

Current Workaround

Solved, did not try any workaround.

[pamelafox]

If you are using keyless authentication, you also need to set up the RBAC role to allow the search service to reach the OpenAI endpoint. This is how we do it in azure-search-openai-demo:

module openAiRoleSearchService 'core/security/role.bicep' = {
  scope: openAiResourceGroup
  name: 'openai-role-searchservice'
  params: {
    principalId: searchService.outputs.principalId
    roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
    principalType: 'ServicePrincipal'
  }
}

Here's documentation that shows other ways to do it:

https://learn.microsoft.com/en-us/azure/search/search-howto-managed-identities-data-sources?tabs=portal-sys%2Cportal-user#assign-a-role

[HeidiSteen]

+1 to what Pam said. We're moving all of our docs and samples to Microsoft Entra ID authentication and role-based access control. Here's an article intended for people who do local testing (a REST client, IDE, Jupyter notebook). https://learn.microsoft.com/en-us/azure/search/search-get-started-rbac?pivots=python If you're a member of multiple tenants or Azure subscriptions, this doc gives you steps for checking and setting those variables on your device.

If you're setting up an app, this doc has better guidance: https://learn.microsoft.com/en-us/azure/search/keyless-connections?tabs=csharp%2Cazure-cli